'We're losing control of our data' as breaches reach an all-time high

Data compromises -- especially in the form of cyberattacks -- are increasing.
Written by Allison Murray, Staff Writer

The number of data breaches hit a record high last year, and experts are especially concerned about the increasing number of cyberattacks.

According to the 2021 Annual Data Breach Report published by the Identity Theft Resource Center (ITRC) on Monday, the overall number of data compromises (1,862) is up more than 68% compared to 2020 (1,108). Of the 1,862 compromises, 1,600 were cyberattacks.

"The thing that probably concerns me the most is that not only was last year a record high for data compromises but that so many of them were cyberattacks. And particularly, they were the kind of cyberattacks that it's very difficult for individuals to react to," James E. Lee, the COO of ITRC, told ZDNet.

Lee said the previous all-time high for all data breaches for all causes was 1,500 back in 2017, so the fact that cyberattacks alone accounted for 1,600 compromises last year is a considerable concern for individuals and businesses alike.

"We're talking about losing control over our data by another party, and there's not very much a consumer can do to prevent that from happening," he said. "To me, that is very concerning that we've now gotten to the point where we've got so many cyberattacks going on, it's hard for an individual consumer to keep up."

Another concern outlined in the report is the increasing number of ransomware attacks. Over the past two years, ransomware-related data breaches have doubled -- from 83 in 2019 to 321 in 2021.

"If we continue on pace where we are right now, ransomware will become the number one root cause of data breaches by the end of 2022, surpassing phishing," Lee said.

Even with the number of overall data compromises reaching an all-time high, the report revealed that the number of victims continues to decrease (down 5% in 2021 compared to 2020) as identity criminals focus more on specific data types than mass data acquisition. Lee said the reason is a shift from identity theft, or stealing someone's data, to identity fraud, or committing some other crime or making money off that stolen data.

"People who are seeking data are being more sophisticated about it, their attacks are more complex, and then how they turn around and use that, how they monetize that, equally as sophisticated, equally as complex," he said.

Lee said that the ITRC also found that fewer details are being published in breach notices, making it more difficult for businesses and consumers to figure out how to protect themselves or find out that a breach even occurred.

To help with this problem, the ITRC is introducing a free alert service to consumers within the next two months. The service will allow individuals to create a list of companies they interact with -- whether that be their bank, mobile phone carrier, or credit card company -- and receive email alerts from the ITRC when one of those organizations is breached, with a link to full details. In addition, Lee said the ITRC would introduce a paid version of the same type of service for businesses that would be even more robust.

Lee added that if people find out that they have been affected by a data breach this year, it doesn't always mean the worst.

"The first thing to remember is a data breach does not mean your information is being misused; it just means it's been exposed," he said. "There's no reason to panic just because you got a data breach notice. However, you do need to act on it."

Consumers can take some steps if they receive a notification about a data breach, or even to proactively prepare for one: change their passwords frequently and make sure they are long and unique. Lee said it's also important to freeze your credit if you get a data breach notification and get in the habit of using a multi-factor authentication app.

As far as the business side, Lee said training should be a huge priority for everyone in an organization.

"More than anything else, security has to be part of an organization's culture," he said. "You have to make it something that everybody understands that they have both a personal and a professional responsibility to help."
