Data Breaches in 2021 Already Top All of Last Year

In 2020, U.S. businesses were the victim of 1,108 data breaches. But by the end of September this year, 2021’s total was 1,291.

The Identity Theft Resource Center (ITRC) reports the 17% increase we’ve already seen over the 2020 total number indicates we could be facing a record-breaking year for data compromises. The all-time high was set in 2017, with 1,529. And 2020’s biggest spikes occurred beginning in August, implying more are on the way.

What’s especially concerning is that the ITRC count is likely low, though no one knows to what extent. The group notes that many authorities are becoming more reticent to discuss data breaches as well. One state, it says (without identifying it), has not posted any data breach notices since last September.

“There has been an increase in a lack of transparency in breach notices at both the organization and government level that, if it continues, could lead to a significant impact on individuals,” it said. “Withholding important information or failing to post notices on a timely basis may serve to prevent individuals from taking actions to protect their identities.”

[Chart: Cybersecurity incidents. Source: Identity Theft Resource Center]

Not all of the news is bad: The number of publicly reported breaches in the third quarter was lower than the second quarter total – 446 publicly reported attacks, versus 491 between April and June.

And the total number of victims so far in 2021 is still nearly 30 million fewer than last year, despite the breach total being higher.

So far in 2021, nearly 281.5 million people have been affected by some sort of data breach. That’s actually the lowest number in the past seven years; 2018 holds the dubious honor of having the most victims, with 2.2 billion.

That said, the total number of victims in Q3 surpassed the total of Q1 and Q2 combined. Between July and September, there were 160 million victims, compared to 121 million in the first half of the year.

As for breaches, there have been some massive ones. DarkSide’s ransomware attack on Colonial Pipeline saw 100 GB of data stolen and disrupted the petroleum supply chain for much of the East Coast. Facebook saw 214 million records breached via an unsecured database. Men’s retailer Bonobos had personal information on 7 million shoppers, including 3.5 million partial credit cards, snatched by the hacker group ShinyHunters.

Phishing and ransomware are the two most popular tools of hackers, says the ITRC.

“While the total number of data breaches dropped slightly in Q3, we are only 238 data breaches away from tying the all-time record for data compromises in a single year,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “It’s also interesting to note that the 1,111 data breaches from cyberattacks so far this year exceeds the total number of data compromises from all causes in 2020. Everyone needs to continue to practice good cyber-hygiene to protect themselves and their loved ones as these crimes continue to increase.”

The rise in ransomware and hacking incidents has put many cybersecurity companies on investor radars. Palo Alto Networks (PANW) reported better-than-expected earnings in August. And CrowdStrike Holdings (CRWD) was added to the Nasdaq-100 index that same month.

It’s even big business for Microsoft. The company recently said its cybersecurity revenues top $10 billion per year and it has some 400,000 customers. And, in July, it bought security threat management company RiskIQ for a reported $500 million.

"Microsoft is clearly pitching itself as offering a full security suite, a competitive advantage as customers increasingly want a unified view of threats," said UBS analyst Karl Keirstead in a note.

That’s advantageous, as today’s data thieves are a lot more sophisticated than they were just a few years ago, using automated tools and looking for high-quality data, things like logins and passwords. With those, cybercriminals don’t have to risk a time-consuming backdoor approach; they can simply log in and take what they want.

“Data quantity is no longer the goal of an attack; data quality is,” said James Lee, chief operating officer of the ITRC in prepared comments to the U.S. Senate Committee on Commerce, Science, and Technology earlier this month. “We are moving from an era of identity theft where data is acquired and accumulated to a time of identity fraud where ID thieves monetize the data they’ve collected - with the occasional effort to refresh older information.”

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.

Chris Morris

Chris Morris is a veteran journalist with more than 30 years of experience, more than half of which were spent with some of the Internet’s biggest sites, including, where he was Director of Content Development, and Yahoo! Finance, where he was managing editor. Today, he writes for dozens of national outlets including Digital Trends, Fortune, and
