The Connection Between Consumer Privacy and Business Data Breaches and Looking Ahead in 2021
For the last fifteen years, the Identity Theft Resource Center (ITRC) has tracked publicly reported data breaches to identify trends, attack vectors, case studies, the number of people impacted by data breaches and much more. The release of the 2020 ITRC Data Breach Report and the launch of the ITRC's data breach tracking tool support the Data Privacy Day 2021 initiative to help build trust among consumers and promote transparency around data collection practices.
The reports have grown into a database of more than 12,250 data compromises, including up to 90 data points per event. The ITRC’s 2020 Data Breach Report breaks down the number of data compromises, the root causes of the compromises, the types of data that were compromised, and looks at some of the top data events of 2020.
Data Breaches and Consumers Impacted Decrease
According to the ITRC's 2020 Data Breach Report, there were 1,108 data breaches in 2020, down 19 percent from 1,473 in 2019. Data breaches were not the only thing to decline. The number of people impacted fell by roughly two thirds (a 66 percent decrease from 2019). In prior years the ITRC had seen data breaches on the rise, so the decline in breaches and in consumers impacted has a specific explanation.
Right now, cybercriminals are less interested in stealing mass amounts of consumers' personal information outright. Instead, threat actors take advantage of poor consumer habits, above all password reuse, to attack businesses using stolen credentials such as logins and passwords. It is a trend the ITRC traced back to 2019 and expects to continue in 2021.
The Preferred Methods of Data Theft
Ransomware and phishing attacks directed at organizations have become cyberthieves' preferred method of data theft. That is not surprising: these attacks generally require only a stolen credential, or an employee clicking a malicious link, attachment or file. They take less effort, are largely automated, and generate payments far higher than taking over the accounts of individuals. One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years. According to Coveware, the average ransomware payout grew from less than $10,000 per event in Q3 2018 to more than $233,000 per occurrence in Q4 2020.
The ITRC is encouraged to see the number of breaches and people impacted by them drop. However, that does not mean consumers can relax. Even though the information threat actors want and how they obtain it has changed, cybercriminals will still look to steal and misuse consumers’ personal information. The cybercriminals have not gone away. Rather, they have just changed their tactics, and it is important for businesses and consumers to stay one step ahead of them by following good cyber-hygiene practices.
Top Data Events of the Year
Three data events were highlighted in the ITRC’s 2020 Data Breach Report:
Blackbaud, a technology services company used by non-profit, health and education organizations, fell victim to a ransomware attack in which data belonging to more than 475 Blackbaud customer organizations was stolen. The stolen data covered more than 11 million people. Blackbaud paid a ransom in exchange for the attackers' assurance that their copy of the data had been destroyed; such assurances cannot be independently verified. The Blackbaud data compromise is a good example of cybercriminals relying on an attack against a single business, rather than a series of attacks against a large number of consumers, to generate large sums of money.
Unemployment insurance benefits fraud was a hot spot for threat actors in 2020. Organized cybercriminals used stolen credentials and other identifying information to apply for unemployment benefits through state websites. Washington and Maryland each reported more than $500 million in fraudulent benefit claims, and California more than $2 billion, in 2020. The U.S. Department of Labor estimated total identity-related fraud at more than $26 billion across all 50 states and the District of Columbia during the same period. The unemployment insurance benefits fraud attacks show that it is easier and more profitable to commit a cybercrime using stolen, legitimate credentials than to hack into a company's computer network.
Vertafore, a technology company that helps insurance companies price automobile insurance, placed the license and related information of 28 million Texas drivers into a cloud database that was left unsecured for months. According to investigators, the personal data was viewed by unauthorized third parties. There was no evidence the information was misused, though that could change over time, and "no evidence of misuse" is a weak assurance when exposed databases often lack the access logs that would show who copied what. According to IBM, unsecured databases are tied for first place as the root cause of data compromises, a finding reinforced by the ITRC's analysis of 2020 data compromises. The risk of identity crimes is low in most events where a cloud database is left unsecured, but it is not zero.
How Businesses and Consumers Can Protect Themselves
Companies are usually the target of ransomware attacks, not consumers. Businesses can take the following actions:
- Frequently back up their systems, keep at least one copy offline where ransomware cannot reach it, and test that backups actually restore
- Patch software flaws as soon as fixes are available
- Refuse to pay ransom demands
All a cybercriminal needs to commit a phishing attack is a consumer’s email address or mobile phone number along with a fake website or social media account. These are the tools used to get people to share their login and password or other personal information that can be used to launch other attacks. Consumers can do the following to protect themselves at work and home:
- Do not reuse passwords; use one unique passphrase per account, at least 12 characters long
- Don’t use the same password at work and at home
- Use a password manager if needed
- Use multi-factor authentication when possible
- Consider creating online accounts with the agencies and institutions you deal with (state benefits portals, for example) before a cybercriminal can open one in your name
As more organizations move their applications and databases to cloud environments, it is a common misconception that the cloud service provider is also responsible for cybersecurity. It is not: the provider secures the underlying infrastructure, while the customer remains responsible for the data it stores there and for how access to that data is configured. The result is often a data compromise caused by someone failing to secure an online database. Businesses should follow these best practices:
- Properly configure cybersecurity tools for cloud environments
- Apply the same level of effort to protecting cloud environments as to on-premises systems and data assets
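What "properly configured" means in practice is easiest to see on a concrete access policy. The following is an added example, not code from the ITRC report or from any company named above: it takes an AWS-style JSON resource policy and flags every Allow statement that a wildcard principal (anyone, including anonymous callers) can reach. The weak policy is the shape that leaves a data store world-readable; the hardened one limits access to a single role. The bucket name, account ID, role name and VPC ID are made up for the example.

```python
"""Flag access-policy statements that expose a cloud data store to anyone.

Added example, not ITRC or vendor code. It models the AWS-style JSON policy
grammar (Effect / Principal / Action / Resource / Condition). All three sample
policies are constructed for illustration; the bucket, account ID, role and
VPC ID are fictitious.
"""
import json

# Constructed sample: the kind of policy that leaves a bucket world-readable.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-driver-records",
                      "arn:aws:s3:::example-driver-records/*"]},
    ],
})

# Constructed sample: same bucket, read access limited to one application role,
# plus a Deny that blocks unencrypted transport for everyone.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/pricing-app"},
         "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-driver-records/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-driver-records",
                      "arn:aws:s3:::example-driver-records/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed sample: wildcard principal narrowed by a Condition. Not public,
# but still worth a reviewer's attention, so it is reported separately.
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-driver-records/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}},
    ],
})


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True when the Principal element matches any caller, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        # {"AWS": "*"} and {"AWS": ["*", ...]} are wildcards too.
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json):
    """Return the Sids (or positional labels) of Allow statements reachable by anyone.

    An unconditioned wildcard principal is counted as public. A wildcard that is
    narrowed by a Condition (one VPC, one source IP range, ...) is listed under
    'wildcard_with_condition' so a reviewer can still inspect it.
    """
    policy = json.loads(policy_json)
    findings = {"public": [], "wildcard_with_condition": []}
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever restrict access.
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"Statement[{index}]")
        if stmt.get("Condition"):
            findings["wildcard_with_condition"].append(label)
        else:
            findings["public"].append(label)
    return findings


def is_public(policy_json):
    """Convenience predicate: does any unconditioned Allow reach anyone?"""
    return bool(public_statements(policy_json)["public"])


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY),
                         ("hardened", HARDENED_POLICY),
                         ("conditioned", CONDITIONED_POLICY)):
        print(f"{name}: {public_statements(policy)}")
```

The check is deliberately conservative: it only reports on the policy document itself, so account-level public-access blocks, ACLs and anything granted through identity policies are out of scope and have to be reviewed separately. Its value is that it turns "is this database secured?" into a question with a yes-or-no answer that can run in a pipeline before the data is uploaded, rather than months after.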
For more information on privacy and data breaches, best cyber-hygiene practices, or if someone believes a data compromise has impacted them, visit the ITRC’s website idtheftcenter.org. Consumers can reach out to the contact center for assistance by phone (888.400.5530) or live-chat, they can find resources on best practices, and they can download the free ID Theft Help App to get access to advisors, a customized case log and much more.