US data breaches up 13% versus 2022 with Q4 still to go

According to the Identity Theft Resource Center’s Q3 2023 Data Breach Report, there were 2116 reported US data breaches and leaks in the first nine months of 2023, already beating the previous all-time high of 1862 for a full year, set in 2021, with a whole quarter still to go.
The record figure is despite a 22% decline in Q3 from the previous quarter. Also, the ITRC counted an estimated 234 million victims from these breaches, 45% less than the 425 million individuals impacted by incidents last year.

Also notable: zero-day attacks trended up 1620% in the first three quarters of 2023 versus the whole of 2022, and, due to the global MOVEit software attack campaign, supply chain attacks remained a major threat in Q3, with 1321 organizations reporting breaches due to attacks on 87 third parties. Four of the top 10 compromises in Q3 were caused by the MOVEit campaign.

A persistent concern is the lack of transparency from breached organizations, with 53% of reported breaches not offering any explanation of the initial attack vector.

Craig Harber, Security Evangelist at Open Systems, had this comment:

   “The rise in cyber breaches and the lack of transparency from impacted companies is not surprising. Frankly, most do not see the point because the attacks are predominantly generated from overseas and it is unlikely that law enforcement will offer any significant assistance to restore operations or prevent stolen data from switching hands. As a result, organizations focus their limited resources towards correcting internal deficiencies, ensuring that this doesn’t happen again, and fulfilling their legal obligations of notifying affected parties and regulators.

   “The new cyber incident reporting laws announced in recent years act on the long-held view that information sharing is vital to national security and private sector cyber-readiness. It is a major step forward from what has traditionally been ad hoc, industry-specific guidance for voluntary disclosures by companies that have experienced cyberattacks.

   “The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law last year. It required the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

   “In addition, the Securities and Exchange Commission (SEC) established cybersecurity risk management, governance, and incident reporting requirements. These new requirements will apply to foreign private issuers and U.S. public companies with compliance deadlines starting at the end of this year.”

Paul Valente, CEO & Co-Founder of VISO Trust, follows with this:
   “The Q3 2023 Data Breach Report by the Identity Theft Resource Center highlights a growing threat to CISOs and businesses. With 2116 data breaches in the first three quarters of 2023, exceeding the 2021 record, it’s imperative to focus on third-party risk management and adapt to evolving attack surfaces.

   “The rise in zero-day attacks and supply chain vulnerabilities, as exemplified by the MOVEit software campaign, underscores the growing urgency for robust cybersecurity measures. Organizations should also prioritize transparency, as 53% of breaches lack explanations about the initial attack vectors.”

This is really bad and shows that everyone needs to buckle down on making sure that environments are as secure as possible. And organizations that get pwned need to own up to it rather than hide it. Period.
