Why is the world witnessing a surge in data breaches?
While the world of cybersecurity has always been fairly unpredictable, what’s certain is that data breaches are on the rise. But what’s driving this trend, how long will it continue, and what can organizations do about it?
According to the 2023 Annual Data Breach Report by the Identity Theft Resource Center (ITRC), a non-profit organization, data compromises have leapt up in the past two years. From the previous record of 1,860 in 2021 they dropped slightly to 1,801 in 2022 but rebounded to reach a new high of 3,205 last year. That’s an increase of 72 percent over just two years.
The healthcare sector, with its huge volumes of personal and sensitive information, is one of the biggest targets. The ITRC recorded 809 data compromises in healthcare companies in 2023, which amounts to a staggering 56 million victims. That’s close to double the population of Texas.
Some cybercriminals are undoubtedly becoming more sophisticated. But as the cybersecurity sector has raised its game, threat actors have adapted their tactics, techniques and procedures (TTPs) in response. It’s effectively a race to see which side can evolve fastest to evade or catch the other.
In the past decade, cybercrime has grown into a huge economy. The more advanced criminal groups have developed services and platforms to rent out to less skilled ones. In the past ten years or so, we’ve seen the advent of Ransomware-as-a-Service (RaaS) and numerous tools which enable bot-based phishing campaigns. Alongside these, we’ve also seen a marked increase in data collection and Internet-connected devices.
Cybersecurity professionals know all too well that too many organizations still aren’t getting many of the basics right to protect their data, assets, customers, employees, and reputations from harm. But, of course, there are also lots of cases of exploitation of zero-day vulnerabilities.
In just the past two to three years, we’ve seen the nature of ransomware attacks evolve almost continuously to comprise encryption, multi-extortion tactics including data leaks and pressure placed on the people who own the stolen data. A recent trend has been for criminal groups to drop the encryption part of their attacks and simply threaten to leak sensitive data online or sell it on the dark web.
In arguably the most extreme and bizarre case in the US, a ransomware threat actor even reported their victim to the Securities and Exchange Commission (SEC). Why? Because the victim organization failed to report the incident. And in the US, if a whistleblower informs on an organization which is subsequently fined as a result, the whistleblower is entitled to a percentage of the fine.
The crime of holding organizations to ransom is nothing new, of course. Human ransoms used to be more common than they are today. In Europe it’s much more acceptable to pay for a person’s safe return. So, I think that the way ransomware is used might follow, with criminal gangs publicizing the stolen data to put pressure on the organization that stands to lose the most into paying them. We’ve already seen cases where group pressure and the threat of litigation and reputational damage have successfully forced the organization’s hand.
We talk and write about data as if it’s just bits and bytes, and the consequences are just a little inconvenient. But theft of confidential and personal information can be serious for the individual involved. Who wants their business, relationship or medical data shared with the public or with parties who could use it to gain a commercial advantage, to blackmail them or simply to ruin someone’s life?
And recently the world witnessed how one major outage can have a major impact on national and international travel, retail, banking, medical appointments and more. Add the insurance claims and the damage ran to billions of dollars.
In 2017, in the aftermath of the NotPetya cyber-attack, pharma giant Merck & Co. tried to recover its financial losses from its insurer. However, since the attack was widely accepted to have been conducted by Russia, the insurance company waved it away as an "act of war".
Merck & Co. took its insurer to court, won the original case and an appeal. This eventually concluded with an out-of-court settlement. Although the final sum wasn’t disclosed, the pharmaceutical company’s original claim was for a princely $1.3 billion in compensation.
Mark Cunningham-Dickie is a Principal Incident Response Consultant at Quorum Cyber. He has over 20 years’ experience in the technology industry including more than ten working in technical roles for law enforcement and other government funded organizations. Mark has an MSc in Advanced Security and Digital Forensics and a BSc (Hons) in Computer Science.