This year is unlikely to be a record one for data compromises, although Q3 saw a massive increase in supply chain attacks and nearly 242 million US breach victims, according to the Identity Theft Resource Center (ITRC).
The non-profit tracks publicly reported US data breaches and accidental leaks to compile its quarterly reports.
The latest revealed a 77% quarterly decline in the number of data breach and leak victims – but that’s only because Q2’s figures (940 million) were inflated by two mega breaches at Ticketmaster and Advance Auto Parts.
The total number of so-called “data compromises” – which includes breaches and leaks – stood at 672 for Q3, an 8% quarterly decline.
However, there were some concerning findings – notably that supply chain attacks rose 203% quarter-on-quarter in Q3 after dropping in the first two quarters of 2024. Some 97 entities were impacted by 31 breaches and data exposures, affecting almost one million victims.
“While we will likely not set a new record for the number of data compromises in a single year as we did in 2023, there are some interesting trends in the Q3 2024 Data Breach Report,” said Eva Velasquez, ITRC CEO.
“In particular, the number of businesses reporting multiple data breaches in the past 12 months and the return of mega-data breaches that impact more than 100 million people. These trends prove that businesses must continue to prioritize data and identity protection, and consumers must take the steps needed to make their information less valuable to criminals.”
Mega Breaches Continue
The mega breach Velasquez was referring to involved telco giant AT&T. Some 110 million victims were impacted after threat actors downloaded customer data including call logs from its Snowflake account.
Another ‘mega breach’ in Q3 was actually an accidental data leak by MC2 Data, in which the background check specialist left 2.2TB of sensitive data accessible online without password protection. However, there’s no indication that threat actors got hold of the information before the privacy snafu was fixed.