Data compromises hit record high; cybercriminals use stolen information to attack businesses

Combined ShapeCaption
Kyle Jones, professor and chair of the computer science and information technology department at Sinclair Community College, discusses phishing.

Data compromises broke another record in 2021, and more businesses were targeted by cybercriminals armed with stolen personal information and passwords, according to the Identity Theft Resource Center’s 2021 annual report.

Publicly reported data compromises in the U.S., including breaches, exposures and leaks, totaled 1,862 in 2021, a 68% increase over 2020. Nearly 294 million people were victims.

ExploreCybercriminals likely to hit more businesses, exploit digital payments in 2022

Cyberthieves increasingly attacked businesses using stolen individual credentials, such as logins and passwords, or by tricking people into revealing information needed for those attacks, the report found.

“In 2021, we saw a shift in the identity crime space,” said Eva Velasquez, president and CEO of the resource center, which is a national nonprofit that tracks publicly reported data compromises in the U.S. and provides free assistance to victims.

“Too many people found themselves in between criminals and organizations that hold consumer information. We may look back at 2021 as the year when we moved from the era of identity theft to identity fraud,” she said.

ExploreCompanies skimp on cybersecurity defense at their own peril

Data compromises in 2021 were 23.6% higher than the previous record of 1,506 in 2017. Eighty-three percent of data compromises involved sensitive information, such as Social Security numbers, a slight increase from 2020 but still below the previous high of 95% set in 2017, the report said.

“The number of breaches in 2021 was alarming. Many of the cyberattacks committed were highly sophisticated and complex, requiring aggressive defenses to prevent them,” Velasquez said. “If those defenses failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud.”

Compromised data incidents - U.S. - 2017-2021 
DataTotal
Social security number3,839
Personal health information2,170
Driver's license1,181
Bank account1,280
Email or password961
Other1,013
Source: The Identify Theft Resource Center, which tracks publicly reported data breaches, exposures and leaks.

The number of individual victims declined by 5% in 2021, a downward trend as cybercriminals in recent years turned their attention to stealing specific data types rather than mass data acquisition.

There also was an increasing trend toward supply chain attacks, where a cybercriminal attacks a single company and then uses that access to infect companies in its supply chain.

One of the prominent ones in 2021 was an attack on Accellion, a U.S. based software provider. Accellion’s file sharing software was compromised by ransomware gangs and other cyber thieves, impacting 38 customers and putting nearly 6.8 million consumers at risk, the report said.

ExploreCybercriminals make eye-popping ransom demands

Ransomware attacks are when hackers use malicious software — or malware — to infect a computer network, locking out the owner by encrypting the data. The hacker demands money in exchange for a key to restore access and agreeing not to publicly release or destroy stolen data.

It’s unknown exactly how many businesses were hit by ransomware attacks, as owners often keep the attack secret and broad gaps exist in reporting requirements, which experts say hinders efforts to battle the problem.

Two prominent ransomware attacks in 2021 were on Colonial Pipeline Co. and meatpacker JBS, both of which had significant business disruptions after the May attacks. Both paid ransoms in cryptocurrency, with JBS paying $11 million and Colonial $4.4 million. In June the U.S. Department of Justice announced its new digital extortion task force had recovered about $2.3 million of Colonial ransom payment after the company had acted quickly to notify the FBI and followed instructions to help investigators track the payment, CNN reported.

Explore5 experts: Cybercriminals want your data and ransom money

“That’s been my principal concern: the cryptocurrency,” said Kyle Jones, associate professor and chairman of the computer science and information technology department at Sinclair Community College. “It has ramped this up big time. It’s on its way to becoming a billion dollar enterprise because of cryptocurrency.”

Ransomware-related data breaches have doubled in each of the past two years and are on track to surpass phishing as the top root cause of data compromises, the report said.

Phishing is a fraudulent email or web site where the fraudster pretends to be a legitimate business or person.

Combined ShapeCaption
Data compromise sector trends reported for the last three years in the Identity Theft Resource Center's 2021 Annual report.

Credit: Contributed

Data compromise sector trends reported for the last three years in the Identity Theft Resource Center's 2021 Annual report.

Credit: Contributed

Combined ShapeCaption
Data compromise sector trends reported for the last three years in the Identity Theft Resource Center's 2021 Annual report.

Credit: Contributed

Credit: Contributed

Also in 2021, data compromises increased year-over-year in every primary sector but the military, which had no publicly disclosed data breaches. Financial services had the most compromises, but the largest percentage increase was in the manufacturing and utilities sector, which had a 217% increase over 2020, the report said.

“There is no reason to believe the level of data compromises will suddenly decline in 2022,” Velasquez said. “As organizations of all sizes struggle to defend the data they hold, it is essential that everyone practice good cyber-hygiene to protect themselves and their loved ones from these crimes.”

ExploreThieves stealing passwords can get ‘keys to the kingdom’

Most consumers have been the victim of a data breach and more than half of social media users have had their accounts compromised, according to a 2021 survey of 1,050 adult consumers in the U.S. by the resource center and DIG.Works, a consumer research company. It found that 16 percent of respondents took no action after receiving a data breach notice.

Victims of identity theft or those looking for assistance and information about the problem can get free help from the resource center by calling 888-400-5530 or visiting idtheftcenter.org to live-chat.

Cybersecurity best practices
Employee cybersecurity awareness training
Install firewall and anti-virus software
Replace equipment and software that is out-of-date
Install security patches and updates immediately
Do frequent and duplicative backups
Have a written cyberattack response plan
Install virtual private network
Scan emails before they go to employees
Change passwords frequently
Use multi-factor authentication

Follow @LynnHulseyDDN on Twitter and Facebook

ExploreSee more stories by Lynn Hulsey
ExploreExpert: Great managers, quality onboarding and training key to finding, retaining talent
ExplorePHOTOS: 500 people hear about Dayton region economic wins during DDC meeting in Carillon ballroom
ExploreHusted: Intel project sparks interest in Ohio and could be much bigger than announced
ExploreDayton businessman Brian Higgins found guilty of federal charges
ExploreRepublican Moreno ends U.S. Senate campaign in Ohio
ExplorePandemic tempers optimism about Dayton region economic prospects in 2022

About the Author