ITRC Report: Criminals’ Ransomware Adoption and Phishing Focus Help Explain the Drop
The number of data breaches being reported in the U.S. and elsewhere each year continues to decline. But security experts say this unfortunately can be explained by criminals increasingly focusing on lucrative ransomware and business email compromise scams, which require scant data to be successful.
In the U.S., reported data breaches and inadvertent data exposure incidents decreased by 19% from 1,473 in 2019 to 1,108 in 2020, as did the overall number of exposed records, according to the Identity Theft Resource Center, a nonprofit organization based in San Diego, California, that provides no-cost assistance to U.S. identity theft victims to help resolve their cases. The ITRC recently released its 15th annual Data Breach Report.
“While it is encouraging to see the number of data breaches, as well as the number of people impacted by them, decline, people should understand that this problem is not going away,” says Eva Velasquez, ITRC’s president and CEO. “Cybercriminals are simply shifting their tactics to find a new way to attack businesses and consumers. It is vitally important that we adapt our practices, and shift resources, to stay one step ahead of the threat actors.”
ITRC reports that of the 878 data breaches involving hack attacks in 2020, at least 44% involved phishing, “smishing” – text-based phishing – or business email compromise scams; 18% involved ransomware; 12% another type of malware; 6% an unsecured cloud environment; and 2% credential stuffing. Supply chain attacks are also increasingly common, with 694 U.S. organizations reporting that they were affected by such an attack last year.
Where human error was listed as the cause of a breach, failing to correctly configure cloud security controls was blamed for more than one-third of incidents, with inadvertent disclosure of information via email following closely behind, ITRC reports.
Attackers’ Tactics Changing
The latest ITRC report describes the steady downward trajectory in the overall number of data breaches reported in the U.S. “We hit our high-water mark, in terms of the number of breaches, in 2017,” says James E. Lee, COO of ITRC, noting that the total annual count has fallen by one-third since then.
Lee says the shift largely has to do with attackers prioritizing quality over quantity. “The threat actors are changing their tactics. They don’t need the massive amounts of data that they would have stolen five or 10 years ago,” he says. “They’re highly targeted now, and they’re highly organized and sophisticated in their attack methods. … They still need data – just not that much.”
Two of today’s most popular types of attacks – ransomware and phishing, especially leading to business email compromise – also require relatively little data to lay the groundwork for success. “We really only need two data elements to commit those kinds of crimes: a login and a password,” Lee says. That information alone can help attackers gain remote access, study networks, and drop ransomware or run business email compromise scams.
Successful attacks can be extremely lucrative. Some BEC scammers net millions of dollars per attack. And in Q4 of 2020, the average ransom payment following a ransomware attack was $233,000, according to the incident response firm Coveware.
Lee notes that while the number of data breaches declined, the popularity of ransomware and other cybercrime schemes means it’s more important than ever for organizations to defend themselves by maintaining sophisticated cybersecurity policies, practices and procedures.
Britain: Breach Reports Decline
Like researchers in the U.S., British authorities have been seeing an annual decline in data breach reports.
Last month, the U.K. Information Commissioner’s Office released its latest quarterly tally of domestic data breach reports, for July 1 to Sept. 30 of last year. In that timeframe, the ICO received 2,594 breach reports. Of those, 737 were described as cybersecurity incidents. “These figures are based on the number of reports submitted by the data controller, not necessarily the number of incidents,” the ICO says.
The figures show “an 80% increase in reported data leaks” for the quarter, following an “unexplained dip” for the prior three months, says Rick Goud, CEO of Dutch cybersecurity intelligence firm Zivver. But overall, breach reports have been trending downward.
“The biggest cause is still misaddressed email, fax and snail mail, accounting for 25% of reported data leaks,” Goud says. “Non-cyber-related events are still more than 70% of causes of data leaks.”
Parallel Global Picture
The global picture mirrors what’s being seen in the U.S. and Britain.
Threat intelligence firm Risk Based Security, based in Richmond, Virginia, says its assessment of global breaches in 2020 found 3,932 breaches, which was a 48% decline compared to 2019. Of those, 2,340 breaches were tied to the U.S. and 971 happened outside the U.S. The victims’ locations were not known for 621 other breaches.
More breaches from last year are sure to come to light, the firm notes, which could increase the count by 5% to 10%. But even so, it charted a marked decline in 2020.
But breaches that traced to ransomware attacks doubled from 2019 to 2020, Risk Based Security notes. And last year featured a number of massive breaches. “Five breaches each exposed 1 billion or more records, and another 18 breaches exposed between 100 million and 1 billion records,” it says.
Despite – or perhaps because of – the ongoing COVID-19 pandemic and society’s collective reliance on healthcare organizations, “healthcare was the most victimized sector this year, accounting for 12% of reported breaches,” it says.
Caveat: How Breaches Get Counted
As with the ITRC data, Risk Based Security’s report comes with a caveat: It’s based on breaches that have been publicly reported.
Of course, not all data breaches come to light, or have yet been discovered. In addition, in the U.S., any given breach may not have exposed personal information, and thus may not require a mandatory breach notification. For Europe, per the EU’s General Data Protection Regulation, organizations must notify regulators if Europeans’ personal data was exposed, or of any breaches in certain sectors, such as telecommunications. But not all breach victims will then be required to publicly disclose the breach, especially if it might have national security implications.
“Jurisdictions without mandatory public disclosure requirements tend to see fewer breaches reported,” says Inga Goddijn, executive vice president at Risk Based Security, where she leads the company’s data breach research effort. “Publicizing bad news is never fun, so it is understandable that breached organizations would be reluctant to share information about an event unless required to do so.”
Another open question centers on whether publicly available data is sufficient to ascertain if some regions get targeted more often than others. Arguably, any region with mandatory breach notification rules will see many more breaches being disclosed there.
“Thanks to the various state reporting requirements, we see more consistent breach disclosures coming to light across the United States,” Goddijn says. “That said, the U.S. is home to a significant number of entities with the type of data or deep pockets attackers like to target. So it is an interesting question: Are there more disclosures because of the state statutes or because more targets means more breaches?”
Continuing SolarWinds Breach Impact
Also unclear is the extent to which data breaches might not be spotted, especially as many IT teams continue to work remotely during the pandemic.
Last year also featured the discovery of the massive SolarWinds supply chain attack, which appears to have run for at least nine months before being detected. The apparent Russian espionage operation, which affected up to 18,000 organizations, likely resulted in several hundred organizations suffering extensive network penetration and data theft. Assessment, response and cleanup efforts are continuing and could take years to complete.
As those efforts progress, organizations that count and track data breaches may also need to revise their 2020 figures.
Nick Holland, director of banking and payments for ISMG, contributed to this report.