Cybersecurity

US Smashes Annual Data Breach Record With Three Months Left

There were 2116 reported US data breaches and leaks in the first nine months of 2023, making it the worst year on record with a whole quarter left to go, according to the Identity Theft Resource Center (ITRC).

The non-profit, which tracks publicly reported breaches in the US, said there were 733 “data compromises” in Q3 2023, a 22% decline from the previous quarter. However, despite the relative slump, this was enough to drag the total for the year past the previous all-time high of 1862 set in 2021.

On a more positive note, the ITRC counted an estimated 234 million victims from these breaches, well short of the 425 million individuals impacted by incidents last year.

Cyber-attacks remained the most common cause of breaches in Q3, with phishing attacks the most popular attack vector, followed by zero-day exploits, ransomware and malware. Zero-day attacks in particular are on the rise, climbing 1620% in the first three quarters of 2023 versus the whole of 2022, the ITRC said.

Read more on US breaches: Near-Record Year for US Data Breaches in 2022

Supply chain attacks also remained a major threat in Q3, with 1321 organizations reporting breaches due to attacks on 87 third parties, many of which used the MOVEit software targeted by the Clop ransomware gang.

In fact, the ITRC claimed that four of the top 10 biggest compromises in Q3 were caused by the MOVEit campaign.

Eva Velasquez, ITRC president and CEO said the figures for 2023 year-to-date weren’t surprising.

“There are a handful of reasons for the rise in data compromises, ranging from the drastic uptick in zero-day attacks to a new wave of ransomware attacks as new groups enter the criminal identity marketplace,” she explained.

“Now that we have broken the previous annual data comprise record, the question remains: by how much?”

A persistent concern is the lack of transparency from breached organizations. The ITRC said over half (53%) of reported breaches did not come with any explanation about the initial attack vector.