Both the number of data breaches and the number of individuals affected by data breaches plummeted in 2020, as attackers moved away from collecting mass amounts of information and instead targeted user credentials as a way to infiltrate corporate networks to install ransomware.
That's according to a new report, out Jan. 28 from the Identity Theft Resource Center, which estimates that more than 300 million individuals were affected by data breaches in 2020, a large number but a drop of 66% from the previous year. In addition, the number of reported data breaches fell to 1,108, a decline of 19% from 2019.
Because more than half of workers shifted to remote work during the year, many expected data breaches to increase, but instead cybercriminals became more focused, says James Lee, chief operating officer of the ITRC.
"What has happened is that threat actors are not as interested in mass data collection," he says. "The data breaches that do occur are not about 'hoovering' up everything in sight, as they were five and ten years ago. Now they are very targeted and very strategic."
The top findings of the breach report reflect two major economic trends. As companies shifted to a remote workforce due to the pandemic, more than half of workers moved to working from home. The shift made credentials an even more valuable commodity for hackers, as valid credentials could be used to infiltrate a business.
And what to do with credentials? Cybercriminals continued to double down on ransomware, attacking companies, encrypting and exfiltrating sensitive data, and demanding payment for the keys to the data, in a one-two punch known as "double extortion."
"What [cybercriminals] are really looking for, and this is reflected in the value you see in the identity marketplace, … is credentials," Lee says. "They know that most people reuse passwords, so even a personal compromise, they know, can lead them to a corporate setting, the ability to get into a company."
Both the number of breaches and the number of people affected are down significantly from the highs of the past five years. In 2017, the number of annual reported breaches hit a high of 1,631 incidents, 47% more than in 2020. In 2016, the number of individuals affected by data breaches spiked, reaching 2.5 billion, more than seven times higher than in 2020.
Unlike other data breach reports, the ITRC's report does not use the number of records exposed as a measure of impact. A report released earlier this month by Risk Based Security also saw breaches decline but noted that the number of exposed records increased, mainly due to large databases left accessible online.
Phishing — including business email compromise, a form of spear-phishing — topped the list of data breach causes, accounting for 382, or 44%, of data breaches. The second major cause is ransomware, accounting for 158 breaches or 18%, followed by malware with 104 breaches or 12% of the total.
Companies' focus on security — and the lessons that past breaches have provided — is likely one reason that breaches have declined, says ITRC's Lee.
"You look at an Equifax, you look at a Target, you look at all these companies, and the pain that they have gone through to come out on the other side as stronger organizations — it is a very painful process," he says. "People look at that and say I don't want that to happen to me, so there is a lot of practices and security tools they put in place."
Yet attackers have started to adapt as well. Supply chain attacks have become more popular, with more than 668 companies affected by attacks on third-party providers, according to the report.
Data breaches affecting individuals continued to prioritize sensitive data, such as Social Security numbers, personal health information, and credentials, with 558, 407, and 231 data breaches including those types of data, respectively, according to the report.
In a worrisome trend, the US government is reducing support for identity-theft victim assistance; in fact, no federal funds have been specifically reserved for such assistance in the current fiscal year, according to the report.
"The US government has been the primary source of funding for victim assistance offered by the ITRC and other non-profit organizations as well as state and local government agencies," the report states. "Those funds are steadily being reduced."