The number of reported data compromises in the US in 2023 increased by 78% compared to 2022, reaching 3205, according to the Identity Theft Resource Center’s (ITRC) latest report.
The number of victims of these data breaches reached 353,027,892. While this is still a staggering number, it represents a 16% decrease compared with 2022.
The ITRC said the number of victims is generally dropping each year because organized identity criminals now focus on specific information and identity-related fraud and scams rather than mass attacks.
Overall, the ITRC’s 2023 Annual Data Breach Report found:
- Nearly 11% of all publicly traded companies were compromised in 2023.
- Publicly traded companies withheld information about an attack in 47% of notices, compared to 46% for other organizations.
- Healthcare, Financial Services and Transportation reported more than double the number of compromises compared to 2022. While Healthcare led all industries in terms of the number of reported compromises in each of the past five years, Utilities companies led in the estimated number of victims in 2023.
- Supply chain attacks continue to impact more organizations and victims. The number of organizations impacted has surged by more than 2600 percentage points since 2018. The estimated number of victims has also risen by 1400 percentage points.
In a letter published in the report, ITRC CEO Eva Velasquez said: “The sheer scale of the 2023 data compromises is overwhelming. Just the increase from the past record high to 2023’s number is larger than the annual number of events from 2005 until 2020 (except for 2017).”
The majority of data compromises were linked to cyber-attacks. The report found that phishing-related and ransomware attacks were down slightly, while malware and zero-day attacks jumped significantly compared to previous years.
No Notice Data Breaches
The number of data breach notices without specific information nearly doubled year-over-year, according to the ITRC report. This is especially significant given the growth in the number of organizations targeted by supply chain attacks.
In 2023, more than 1400 public breach notices did not contain information about an attack vector compared to 716 in 2022.
The ITRC noted that there is a flaw in data breach notice laws: there is a significant gap between organizations that lost data and those that notify victims.
Reducing the Impact of Data Breaches
The ITRC suggests action in three areas that will help reduce the rate and impact of data breaches on individual and business victims:
- Uniform breach notice laws: The ITRC believes that state data breach laws and federal agency regulations can be more helpful to victims by adopting uniform provisions.
- Digital credentials & facial comparison systems: The expanded use of facial verification and digital credentials is crucial to reducing the number of identity crimes involving the use of stolen personal information.
- Improve vendor due diligence: Understanding the risk represented by vendors is imperative, including knowing the breach history of an organization.
The 2023 Annual Data Breach Report contains information on the ITRC's new Breach Alert for Business (BA4B) service that helps organizations verify vendors are meeting or exceeding a company's cybersecurity policies and performance.
The ITRC's BA4B service confirms vendors' previous data breaches and issues alerts if a vendor is the subject of future data compromises.