After a Decline in 2020, Data Breaches Soar in 2021
2021 was a bad year on the personal data front. A really bad year.
The Identity Theft Resource Center, in its 16th annual Data Breach Report, says the number of data breaches at corporations was up more than 68% in 2021, beating the previous record, set in 2017, by 23%.
The surge comes after a lull in 2020, when the number of data breaches in the U.S. was down 19%. Over three of the past five years, there has been an increase in the number of corporate compromises.
In 2021, there were 1,862 breaches, an increase of 754 over the previous year and 356 over the previous record. All told, nearly 294 million people were impacted, with over 18.5 million records exposed.
“There are a number of watershed moments in the history of cybercrime,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center, in a statement. “The first cyberattack was in 1834 when criminals intercepted bond trading information sent by a mechanical telegraph system in France. The modern era of cyberattacks began in 1957 when a blind, seven-year-old child discovered they could whistle a tone that would allow them to make long distance telephone calls for free. We may very well look back at 2021 as the milestone year when we officially moved from the era of identity theft to an era of identity fraud. That is to say, the time when cybercriminals shifted from mass data accumulation (identity theft) to mass data misuse (identity fraud).”
Ransomware-related data breaches have doubled over the past two years. The ITRC says it expects this type of attack to surpass phishing as the most common cause of data compromises this year. Supply-chain attacks, like DarkSide’s ransomware attack on Colonial Pipeline, in which 100 GB of data was stolen and the petroleum supply chain for much of the East Coast was disrupted, are on the rise as well.
The number of hacks involving sensitive personal information rose as well last year, but the total number of victims was down 5%. The total hacks with data like social security numbers and passwords didn’t come close to touching 2017’s total, however, when 95% of all breaches contained that data.
The still-high number of hacks that gather that information, though, has led the ITRC to announce plans to launch a free data breach alert service for consumers. (The current target is later in the first quarter of 2022.)
The service comes, in part, because the reporting data on breaches has been dwindling for a few years now. The ITRC says that lack of actionable information prevents consumers from taking appropriate actions to protect themselves. One state, it noted (but did not identify), updated its breach notices in December 2021 for the first time since the fall of 2020.
In fact, the group said, the number of data breach notices that do not reveal the root cause of the compromise was up 190% since 2020.
Overall, compromises were higher year-over-year in every sector the ITRC covers, with one exception. The military sector actually did not publicly disclose any data breaches in 2021, so it’s unclear how it was impacted. The manufacturing and utilities sector saw the biggest increase in hacker interest, with data breaches jumping 217% over the 2020 totals.
Ransomware and phishing schemes are growing fast because they’re easier money for the hackers compared to the sale of consumer personal information. Those attacks also generally require less effort and can be automated.
Hackers have taken control of systems and tried to force companies to pay to unlock them for many years. Most businesses, though, learned to have backups of their information, which they would restore and move forward – ignoring the demand. In the past few years, though, hackers have instead threatened to release that information publicly. Since affected companies don’t know precisely what information was taken, they are forced to engage with the thieves.
The average ransomware attack results in 19 days of downtime, according to Coveware.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.