informa

Cybersecurity In-Depth

3 min read
article

The 3 Most Common Causes of Data Breaches in 2021

Phishing, smishing, and business email compromise continue to do their dirty work.

With reports of a data breach coming nearly every day, and sometimes multiple times a day, it is getting difficult to keep track of all of them. There were 69% more data breaches in 2021 compared with 2020, according to the Identity Theft Resource Center (ITRC) in its annual report on data breaches.

In the report, ITRC identified threee primary causes of a data breach: data was exposed or stolen because of a cyberattack, such as phishing or stolen credentials; a mistake, such as lost devices or incorrect configuration a system; and a physical attack, such as a skimmer at a gas station pump that steals payment card data. Just over a third (38%) of data breaches did not reveal the root cause of a compromise (not specified, unknown, or not available), a 190% increase since 2020. 

As expected, the bulk of the data breaches in 2021 were the result of cyberattacks. There were more cyberattack-related data compromises in 2021 than all data compromises in 2020, ITRC says.

Phishing and related attacks — such as smishing (phishing lures sent over SMS messages) and business email compromise (phishing messages sent by someone pretending to be a colleague or a supervisor) — was the most common primary cause of data breaches in 2021. Ransomware was not too far behind, and malware was the third most common cause of data breaches. At the current growth rate, ransomware attacks will pass phishing as the No. 1 root cause of data compromises in 2022, ITRC predicts.

About a quarter of data breaches were the result of a cyberattack, but it's unknown what the method was. 

Security incidents aren’t always malicious — humans are fallible and prone to making mistakes. The most common error that resulted in a data breach in 2021 was an all-familiar one: Someone emailed sensitive information to the wrong person. A salesperson could have accidentally sent a customer list to someone outside the organization with a name similar to the intended recipient. Or the employee did not realize who was on the recipient list when replying to all, accidentally sending proprietary information outside of the organization. Mistakes happen.

Configuration mistakes were the primary cause for a little over a third of data breaches that were the result of errors. These include both mistakes configuring the firewall – allowing attackers to access internal systems they shouldn’t have been able to see from outside the organization – as well as cloud systems and servers that were misconfigured to allow unauthorized access. Gartner has predicted that misconfigurations will cause 99% of all firewall breaches through 2023.

Physical attacks, on the other hand, seem to be on the decline, with 51 incidents in 2021, compared with 118 in 2019. That may have more to do with the pandemic being in its second year and people were still limiting their physical activities. Many people are still working remotely, and the rise of online shopping and delivery services means there are fewer opportunities for attacks that require the victim to be physically present, such as skimming payment cards or stealing devices.

ITRC says there were 294 million victims of data breaches in 2021.