Data Breach Trends: Global Count of Known Victims IncreasesPhishing Attacks and Ransomware Continue to Be Dominant Data Breach Attack Vectors
Are data breaches getting worse?
Tracking data breach trends carries some caveats. For starters, not all organizations report when they've suffered a data breach or exposed people's personal information. Others might report a breach, but not crucial details such as the underlying cause or quantity of records that might have been exposed.
With that in mind, here's what researchers do know: Last year in the U.S., the number of records that were reportedly exposed declined slightly, while the total number of reported data breaches increased. So says the Identity Theft Resource Center, a nonprofit organization based in San Diego, California, that provides no-cost assistance to U.S. identity theft victims to help resolve their cases, and which recently released its 16th annual Data Breach Report.
"In 2021, there were more data compromises reported in the U.S. than in any year since the first state data breach notice law became effective in 2003," says Eva Velasquez, president and CEO of ITRC.
Data exposure as a result of online attacks notably increased from 1,108 incidents in 2020 to 1,613 in 2021, ITRC reports.
There was also an increase in the number of breaches that traced to phishing, smishing or business email compromise, rising from 383 incidents in 2020 to 537 incidents in 2021. In the same time frame, breaches that traced to ransomware rose from 158 to 321, meaning that as a root cause of a breach, it doubled - and for the third year in a row.
What the online attack data doesn't show, ITRC says, is that the fourth-most-common cause of such incidents was supply chain attacks (see: Data Breach Reports Rise as Supply Chain Attacks Surge).
Last year, while the number of known breaches increased, the total number of records that were reportedly exposed declined slightly. ITRC reports that in 2021, 294 million records were reportedly exposed, down from 310 million records in 2020 and 884 million in 2019.
When personal data does get exposed, ITRC reports that it's most often a person's name, followed by Social Security number, date of birth, current home address and medical information.
Global View of Breaches
An assessment of breaches worldwide in 2021 charts similar trends: slightly fewer records being exposed, but more organizations overall reporting that they'd been breached.
The research comes via vulnerability and data breach intelligence firm Risk Based Security, which last month was bought by New York-based threat intelligence firm Flashpoint.
Here's its count of known 2021 breaches, broken out by the country in which a breached organization was based:
- United States: 2,953
- Canada: 181
- United Kingdom: 125
- France: 79
- India: 71
- Germany: 53
- Russia: 42
- Australia: 39
- Netherlands: 33
- All Other: 569
Risk Based Security says that so far, about 5% fewer breaches were reported in 2021 than in 2020. But it expects more 2021 incidents to belatedly come to light this year. "It is typical for the number of breaches disclosed for a given year to subsequently increase by 5% to 10%," the company's researchers write in a recent report.
Looking at all reported 2021 breaches globally, Risk Based Security says "the healthcare sector experienced the most incidents, accounting for 14% of reported breaches, although financial services and software providers were also hard-hit.
As in the U.S., ransomware is an increasing problem. It was cited in 11.5% of all breaches reported globally in 2019, rising to 17% in 2020 and 21% in 2021, Risk Based Security reports.
Reporting Delays Remain Common
Timely breach discovery and victim notification continue to be a shortfall at many organizations, says Inga Goddijn, executive vice president at Risk Based Security. The average time interval between a breach being discovered and reported increased from 72 days in 2020 to 89 days in 2021, she says.
But some took much, much longer. "In 2021, 15 breaches took more than 365 days - a full year - to go from discovery to the release of a formal breach notification letter. Another 169 events took six months or more," Goddijn says. "It would be easy to blame delays on the pandemic, but this trend started well before COVID-19 became a household name. Complex incident investigations, weak enforcement and a deliberate blindness to notification obligations appear to be at the root of the delays."