Security practitioners looking back on 2021 may see it as the year attackers shifted their focus from identity theft to identity fraud. That’s according to Eva Velasquez, president and CEO of the Identity Theft Resource Center (ITRC), after the organization released its annual data breach report.
“In 2021, we saw a shift in the identity crime space,” Velasquez said in a release about the report. “Too many people found themselves in between criminals and organizations that hold consumer information.”
While the report found a 5% decline in the number of victims between 2020 and 2021—due in part to cybercriminals refocusing their efforts on specific data types as opposed to mass data acquisition—“the number of consumers whose data was compromised multiple times per year remains alarmingly high,” the ITRC said. Events involving sensitive information like Social Security numbers showed a slight increase over 2020.
“The number of breaches in 2021 [also] was alarming,” Velasquez noted, with the total number of data compromises reaching 1,862, a 68% increase over the year before and a 23% upswing from 2017, which previously held the record for breaches at 1,506.
“Reporting to ITRC is optional, and it shows,” Shawn Melito, chief resource officer at BreachQuest, said, adding that it’s likely the study lowballed the number of compromises. “1,862 compromises are a drop in the bucket compared to the real total number,” said Melito. “I know individual law firms that handled more than 2,000 incidents last year.”
Inadequate Transparency
But the results still revealed concerning trends. “Many of the cyberattacks committed were highly sophisticated and complex, requiring aggressive defenses to prevent them,” Velasquez said. “If those defenses failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud.”
Not surprisingly, the number of ransomware-related data breaches jumped significantly—doubling in 2021 as it also did the year before. If that pace continues, the ITRC expects ransomware attacks to surpass phishing in 2022 as the leading root cause of data compromises.
The supply chain was a clear target: third-party supply chain attacks rose from 69 in 2020 to 93 in 2021, and those 93 attacks affected 559 entities. “From the standpoint of an adversary, supply chain attacks benefitted from at least two factors,” said Tim Wade, technical director, CTO team at Vectra.
“First, when successfully executed, there’s a factor of scale associated with moving downstream from a supplier that allows a single compromise to extend to multiple victims,” Wade said. “Second, traveling down into organizations via trusted suppliers can be a mechanism to avoid detection.”
Cyberattack-related data compromises grew to 1,603 in 2021—that’s more than all data compromises (1,108) logged in 2020.
Manufacturing and Utilities saw the biggest increase—a whopping 217%—while the military didn’t publicly disclose a single data breach.
Another troubling increase: “The number of data breach notices that did not reveal the root cause of a compromise (607) has grown by more than 190% since 2020,” ITRC found.
We’ve Only Just Begun
The numbers will only increase as the threat landscape expands due to digitization. “The consumer move to a preference for digital-first interactions will grow the potential threat landscape that can be targeted by attackers,” said Tyler Shields, CMO at JupiterOne. “More apps, more data in the cloud, more digital experiences mean more targets of both opportunity and chance. There will be a continued increase in data compromise as more of our daily lives move into the cloud. We’ve really only just begun to see the expansion of digital experiences and the attacks that will grow alongside them.”
Tal Morgenstern, co-founder and CPO at Vulcan Cyber, agreed that “vulnerabilities will continue to increase in number in line with the pace and scale of the tech we adopt,” and noted that “we’ve come to expect and account for inherent risk in our digital lives.”
But, he said, “The more concerning trend is a mounting pile of security debt we, as cybersecurity professionals, can’t seem to get ahead of.”
“We are seeing more advanced persistent threats like the SolarWinds hack that daisy-chain vulnerabilities and exploits to inflict maximum damage to digital organizations. As an industry, we are still learning from and cleaning up after that one,” Morgenstern said. “And it is unfair to put all the blame on SolarWinds considering how the bad actors used known, old, unaddressed vulnerabilities that should have been mitigated by IT security teams well before the SolarWinds software supply chain hack was ever hatched.”
“Security has always been a balance of ease-of-use and security. The cybersecurity vendor community must drive toward creating easy-to-use cybersecurity experiences that deliver an acceptable level of security to the technologies that consumers demand,” said Shields.
Stefano De Blasi, cyber threat intelligence analyst at Digital Shadows, urged organizations to “not automatically grant access and permissions to third-party software and hardware. They should, instead, constantly verify these devices, users and programs operating within or alongside their perimeter.”
One remedy is a zero-trust architecture. “The zero-trust architecture framework embodies this strategy and principle that organizations should adopt to improve their security,” De Blasi said.
The impact of third-party supply chain attacks on others “underscores one of the important principles present in zero-trust architecture: Continuously monitoring and reevaluating trust,” said Wade. “Organizations can’t simply vet suppliers on the way into the ecosystem as a point-in-time exercise, and instead must invest in ongoing detection and response capabilities so that when something previously trusted begins to misbehave, they’re in a position to do something about it.”
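To make the difference between point-in-time vetting and continuous re-evaluation concrete, here is an added example (not from the ITRC report, nor code from any of the vendors quoted above). It replays a constructed stream of API calls from a hypothetical third-party backup agent through two toy policies: one that allows everything once the supplier has passed onboarding, and one that re-checks credential age, declared scopes and request rate on every call and revokes trust after repeated anomalies. The supplier name, scopes, thresholds and events are all assumptions made for the illustration.

```python
"""Continuous trust re-evaluation for a third-party integration.

Added example, not from the ITRC report or any quoted vendor. All names,
thresholds and events below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_CREDENTIAL_AGE_S = 90 * 24 * 3600  # assumed policy: rotate supplier tokens every 90 days
RATE_WINDOW_S = 60                     # sliding window for the burst check
RATE_LIMIT = 5                         # requests per window before behaviour counts as anomalous
STRIKES_TO_REVOKE = 2                  # consecutive anomalies before trust is withdrawn


@dataclass
class Supplier:
    name: str
    declared_scopes: frozenset          # what the supplier said it needs at onboarding
    credential_issued_at: int           # epoch seconds
    vetted: bool = True                 # onboarding check, performed once
    trusted: bool = True                # continuously re-evaluated
    recent: deque = field(default_factory=deque)  # timestamps inside the rate window
    strikes: int = 0                    # consecutive anomalous requests


@dataclass
class Request:
    ts: int
    supplier: str
    scope: str


def onboarding_only(sup: Supplier, req: Request) -> str:
    """Point-in-time model: once vetted, every later request is allowed."""
    return "allow" if sup.vetted else "deny"


def continuous(sup: Supplier, req: Request) -> str:
    """Zero-trust model: re-check credential, scope and behaviour on every call."""
    if not sup.vetted or not sup.trusted:
        return "deny"
    reasons = []
    if req.ts - sup.credential_issued_at > MAX_CREDENTIAL_AGE_S:
        reasons.append("stale-credential")
    if req.scope not in sup.declared_scopes:
        reasons.append("undeclared-scope")
    # crude behavioural signal: how many calls landed inside the last RATE_WINDOW_S
    sup.recent.append(req.ts)
    while sup.recent and req.ts - sup.recent[0] > RATE_WINDOW_S:
        sup.recent.popleft()
    if len(sup.recent) > RATE_LIMIT:
        reasons.append("burst")
    if reasons:
        sup.strikes += 1
        if sup.strikes >= STRIKES_TO_REVOKE:
            sup.trusted = False  # a previously trusted supplier is misbehaving: pull its access
            return "revoke:" + ",".join(reasons)
        return "deny:" + ",".join(reasons)
    sup.strikes = 0
    return "allow"


def run(policy) -> list:
    """Replay a constructed event stream through a policy and collect its decisions."""
    sup = Supplier("acme-backup-agent", frozenset({"backups:write"}), credential_issued_at=0)
    events = [  # constructed sample traffic from the hypothetical supplier
        Request(100, sup.name, "backups:write"),  # normal
        Request(200, sup.name, "backups:write"),  # normal
        Request(300, sup.name, "hr:read"),        # starts reading data outside its declared job
        Request(301, sup.name, "payroll:read"),   # second anomaly in a row: trust is revoked
        Request(302, sup.name, "backups:write"),  # even a legitimate-looking call is now blocked
    ]
    return [policy(sup, e) for e in events]


if __name__ == "__main__":
    print("onboarding-only:", run(onboarding_only))
    print("continuous:     ", run(continuous))
```

The onboarding-only policy never notices the scope creep because it consults nothing but the result of the original vetting; the continuous policy denies the first out-of-scope read, revokes the supplier on the second, and keeps denying afterwards until a human re-establishes trust. In a real deployment the signals would come from an identity provider, device posture service and detection pipeline rather than in-memory counters, but the decision structure is the same.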