Phishing, Ransomware Driving Wave of Data Breaches

Data compromises have increased every month this year except May.

If that trend continues, or even if there is only an average of 141 new compromises per month for the next six months, the total will still exceed the previous high of 1,632 breaches set in 2017.

These were among the findings of the nonprofit organization Identity Theft Resource Center’s (ITRC) latest data breach analysis report, which revealed publicly reported U.S. data breaches are up 38% in the second quarter of 2021, for a total of 491 compromises, compared to Q1.

Phishing, Ransomware and Supply Chain Attacks

The surge in phishing, ransomware and supply chain attacks is driving the accelerated pace of data compromises and is the central factor contributing to a record year for total data breaches, data exposures and data leaks.

The report noted, however, that the number of victims—118.6 million—is only  38% of  the total number of people impacted by data compromises in 2020. If the trend continues, 2021 could result in the lowest number of people impacted by data compromises since 2014.

“Simply put, cybercriminals don’t need to steal as much information as they have historically to commit phishing and ransomware attacks,” said the ITRC’s chief operating officer James E. Lee. “For the past several years, identity thieves have been relying less on stealing mass amounts of information needed to attack individuals in favor of being very targeted in what they steal and the companies they target.”

He noted even with the drop in the number of victims, the risk of identity crimes to those impacted by breaches and compromises is real and can have devastating consequences.

Three Key Actions to Face Threats

From Lee’s perspective, there are three key actions every business needs to take to face these threats: The first is to speed up the patching process for known software flaws and implement an ongoing penetration testing regimen.

“You don’t have weeks or months anymore to avoid an attack against a known bug; you have days to hours,” Lee warned. “Some tools allow you to apply virtual patches in minutes. Use them. And you need to constantly look for zero-day flaws and other holes in your software and security protocols. The cybercriminals are—you should, too.”

Secondly, once you’ve patched your software, you need comprehensive backups. As Lee noted, if you don’t have good backups, restoring your data is no longer an option if you are the victim of a ransomware or malware attack.

The third action centers around training your teams to spot phishing attempts; the number-one root cause of a data breach today.

“Not just some team members and not just at new employee orientation; cybercriminals are always evolving their tactics, and your teams need to know what to look for as a signal of an attack when new exploits and vectors emerge,” Lee said. “Routine training is important and ensures everyone in an enterprise knows cybersecurity is a personal responsibility.”

One other thing Lee asked organizations to consider: Are you collecting too much personal information?

“Cybercriminals can’t take what you don’t have,” he added.

Despite the fact that, on the whole, organizations are spending more money on cybersecurity and data protection than ever, there is no 100% foolproof way of preventing every data breach, ransomware or phishing attack.

As Lee puts it, corporate and government cybersecurity teams are largely outgunned by the sheer number of threat actors, and they must operate under a set of rules that do not apply to their cybercriminal adversaries.

Lee said there are still too many organizations that think it is “cheaper to pay the fine” than invest in proper data security and privacy controls.

“Even the most responsible companies are subject to innovative exploits, as we have seen as recently as last week. because the tools most companies use rely on outdated approaches—whitelisting, blacklisting, pattern matching, heuristics—or they were not built in anticipation of the style of attacks that are emerging,” he said.

Security pros are now facing attack vectors based on the efforts of threat actors who have the time and resources to reverse engineer and dig into mainstream software in a way that even the OEMs don’t do.

“As a result, we’re seeing attacks that exploit more zero-days that escaped the development process,” Lee pointed out.

Also on the rise are daisy-chains of medium and low-severity flaws that can be exploited, a threat that often flies below the alert threshold of many organizations that prioritize patching based on CVSS scores, where a lower score equals lower priority.

“In other words, we are using old weapons to fight new battles against a well-organized and well-equipped enemy,” he said.

Lee said if you dig into the current data breach statistics, it paints a picture of the present and near-future where cybercriminals continue to change their tactics while the cybersecurity community plays catch-up. What’s lost in most of these discussions, he said, is the fact that each data breach and cybersecurity attack has a real-world impact on a person.

“As threat actors become increasingly aggressive in their actions, the impacts are also likely to continue to grow beyond the risks of harm and inconvenience to actual harm on an ever-larger scale,” he said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 243 posts and counting.See all posts by nathan-eddy