New statistics compiled by the Identity Theft Resource Center (ITRC) have revealed that there were far more reported data breach incidents in 2023 than in any other year. And yet, compared to 2022, the overall number of estimated victims declined by 16 percentage points.
Altogether, the ITRC counted 3,205 compromises in 2023 – a whopping 72 percentage point increase over the year 2021, which held the previous highwater mark. However, the total victim count of approximately 353 million was in keeping with the “general trend of the number of estimated victims dropping slightly each year,” the ITRC stated in a January 2024 report.
These data points might sound contradictory, but the ITRC report offered a theory behind this phenomenon: Rather than performing mass attacks, organized identity criminals are strategically choosing their targets by parsing through their wealth of stolen data and then “focusing on specific information and identity-related fraud and scams.”
That’s troubling when you consider the amount of highly personal information that’s out there for malicious actors to exfiltrate and then use to enable impersonation scams and fraudulent account creations or takeovers. Industrial espionage and extortion are also on the table for cybercriminals who are less interested in identity-based cybercrimes.
Indeed, it’s not uncommon these days for data breaches to involve information that extends beyond just basic PII (which is bad enough when stolen).
Consider the data breach that took place in October 2022 against biotech firm 23AndMe. According to the company’s SEC disclosure, a breach affecting 0.1% of its customers allowed malicious actors to access “a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature.”
More recently, a ransomware-driven data breach in January 2024 impacted Schneider Electric’s Sustainability Division, which consults with enterprise clients on strategies related to eco-friendly practices, social responsibility and economic viability.
Now think about how clever fraudsters could use high-profile individuals’ personal information (perhaps stolen from a company like 23AndMe) or various clients’ corporate secrets (perhaps lifted from a professional services firm like Schneider Electric’s Sustainability Division) to craft a clever business email compromise scam designed to phish, fool or impersonate those same individuals or clients, or perhaps their co-workers or partners.
These disturbing possibilities, along with the ITRC’s latest findings, are a reminder that users and consumers should think twice before openly sharing highly personal data, and that online services must act as responsible stewards of any customer or client data they collect.
There’s no perfect solution to stop all data breaches, but it’s wise to adopt a defense-in-depth strategy that relies on multiple layers of data/network security solutions capable of detecting and responding to signs of unwanted intrusions, and then mitigating these breaches promptly before attackers can inflict a heavy toll. Companies should also encrypt data when possible and establish stringent policies for data storage, management and deletion.
As for identity-based crime that results from breaches, the ITRC in its report specifically recommended that online services boost their anti-identity fraud efforts through the “expanded use of facial verification and digital credentials,” because data alone unfortunately can “no longer be trusted as the sole source of truth about a person’s identity in most processes.”
