Publicly reported data compromises are increasing, but there isn’t as much detail around these reports as we’d like. According to the Identity Theft Resource Center (ITRC), “unknown” was the largest attack vector in the first quarter of 2022.
The ITRC publishes quarterly and annual reports that analyze the number, types, and root causes of data compromises reported in the United States. Sources for the analysis include news media, government agencies, research firms, and company announcements. Only publicly reported compromises from U.S. companies are considered, and exposed data that is not protected by a state data breach law is not included. The ITRC also measures the impact of a breach by counting victims, not records.
The two most recent reports are the one from Q1 2022 previously mentioned, and the Data Breach Annual Report for 2021. Both of these reports suggest trouble ahead in terms of compromises, breaches, and exposures.
Types of data compromise
The National Institute of Standards and Technology (NIST) has defined data compromise as the industry term for all events where personal information is accessible by unauthorized parties and/or for unintended purposes. Data compromise can refer to any of the following:
- Data breach — Unauthorized parties access personal information from where it is stored. This could be data stolen from a workstation, a server, cloud storage, or any other medium that holds digital records. You could be on the hook for a data breach even if someone steals your laptop, you lose a thumb drive, or you fail to get a mobile device back from a former employee. Cyberattacks are not the only cause of data breaches.
- Data exposure — Personal information is accessible to unauthorized parties, but there is no evidence of a breach. This is usually due to misconfigurations or vulnerabilities that leave gaps in the security around the data. Exposures are not considered data breaches unless there is evidence that an unauthorized party accessed the data.
- Data leak — A publicly available collection of low-risk data that can be used to profile an individual. This collection does not include sensitive information like Social Security Numbers (SSNs), but there’s enough data here to craft an effective social engineering or phishing attack against the victim. This category was added to the ITRC report in 2021.
Compromises continue to increase
The ITRC Q1 report suggests that 2022 will be another good year for the bad guys. Publicly reported data compromises increased for the third consecutive year, with Q1 2022 showing a 14% increase over Q1 2021. Phishing and ransomware are the top two identified causes, though the majority of breach disclosures do not identify a root cause. ITRC calculates that this lack of transparency in Q1 “represents a 40% increase of the total number of unknown breach causes for full-year 2021.”
There were 1,862 data compromises in 2021, which is the largest number of compromises since 2003. A total of 1,789 of these were data breaches, with 88% of these breaches caused by cyberattacks. Phishing and related attacks made email the most common primary cause of data breaches in 2021.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.