Digital Transactions Authoritative, insightful and timely information for payments professionals
Data compromises reported in the United States reached a record high in 2023, totaling 3,205, a 78% rise over 2022 and up 72% from the then record high of 1,860 in 2021, according to the Identity Theft Resource Center’s annual Data Breach Report. It is the first time the number of U.S. data compromises reported in a single year exceeded 2,000, the ITRC says, as new technology like generative artificial intelligence began to play a role.
Data compromises include data breaches, data exposures, data leaks, and unspecified data events, according to the ITRC.
Three industries—health care, financial services, and transportation—reported more than double the number of compromises reported in 2022. Some 809 data compromises were reported in the health-care industry, up from 343 in 2022. Financial-services providers reported 744 data compromises, up from 269 in 2022, while 101 data compromises were reported by transportation companies, up from 36 a year earlier.
As the number of overall data compromises grows, one emerging trend is that attackers are increasingly targeting vendors within the supply chain to gain a back-door entry into larger companies. The number of so-called supply-chain attacks more than doubled in 2023 to 242, up from 115 from a year earlier.
“It’s much easier for a cybercriminal to attack a smaller company with less security that has access to the information of multiple companies or stores the information of multiple companies, than to attack one company at a time,” says James E. Lee chief operating officer for the ITRC, in an email message.
Disturbingly, one weapon that cyber criminals have added to their arsenal is generative AI, a form of artificial intelligence that can generate text, images, synthetic data, or other media using generative models. generative models can, for example, predict the next word in a sequence.
The use of generative AI has improved the quality of phishing emails, or lures, designed to trick recipients into giving up their personal information or online security credentials. Before generative AI, phishing lures were typically riddled with poor grammar and spelling errors, which gave them away as inauthentic. Generative AI is now making it possible to produce lures that can easily fool people into giving up personal data or their online credentials.
“It’s difficult to quantify how many attacks are linked to AI, but we know that the quality of phishing lures is improving,” Lee says. “Better grammar, spelling, and design means more people are falling for phishing attempts. AI is also improving the effectiveness of social-engineering scripts, resulting in more personal or business information being exposed.”
Another emerging trend is that public companies affected by a data compromise are becoming less forthcoming about the root cause of the breach, despite adoption of new rules by the Securities and Exchange Commission regarding disclosure of such events.
Analysis of breach notices by the ITRC revealed that 47% of public companies withheld information about an attack compared to 46% of private companies, government agencies, educational institutions, and nonprofit organizations.
“The reality is that organizations in all sectors—public, private, non-profit—are withholding valuable information about data breaches because they are not legally required to [disclose], depending on the state (where they are headquartered),” Lee says in his email message. “A lack of statutory requirements and court decisions that require proof of actual harm (not just the risk of harm), means that entities across a broad spectrum of organizations are following the advice that they should not disclose information about the cause of a breach unless required to do so. The rationale is that disclosing such information could give potential litigants a roadmap to filing a lawsuit.”
