Cyberattacks, ransomware hit a new record in 2021
Hackers made up for some lost time last year. After seeing the number of data breaches decline in 2020, the Identity Theft Resource Center’s 16th Annual Data Breach Report says the number of security compromises was up more than 68% in 2021. That tops the all-time high by a shocking 23%.
All told, there were 1,862 breaches last year — 356 more than in 2017, the previous busiest year on record, according to the ITRC.
“Many of the cyberattacks committed were highly sophisticated and complex, requiring aggressive defenses to prevent them,” Eva Velasquez, ITRC president and CEO, said in a statement. “If those defenses failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud.”
There was some good ... well, not so bad ... news in the report. For instance, while the number of hacks that involved sensitive data, such as Social Security numbers, was up slightly from 2020 (making up 83% of all attacks), the total number of victims was down 5% compared to the previous year. And the total number of hacks that obtained sensitive personal information was nowhere close to 2017, when 95% of all breaches had that data.
What’s concerning, though, is that the ITRC count is likely low, though to what extent is a mystery. The group notes that there has been a growing lack of actionable information in 2021, which prevents consumers from taking appropriate actions to protect themselves. One state, it noted (but did not identify), updated its breach notices in December 2021 for the first time since the fall of 2020.
All told, 607 breaches that resulted in a consumer notice were missing details last year, compared to just 209 in 2019.
Of course, there’s a question of how much that matters when many consumers aren’t taking the most effective actions to protect themselves anyway. Of the 72% of consumers who were aware of a breach notice, less than half (48%) changed their passwords on the affected accounts. Some 16% took no action whatsoever. And just 3% froze their credit, which would prevent a new credit or financial account from being opened in their name.
Hackers are still interested in personal information for identity-theft reasons, but increasingly last year, they used the passwords and logins they collected to infiltrate a business and attack it from within.
Ransomware-related data breaches have doubled for the past two years, and the ITRC expects this type of attack to bypass phishing as the most common cause of data compromises this year. Supply chain attacks, like DarkSide’s ransomware attack on Colonial Pipeline, are on the rise as well. (That particular attack saw 100 GB of data stolen and disrupted the petroleum supply chain for much of the East Coast.)
“In 2021, we saw a shift in the identity-crime space,” Velasquez said. “Too many people found themselves in between criminals and organizations that hold consumer information. We may look back at 2021 as the year when we moved from the era of identity theft to identity fraud.”