Ransomware, Vendor Hacks Push Breach Number to Record High
Report: 2.6 Billion Personal Records Exposed in the Last 2 Years
The number of data breaches in the U.S. has hit an all-time high amid mounting attacks against third-party vendors and aggressive ransomware attacks, says a report from Apple and a Massachusetts Institute of Technology researcher.
Data breaches have more than tripled between 2013 and 2022, compromising 2.6 billion personal records in just the past two years - and that trend has continued to worsen in 2023, says the report written by MIT professor Stuart Madnick and published Thursday.
In the first eight months of 2023, more than 360 million people were affected by corporate and institutional data breaches, and 1 in 4 people in the U.S. had their health data exposed in data breaches.
More ransomware attacks were reported from January through September 2023 than in all of 2022, the report said. In the first three quarters of 2023, the number of ransomware attacks increased by nearly 70% compared to the same period in 2022.
A 2023 survey of 233 IT and cybersecurity professionals across 14 countries working in the healthcare sector found that 60% of organizations have faced a ransomware attack, which is almost double the 34% reported by the sector in 2021.
The largest health data breach so far this year was an email hacking incident reported by HCA Healthcare, affecting 11 million people.
Breaches have also affected millions of individuals in other economic sectors this year. That especially includes incidents involving third-party vendors, such as exploitation of vulnerabilities in Progress Software's MOVEit and Fortra's GoAnywhere file transfer applications.
"Vendor exploitation attacks often have broad ripple effects. As the initial attack allows hackers to gain access to the vendor's system and data, it may also allow hackers to access the systems and data of that vendor's clients," the report says (see: Known MOVEit Attack Victim Count Reaches 2,618 Organizations).
This is precisely what happened with the campaign targeting flaws in MOVEit and in GoAnywhere. "In both cases, an unpatched vulnerability allowed hackers to compromise the data of organizations that relied on those two vendors and steal sensitive information from their customers" (see: Clop GoAnywhere Attacks Have Now Hit 130 Organizations).
The study said that about 98% of organizations reported having a relationship with a vendor that had experienced a data breach within the last two years.
"Given the prevalence of data breaches and their real-life consequences for individuals, keeping personal data safe should be at the forefront of organizations' priorities," the report says.