The Identity Theft Resource Center (ITRC) published its annual data breach report indicating that the number of data compromises increased by 68% in 2021 compared to 2020.
The report recorded 1,862 data compromises were recorded in 2021, compared to 1,108 in 2020. The number of data compromises also surpassed the all-time high record of 1,506 in 2017 by 23%.
Similarly, the number of data events involving sensitive personal information like SSNs increased from 80% to 83% in the same period. However, they remained below the record high of 95% set in 2017.
Although the number of victims (293,927,708) reduced by 5% in 2021, the researchers described the number as “excessively high.” They attributed the small reduction to cybercriminals focusing on specific data types instead of conducting mass breaches.
ITRC 2021 data breach report key findings
According to the identity theft data breach report, all primary sectors – except the military where no public disclosures were made – recorded a year-over-year increase in the number of data breaches. The manufacturing & utilities sector saw the largest percentage increase in data compromises at 217% increase from 2020.
The data breach report identified three root causes of data compromise namely: cyber attacks (1,613), human & system errors (179), and physical attacks (51).
According to the ITRC data breach report, cyber attacks caused more data breaches (1,613) in 2021 than all data compromises (1,108) in 2020. Similarly, data compromises from ransomware incidents have doubled in the past two years. The Identity Theft Resource Center speculates that ransomware attacks will surpass phishing as the root cause of data compromise in 2022.
Phishing, smishing, or business email compromise (BEC) were responsible for 537 of all cyber attack-related compromises, followed by ransomware (350), and malware (139). Unsecured cloud environments were responsible for 23 confirmed cyber attack-related data compromises.
The leading data compromise causes related to human and system errors were correspondence (66), failure to configure cloud security (54), misconfigured firewall (13), lost device/document (12), and unspecified others (34).
However, more than a quarter (27%) of data breach sources were unspecified. ITRC data breach report found that the number of data breach notices without disclosing the root cause of the compromise almost doubled (190%) from the previous year.
Identity theft is more likely as breach transparency declines
The 2021 data breach report found that transparency was falling, and many consumer breach notifications were missing crucial details. In 2021, 607 consumer data breach notices lacked important information compared to 209 in 2020. The researchers noted that missing information in the notifications reduced their effectiveness.
According to the report, missing information in data breach notices prevent consumers from understanding the risks and taking appropriate actions to protect themselves from identity theft.
“The form and substance of existing notices fail to prompt breach victims into taking actions that can significantly reduce the risk of their compromised identity information being misused,” they wrote.
Additionally, existing state and federal laws do not guarantee that all citizens across jurisdictions are notified timely.
“That means residents of one state may get a data breach notice when a resident across the border in a neighboring state may not receive an alert for the same data breach.”
Out of the 72% of consumers who received data breach notifications, 48% changed the impacted account password, 16% took no action, and 3% froze their credit cards to prevent identity theft.
“There is no reason to believe the level of data compromises will suddenly decline in 2022,” says Eva Velasquez, President and CEO of the Identity Theft Resource Center. “As organizations of all sizes struggle to defend the data they hold, it is essential that everyone practice good cyber-hygiene to protect themselves and their loved ones from these crimes.”
Erich Kron, Security Awareness Advocate at KnowBe4, says the increase in data compromises was not surprising, considering that most ransomware attacks exfiltrate data.
“It is no surprise that the overall number of data compromises has risen so much, as very few ransomware strains do not exfiltrate data as part of the attacks,” Kron said. “The continued explosion of ransomware and associated data loss is exacerbated by the ever-growing collection of digital data on individuals by not only entities that the consumer does business with, but also marketing groups that compile and collect data on potential customers at a significant rate. Data, even just metadata, has a significant value and is therefore collected at staggering rates.”