The number of publicly reported US data breaches and leaks last year dropped 19% as attackers continued to move away from mass theft of customer data to more lucrative tactics like ransomware, according to a leading non-profit.
The Identity Theft Resource Center (ITRC) compiled its annual report from company announcements, mainstream news reports, government agencies, recognized security firms and researchers, and other non-profits.
In total, it recorded 1108 incidents, down by nearly a fifth on 2019’s figures, while nearly 301 million individuals were affected, a drop of 66% on the previous year.
Breaking it down further, there were 1001 actual breaches and 107 data exposures, which often result from misconfiguration of cloud servers. More people were affected by the latter (156 million) than the former (145 million).
The ITRC claimed the stats show that cyber-criminals are gravitating to ransomware and targeted email compromises, using previously stolen log-ins and phishing tactics, and away from bulk theft of personal data.
“Ransomware and phishing require less effort, are largely automated, and generate pay-outs that are much higher than taking over the accounts of individuals,” it continued. “One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years.”
In fact, the average ransomware payment was $233,000 in Q4 2020, up from just $10,000 in Q3 2018, according to Coveware.
Phishing can also help attackers reap massive Business Email Compromise (BEC) profits. Total losses for BEC in 2019 reached $1.8bn, or half of all cybercrime losses reported to the FBI.
In terms of actual compromises, the ITRC recorded 878 cyber-attacks, with the largest share (44%) attributed to phishing/smishing and BEC, followed by ransomware (18%).
However, in spite of these macro-trends, ITRC CEO Eva Velasquez warned that the breach problem is not going away, with hundreds of millions of consumers still being impacted. The headline 2020 numbers may also have been skewed downward by the increasing popularity of supply chain attacks, in which only the initially breached company is counted as an incident even though many more of its clients may be affected.
For example, the ransomware attack on Blackbaud last year affected over 475 of its corporate customers and led to the compromise of information on 11 million people.
“Cyber-criminals are simply shifting their tactics to find a new way to attack businesses and consumers,” argued Velasquez. “It is vitally important that we adapt our practices, and shift resources, to stay one step ahead of the threat actors.”