Data breaches are tracking toward a record-setting year in 2024, as cybercriminals aggressively target valuable information across various industries. On average, each data breach exposing sensitive information, such as Social Security numbers, has around 172,000 victims. This is according to an analysis of the Identity Theft Resource Center’s (ITRC) database from 2018 to the first quarter of 2024. These breaches cause significant headaches for consumers, who must then check if their information is secure elsewhere, as they become more susceptible to identity theft scams. In the first quarter of 2024, there were 841 publicly reported data breaches, nearly doubling from a year ago, according to the ITRC, a nonprofit that researches and advocates for identity theft issues. Data from previous years show numbers trending higher later in the calendar year, suggesting that 2024’s final count may surpass last year’s record of 3,203 data breaches, up from the previous record of 1,860 in 2021. James Lee, the ITRC’s chief operating officer, stated, “If we stay on the same path, we will break the record again.”
1. Millions of Consumers Have Been Victims of Data Breaches
The largest data breach at the beginning of 2024 occurred at mortgage lender LoanDepot, affecting nearly 17 million victims. This incident marks the company’s second data breach since 2018, bringing its total to around 33.5 million victims with exposed sensitive information. In January, the company announced an investigation into the incident and offered credit monitoring and identity theft protection services for free to the victims.
In the first quarter of 2024, financial services such as LoanDepot overtook health care as the industry with the most breaches, reaching 224 notices and surpassing the 124 notices from health care organizations. Since 2018, the hospitality sector has pulled far ahead of other industries due to a massive breach at Marriott in November that year, which compromised up to 383 million guest records. Marriott later clarified that “the number of payment cards and passport numbers involved is a relatively small percentage of the overall total records involved.”
Financial services and health care organizations are closely ranked, with around 197 million and 190 million victims, respectively. The technology sector follows with around 126 million victims. “It’s no surprise that financial services companies are frequent targets of bad actors because of the role the industry plays in most people’s lives,” said Lee from the ITRC. “The same applies to health care companies.” He also noted that the large number of victims in the hospitality industry reflects the massive amounts of personal information handled by hotels, airlines, and entertainment companies, making them prime targets.
2. Cybercriminals Targeting Specific Information
Even as the number of victims falls, the number of successful attacks rises. Privacy experts ascribe this to criminals launching more targeted assaults for specific types of valuable information, instead of grabbing as much data as possible. “The bad guys are impacting fewer individuals,” said Lee. “They’re doing that on a broader basis, so aggregated together, the total number of breaches is higher.”
3. Not Enough Data on Data Breaches
The surge in data breaches comes as the Federal Trade Commission (FTC) expanded reporting requirements for nonbanking financial institutions like mortgage brokers and vehicle dealerships. These institutions must now have security programs in place to protect customer information. Privacy experts say the FTC rule should provide a better understanding of when and where data breaches are occurring. The public’s understanding of how many data breaches are actually taking place is limited, partly because companies can be unaware of cyberattacks for months. Additionally, companies report breaches under a patchwork of state requirements that vary in how quickly and in how much detail disclosures must be made, compared to the more stringent nationwide laws in Europe.
MIT Sloan School of Management professor Stuart Madnick noted during recent talks with cybersecurity professionals that no one raised their hand when asked if they thought a quarter of cyberattacks were being reported. Most hands went up when asked if they thought 1% or fewer of cyberattacks were reported. Cyberattacks are by far the leading cause of data breaches. Madnick emphasized, “We don’t know what we don’t know.”
An FTC spokesperson mentioned that the rule requiring nonbanking financial institutions to report data breaches impacting 500 or more people within 30 days of discovery would help the agency gain better knowledge. “We are hopeful this requirement will motivate companies to implement appropriate safeguards to protect consumer data,” the spokesperson stated. However, some experts believe the FTC’s rule falls short compared to the European Union’s data protection rules, which require companies to disclose breaches within three days, and some U.S. states, which mandate that the breached organization pay for credit monitoring for the victims.
