Rising Breach Numbers and Shifting Attack Patterns Signal Tough Times Ahead
If you thought data breaches were bad, buckle up; they’re getting worse. In January, the US Identity Theft Resource Center (ITRC) published its 2023 Data Breach Report. The findings are dire. The report, now in its 18th year, documented a huge rise in the number of data breach incidents. It tracked 3,205 total compromises in 2023, up 72% from an all-time high of 1,860 in 2021.
Experts are concerned that exposed supply chains and the lack of a national data protection law are giving adversaries an advantage.
A Mother of All Breaches
In the same month, we saw one of the biggest single data leaks in history. Nicknamed the “Mother of All Breaches” (MOAB), it saw over 26 billion records pilfered from Leak-Lookup, a search engine for breached personal records collected from over 4,000 breaches extending back years.
Bob Diachenko, founder of Security Discovery, found the stolen records sitting in a misconfigured instance online, meaning that anyone could have accessed them.
Cybersecurity company SpyCloud found that while most of the records were old and had been previously exposed, the data still contained an estimated 1.6 billion records from 274 breaches that were not in its own existing database of compromised records. Around 30 of the previously undisclosed breaches contained duplicates or fabricated data, but the records also included some breach data that had been previously offered for private sale online.
A Double Threat
Data breaches that lead to the publication of personal information online carry several dangers. The first is that they can be used for credential stuffing attacks, in which attackers take the credentials exposed in one breach and automate login attempts with them against many accounts on other services, betting on password reuse.
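The credential stuffing pattern described above has a recognisable footprint in authentication logs: one source address tries many different usernames in a short window, most attempts fail, and the occasional success marks an account whose reused password was in the leaked set. The following Python is an added example, not code from the article or from any of the organisations it quotes; the log format, field names and thresholds are assumptions, and the sample log lines are constructed for the example.

```python
"""Flag credential-stuffing activity in authentication logs.

Added example (not from the original article). Looks for source IPs that
attempt logins against many distinct accounts within a short window with a
high failure rate, and lists the accounts that were nevertheless logged into
so they can be forced to reset their password.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-like line format: "<ISO timestamp> auth ip=<ip> user=<name> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: one IP sprays six accounts in five seconds (one hit),
# a second IP retries a single account, a third is a normal login.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02Z auth ip=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:02Z auth ip=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:03Z auth ip=203.0.113.7 user=dave result=SUCCESS
2024-03-01T10:00:04Z auth ip=203.0.113.7 user=erin result=FAIL
2024-03-01T10:00:05Z auth ip=203.0.113.7 user=frank result=FAIL
2024-03-01T10:00:30Z auth ip=198.51.100.2 user=alice result=FAIL
2024-03-01T10:00:45Z auth ip=198.51.100.2 user=alice result=FAIL
2024-03-01T10:01:10Z auth ip=198.51.100.2 user=alice result=SUCCESS
2024-03-01T10:05:00Z auth ip=192.0.2.9 user=grace result=SUCCESS
"""


def parse_auth_log(text):
    """Yield (timestamp, ip, user, result) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"]


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: summary} for source IPs whose activity in any sliding window
    touched at least `min_accounts` distinct users with a failure ratio of at
    least `min_fail_ratio`. Thresholds are assumed values; tune per environment."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_auth_log(log_text):
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start so events[start:end+1] spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            users = {u for _, u, _ in in_window}
            fails = sum(1 for _, _, r in in_window if r != "SUCCESS")
            ratio = fails / len(in_window)
            if len(users) >= min_accounts and ratio >= min_fail_ratio:
                # Keep the widest matching window seen for this IP.
                alerts[ip] = {
                    "accounts": len(users),
                    "fail_ratio": round(ratio, 2),
                    "successes": sorted(u for _, u, r in in_window if r == "SUCCESS"),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The single-account retries from 198.51.100.2 are not flagged because the distinguishing feature of stuffing is breadth across accounts, not depth against one; a per-account lockout rule would catch the latter but miss the former. Accounts listed under `successes` are the ones to reset and review.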
“The scariest thing for a security team is someone getting access to credentials and being able to persist within an organization,” Will Lin, CEO at stealth security startup AKA Identity, tells ISMS.online.
Breached records leaked online are also a useful tool in launching targeted attacks, says Venky Raju, field CTO of ColorTokens. Raju notes that the average number of victims per breach has recently fallen. Whereas breach incidents soared in 2023, the number of overall victims fell 16% from 425.2 million in 2022 to just over 353 million last year. Six years ago, 2.2 million records were exposed in 1,175 breaches, according to the ITRC.
“The reason why the number of victims is falling is because [attacks] are very targeted now,” Raju tells ISMS.online. “There is more money to be made by targeting a small number of people that you know more about than just doing a spray-and-pray attack.”
Breached records can contain anything from simple access credentials to detailed healthcare information or financial data. In January, insurance group Chaucer said that 53 million individuals’ financial data was compromised in breaches last year.
Personal data from breaches allows attackers to learn more about their victims, says Raju, which means they can target individuals more effectively. He warns of attackers enhancing this data with even more information purchased from data brokers. These can be used for scams including pig butchering, in which attackers lure people into relationships and then persuade them to invest in fake ventures. These attacks rely heavily on social engineering.
Supply Chains at Risk
The ITRC’s chief operating officer James Lee argues that MOAB, with its large proportion of already exposed records, will not have much of an impact. He’s worried about another trend highlighted in the report.
“I’m much more concerned about the rise in supply chain attacks and the growing ability of threat actors to get into the source code of software to find zero-day flaws and exploit them,” he tells ISMS.online. The ITRC’s statistics show a 2,600% rise in organizations targeted in supply chain attacks since 2018, and a 1,400% rise in the number of victims.
So how do we stop the breach numbers rising still further?
“The lack of uniform cybersecurity standards coupled with a lack of uniform data breach notification and remediation standards [in the US] are major contributors to why we have not made progress against data breaches,” says Lee. He calls for more standardized reporting mechanisms, along with initiatives for compliance.
The Need for Standard Reporting Rules
Delegating privacy laws to individual states in the US creates a confusing patchwork. In the absence of a national privacy law, we must take the next best option, he says.
“The only way to improve the status quo is to get each state to update its laws and regulations to meet certain minimum standards,” Lee explains. “It’s not impossible, but it’s not fast or ideal.”
The SEC’s recently introduced reporting rules will help make publicly traded companies more accountable. However, fewer than 10% of breaches last year were reported by these companies, he adds. Perhaps the regulation will increase that proportion this year. Lee points out that companies are already reporting without waiting to determine whether a breach has a material effect. Nevertheless, most breaches will still fall outside the SEC’s scope, he warns.
What You Can Do Now
While federal regulation from the SEC will undoubtedly help, the challenge remains huge as attackers continue to target the economy’s soft underbelly. The breaches keep coming: January saw an attack on Global Affairs Canada, although its full scope was not revealed. In February, a ransomware attack at UnitedHealth subsidiary Change Healthcare disrupted prescriptions and threatened lives. Cyber-criminals close to BlackCat, which claimed responsibility for the hit, said that UnitedHealth paid $22m to prevent the breached data’s publication.
Companies can take action by building robust security controls based on standards such as ISO 27001, along with other industry-approved certifications appropriate to their own region, sector and size. We may not be able to quell a rising tide of increasingly targeted attacks, but we can at least take heed and move to higher ground.