Why Data Breaches Are On The Rise Worldwide
This guest post was contributed by Mark Cunningham-Dickie, Principal Incident Response Consultant, Quorum Cyber
In 2023, there were 2,365 reported cyberattacks impacting 343,338,964 victims. That represents a 72% increase in data breaches over 2021, which held the previous all-time record, according to the Identity Theft Resource Center's 2023 Data Breach Report. The question is, why? And what is the outlook for the future?
The dramatic increase in data breaches is not primarily a story of threat actors becoming more sophisticated; it is a story of criminals changing their tactics, techniques, and procedures. There are certainly more criminals using cyber as a means to their ends. They have been aided by the growth, over the same period, of platforms that let them rent the skills and infrastructure of others to carry out compromise operations they could not carry out themselves. Between 2013 and 2022 we have seen the rise of access brokers selling compromised footholds, ransomware-as-a-service, and tooling that automates bot-driven phishing. Over the same period, organizations have collected far more data and connected far more devices to the Internet, which expands both the attack surface and the pool of targets.
Threat actors may be somewhat more sophisticated than in the past, but that sophistication is largely borrowed: tactics brought over from other areas of crime, and techniques developed by small groups of highly capable individuals and then packaged for everyone else.
In some instances, companies are undoubtedly failing to safeguard consumers, clients, staff, and suppliers; in others, such as compromises through zero-day vulnerabilities, they may not be. It has to be judged case by case. The period 2013-2022 has also seen a fundamental step-change in how, and to whom, zero-day vulnerabilities are sold.
Unfortunately, this is going to keep happening. Over the period mentioned above we have seen the rise of ransomware that encrypts data, then multi-extortion (encryption plus the threat of leaking stolen data), and we are now starting to see encryption-less extortion increase, where the data is simply stolen and ransomed. In the US, there has been a case of a ransomware threat actor reporting its non-paying victim to the Securities and Exchange Commission (SEC). What is interesting is that under the SEC's whistleblower program, if a whistleblower informs on an organization and the organization is fined as a result, the whistleblower is entitled to a portion of the monetary sanction. We will see how that plays out, and if and how any payment is made to the reporting party.
I suspect that ransomware may head in a similar direction to human ransoms. In mainland Europe, for example, paying ransoms for the safe return of a nation's citizens is much more accepted, and the pressure to pay is generated by raising the plight of the individual to public attention until organizations and governments feel compelled to pay. I expect ransomware to follow the same tack, with the stolen data playing the role of the hostage. If threat actors find a mechanism for publicizing to the affected parties that their data has been stolen, then group pressure from those parties, the threat of litigation, and reputational damage may become the next tactic for extorting organizations into paying.
It is not only the loss of data that has a direct impact on users and organizations. Service interruption caused by supply chain attacks is disrupting the daily operations of organizations and individuals. While this may be seen as an inconvenience, the consequences can be significant: outages at hospitals and their supporting infrastructure can be life-altering, and insurance claims for recovering from cyber incidents push up premiums for everyone.
Following the 2017 NotPetya attack, pharmaceutical giant Merck & Co. filed a claim with its insurers to recover the cost of the damage and losses the attack caused to the organization. The claim was initially rejected, with the insurers invoking a war exclusion on the grounds that the attack was an "act of war", since it has been widely attributed to the Russian state. Merck & Co. challenged that decision in court and won, both at first instance and on appeal. The case was finally settled out of court before a further appeal by the insurers could be heard. While the final settlement sum is not known, the initial claim sought $1.3 billion to cover the company's losses.