4. More Sophisticated Threats
New and more sophisticated cyberattacks are contributing to the rise in data breaches. According to MIT’s Madnick, there are three major emerging threats: the cloud, advanced ransomware, and vendor exploitation.
The cloud, where about 60% of corporate data is now stored, is an area where companies often lack long-term security experience. This can lead to cloud misconfigurations, where organizations inadvertently create back doors that hackers can exploit. Companies hastening their move to the cloud without due caution is one of the main reasons data breaches are escalating.
Traditional ransomware locks up a computer, scrambles data, and demands payment to unscramble it. The new breed of ransomware, however, often makes a copy of private information, with cybercriminals threatening to publish it as blackmail. Ransomware criminals are now acting like franchisees, creating teams that use their software, dramatically increasing the volume of attacks.
Vendor exploitation occurs when cybercriminals target third parties that work with multiple companies and have access to their data. The 2023 data breach stemming from the file transfer service MOVEit demonstrated this, allowing criminals to access sensitive information from the U.S. Department of Energy, British Airways, pension funds, and more.
Another compounding factor is that cybercriminals no longer need advanced technical skills. They can simply purchase the software and information needed to carry out attacks against data hubs. According to Silverfort’s Chief Information Security Officer John Cunningham, research shows that 65% of companies only protect some of their users with multifactor authentication, which makes hacking into accounts harder by requiring an additional verification step beyond the password. With new technology, however, cybercriminals can now crack passwords in minutes instead of months.
5. Follow the Notification
Companies should notify you if you are a victim of a data breach. It is crucial to read this notification carefully to get more information about what data was exposed and the steps the company recommends you take to protect yourself.
6. Freeze Your Credit
To prevent criminals from opening cards or other lines of credit in your name, contact each of the three credit bureaus—Experian, Equifax, and TransUnion—and request to have your credit frozen. This step is essential in thwarting potential identity theft attempts.
7. Credit Monitoring
In some instances, companies will offer free credit monitoring or other services after a data breach. Taking advantage of these services can help you keep an eye on suspicious activity related to your credit.
8. Reset Passwords
If your information has been compromised, it is crucial to change your passwords and use different ones for each service. This reduces the risk of further exploitation of your data.
9. Use a Password Manager
Employing a password manager, such as LastPass or services built into web browsers like Google Chrome and Microsoft Edge, can help create and store strong passwords. This adds another layer of protection to your online accounts.
10. Opt Out of Data Collection
Some states allow you to email services and request that they do not collect your data for use by third parties. Exercising this right can provide greater control over your personal information.
11. Request to Have Your Data Deleted
Despite a decrease in the number of victims, the frequency of successful cyberattacks has actually increased. Privacy experts have noted that this is because cybercriminals are becoming more selective in their targets. Rather than collecting a large volume of data indiscriminately, they are now focusing on acquiring specific, valuable information. This strategy allows them to maximize the impact of their efforts while affecting fewer individuals. Lee explains, “The bad guys are impacting fewer individuals. They’re doing that on a broader basis, so aggregated together, the total number of breaches is higher.”
These targeted attacks are often more sophisticated and can lead to significant consequences for the affected parties. By homing in on particular types of information, such as financial data, intellectual property, or personal identifying information, cybercriminals can extract more value from each breach. This approach benefits them in multiple ways: They can sell the targeted data at a higher price on the black market, use it to blackmail victims, or perpetrate further fraudulent schemes.
Moreover, the rise in successful targeted attacks reflects an evolution in cybercriminal tactics. They are increasingly employing advanced techniques such as phishing, social engineering, and ransomware to achieve their goals. These methods often involve detailed planning and knowledge about the victims, making the attacks harder to detect and prevent. As these strategies continue to develop, individuals and organizations must remain vigilant and enhance their cybersecurity measures to protect against such threats.