2023 is already a record year for data breaches and exposures

CareSource vendor was breached in third quarter

This year isn’t over yet, but the previous record is already broken for annual data compromises, which are breaches and exposures of personal information and consumer data, according to the third quarter report by the Identity Theft Resource Center.

From January to September there were 2,116 data compromises in the U.S., surpassing the annual all-time high of 1,862 data compromises set in 2021, the report said. The 2023 data compromises impacted 234 million victims.

The 733 data compromises and 66.7 million victims reported for the third quarter of this year include a hack of MOVEit software used by Dayton-based CareSource, which the report said had 3.18 million victims. CareSource and four other companies using MOVEit, a file transfer program owned by Progress Software, had the most data compromise victims in the third quarter, the report said.

In September a class action lawsuit over the MOVEit breach was filed against CareSource in U.S. District Court, alleging the company had inadequate cybersecurity protections.

“CloP, a Russia-based ransomware gang, recently victimized more than 65 million people and 2,000 plus organizations, including CareSource,” a CareSource statement released Friday said. “Recognizing the need to help members safeguard their data, CareSource quickly took steps to support members impacted by this global security event that exploited the MOVEit platform, including: retaining a leading cybersecurity firm, providing complimentary credit and identity monitoring, fraud consultation and identity theft restoration services, and training teams to help members access these free services to protect and monitor their data.”

The Identity Theft Resource Center (ITRC) is a nonprofit that tracks publicly reported incidents of compromised personal information and consumer data in the U.S. and offers online assistance for people with questions about identity theft, email phishing, scams, data breaches and other cybercrime issues.

“While setting a record for the number of data breaches is attention-grabbing, unfortunately, it is not surprising,” said Eva Velasquez, president and CEO of ITRC. “There are a handful of reasons for the rise in data compromises, ranging from the drastic uptick in Zero-Day attacks to a new wave of ransomware attacks as new ransomware groups enter the criminal identity marketplace. Now that we have broken the previous annual data compromise record, the question remains: by how much?”

What are data compromises?

Data compromises include breaches, exposures and leaks.

Breaches can be through ransomware attacks, when hackers use malicious software to infect a computer network and demand money from the victim.

Phishing is a fraudulent email or website where the fraudster pretends to be a legitimate business or person. It was the most common method of attack reported in the third quarter.

Zero-Day attacks, which ranked second, occur when the hackers exploit a previously undisclosed software flaw before it is patched.

Those Zero-Day attacks totaled 86 so far in 2023 compared to 2022, when there were 5, the report said.

A leak is when information people have put online is scraped from a website, which occurred in past years on the Facebook and LinkedIn social media platforms, according to the center.

Exposures, typically caused by a system or human error, are generally considered lower risk because there is no indication information was accessed, copied or removed.

In the third quarter all but six data compromise incidents were breaches.

Breaches can compromise personal information like Social Security numbers, logins and passwords, credit card numbers, consumer information, and in some cases also expose company data to the cyber intruders.

If those passwords are used to take administrative control of a company’s computer network, the thieves have the “keys to the kingdom,” Velasquez said during an earlier interview about cybersecurity.

The top compromises by industry in the third quarter were financial services, health care, professional services, manufacturing and education, according to the report.

Data compromises - U.S.  
This year there have already been a record number of data compromises, including exposures and breaches of data for individuals and businesses.  
20232,116234 million
20221,802425 million
20211,862298 million
20201,108310 million
20191,279884 million
20181,1752.2 billion
20171,5061.8 billion
Notes: Data is for publicly reported data compromises. 2023 is January-September 2023  
Source: Identity Theft Resource Center 

“The rise in compromises can also be attributed to a new wave of ransomware attacks as cybercrime groups return after being sidelined in the first year of the war in Ukraine, along with new ransomware groups entering the criminal environment,” the report said.

While data breaches have increased, the number of annual victims are much less than in 2018, when there were 2.2 billion victims, and 2017, when there were 1.8 billion, according to the center.

Prominent data compromises those years occurred at Equifax, Starwood Hotels (Marriott International), River City Media, Google, Facebook, Orbitz, T-Mobile, Verizon, and Uber Technologies Inc., according to James E. Lee, chief operating officer at ITRC.

Cybersecurity best practices

Employee cybersecurity awareness training

Install firewall and anti-virus software

Replace equipment and software that is out-of-date

Install security patches and updates immediately

Do frequent and duplicative backups

Have a written cyberattack response plan

Install virtual private network

Scan emails before they go to employees

Change passwords frequently

Use multi-factor authentication

Follow @LynnHulseyDDN on Facebook, Instagram and X (formerly known as Twitter)

About the Author