The 2023 Escalation in Personal Data Threats: Key Drivers
Recap from Apple's security report
In 2023, cybercriminals are increasingly targeting personal data, with attacks and data breaches escalating globally. This trend, already at historically high levels last year, shows alarming signs of intensification. Particularly in the U.S., data breaches have surged by nearly 20% in the first nine months of 2023 compared to 2022, signaling an all-time high for such incidents.
Two primary factors are driving this increased threat to personal data. First, ransomware attacks are becoming more frequent and dangerous. In 2023, these attacks reached unprecedented levels in terms of number and sophistication, with hackers often organizing into ransomware gangs. These gangs target entities with sensitive data, such as governments, genetic testing companies, and healthcare facilities, frequently opting to leak corporate and consumer data, causing significant harm to consumers.
Second, attacks exploiting vendors are on the rise, often affecting numerous organizations that depend on these vendors. In today's interconnected world, hackers need only exploit a single vulnerability in a vendor's system to access the data of all organizations reliant on that vendor. Remarkably, 98% of organizations have a relationship with a vendor that experienced a data breach within the last two years.
While organizations recognize these threats and invest heavily in defense, hackers continue to outmaneuver security measures. Organizations' persistent collection of unencrypted personal data only fuels hackers' efforts to devise new intrusion methods. This reality underscores the necessity for organizations to limit the amount of personal data stored in readable formats and adopt innovative solutions like end-to-end encryption to mitigate risks to individuals.
Alejandro Mayorkas, the U.S. Secretary of Homeland Security, and Bernardo Pillot of INTERPOL's Cybercrime Operations have highlighted the escalating nature of ransomware attacks and the increasing sophistication of cyber threats.
Cybercriminals breached over 2.6 billion personal records in 2021 and 2022, and data breaches more than tripled from 2013 to 2022. In just the first nine months of 2023, data breaches in the U.S. increased by nearly 20% compared to 2022.
Cybercriminals have notably targeted organizations handling sensitive personal information, such as schools, genetic testing companies, and healthcare institutions. For instance, 23andMe reported a breach in October 2023, exposing sensitive customer data, including genetic information. The Minneapolis Public Schools and the Better Outcomes Registry & Network in Ontario, Canada, also reported significant data breaches, exposing sensitive information about students and patients.
Over the years, hackers have shifted their strategies, focusing more on acquiring personal data and often leaking it on the dark web. Western Digital, for instance, suffered a significant breach where hackers accessed over ten terabytes of data and demanded a substantial ransom to prevent its publication.
Moreover, cybersecurity insurance has led to perverse incentives, with some hackers specifically targeting insured organizations because they are more likely to pay ransoms. However, paying a ransom does not guarantee the security of the data against leaks.
Hackers have also become more sophisticated, forming ransomware gangs that operate like enterprises, offering customer service and franchising opportunities. These gangs often target individuals within organizations, using aggressive tactics to gain access to systems.
Notable breaches include Capita, GoAnywhere, and 3CX, which affected many organizations and exposed vast amounts of personal data.