ITRC Report: Breaches Up 78% in 2023, Breaking 2021 Record
Identity Theft Resource Center's James E. Lee Calls for Uniform Breach Reporting

Supply chain attacks and zero-day exploits surged in 2023, helping to set yet another record for data breaches tracked by the Identity Theft Resource Center. James E. Lee, COO of the group, explained why the number of compromises grew so dramatically - from 1,801 incidents in 2022 to 3,205 in 2023. The previous all-time high was 1,860 compromises in 2021.
The short answer is that supply chain attacks on popular software products had a multiplier effect on a broad range of public and private sector organizations that use those applications. Last year, supply chain attacks affected over 1,000 organizations, compared to just over 100 a few years ago, Lee said.
Other major factors include a record number of zero-day vulnerabilities, the return of large criminal organizations, previously on the sidelines during geopolitical conflicts, and the increasing use of generative AI tools to create more convincing and more automated phishing attacks. "We don't see anything that indicates these trends are going to reverse, so it's really an open question as to how high we go from here," he said.
Lee also sees a worrying trend in the information gaps in data breach notices. In the 2023 report, the number of breach notices with no specific information doubled. From 2005 to 2020, 100% of notices provided details on the attack vector, but today that number has dropped to 54%. The lack of standardized state laws results in a "patchwork system," he said, and hinders effective preparation for cyberattacks.
Lee said security leaders should advocate for "a more uniform and updated set of state laws" to address this growing issue and enhance organizational readiness.
In this video interview with Information Security Media Group, Lee discussed:
- Key trends and patterns in the report and how they differ from previous years;
- How the emergence of generative AI has affected the findings;
- How to bring uniformity to the breach notice process to protect both consumers and businesses.
Lee, a data protection and technology veteran, is the former executive vice president and company secretary of Irish application security company Waratek and former senior vice president and chief marketing officer for Atlanta-based data pioneer ChoicePoint - now LexisNexis. He chaired two working groups for the American National Standards Institute on identity management and privacy. Prior to joining ChoicePoint, Lee served as a global public affairs and communication executive at International Paper Co.