“That’s troubling news on its own, but when you consider the ITRC’s recent study on what people do after receiving a data breach notice — which is very little — it’s clear that there is so much more we all need to do in terms of preventing identity crimes and compromises.”
The center’s third quarter report shows that as of Sept. 30, data compromises rose by nearly 17 percent over all of 2020. The report found that nearly 281.5 million people were victims this year.
There were 1,291 data compromise events so far this year, compared to 1,108 in all of 2020. The previous record was 1,529 in 2017.
Most consumers have been the victim of a data breach and more than half of social media users have had their accounts compromised, according to a new survey of 1,050 adult consumers in the U.S. by the resource center and DIG.Works, a consumer research company.
The survey found:
- 16 percent of respondents took no action after receiving a data breach notice.
- 48 percent changed the password only on the breached account.
- 22 percent changed all of their passwords.
- 3 percent of respondents took the most effective action, which is to use a credit freeze to block new accounts from being created.
- 15 percent of respondents use a unique password for each account, and 13 percent don’t think strong and unique passwords are important.
“Overall, consumers report a high level of awareness of data compromises and the range of actions they can take to protect themselves before and after a data breach,” according to the resource center’s analysis of survey results.
“However, there is a significant gap between the level of awareness and actions taken by consumers that leave most people vulnerable to additional attacks and a continuing risk of identity crimes.”
More than a quarter of those who took no action after a breach notice said they failed to act because “my data is already out there.”
Twenty-nine percent thought the organizations responsible for protecting their data would address the issue, and another 17% said they didn’t know what to do.
Fourteen percent thought the notice itself was a scam, the survey found.
The resource center recommended that organizations do a better job of notifying consumers of data breaches.
Data compromises include breaches, exposures and leaks. An exposure, typically caused by a system or human error, is generally considered lower risk because there is no indication information was accessed, copied or removed.
One bit of positive news in the third quarter report is there were zero data compromises attributed to skimming devices, as the use of chipped payment cards has steadily risen.
But data compromises were higher in nine of 13 sectors compared to 2020, with financial services, manufacturing and utilities, and education experiencing the largest increases.
Credit: Contributed
Credit: Contributed
Cyberattacks are the primary cause of all data compromises and those attacks were up 27 percent over 2020, according to the third quarter report. Six cyberattacks against unsecured cloud databases exposed 48 million victims in the third quarter alone, the report said. Another 99 million people had their data exposed when 20 organizations failed to secure cloud databases, the report said.
Phishing and ransomware attacks accounted for the bulk of cyberattacks in 2021.
Phishing is a fraudulent email or website masquerading as a legitimate business or person. Ransomware is malicious software — or malware — that hackers use to infect a computer network, locking out the owner by encrypting the data. The hacker demands money in exchange for a key to restore access and agreeing not to publicly release or destroy stolen data.
Prominent ransomware attacks last spring disrupted operations of Colonial Pipeline Co. and meatpacker JBS.
Cybercriminals exploit lax security protocols and the stolen personal information like logins and passwords available on the dark web to make their way into computers.
“Most attacks they start at a user. They start with an employee,” said Kyle Jones, associate professor and chairman of computer science and information technology at Sinclair Community College. “They start with that single entry point.”
It is crucial to have robust password protocols requiring 12-15 letters and special characters, and to require multifactor authentication, said Gordon Elder III, founder owner of No Name IT of Dayton.
Credit: Contributed
Credit: Contributed
He and other cybersecurity experts say companies should install protective software on computer networks, use virtual private networks for remote work, and do regular data backups that are stored off site. All security patches issued by suppliers and manufacturers should immediately be installed on all computers, servers, and other equipment.
“These are known vulnerabilities and now it’s a race,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Once the provider releases that patch and they’ve gone on record saying here are the vulnerabilities and how you fix them, it’s a race between you patching it and the thieves.”
| Publicly reported data compromises - U.S. | ||
|---|---|---|
| Year | Events | Victims |
| 2021* | 1,291 | 281.5 million |
| 2020 | 1,108 | 310.1 million |
| 2019 | 1,279 | 883.6 million |
| 2018 | 1,175 | 2.2 billion |
| 2017 | 1,529 | 1.8 billion |
| 2016 | 1,105 | 2.5 billion |
| 2015 | 785 | 318.3 million |
| * 2021 is of 9/30/21 | ||
| Source: Identity Theft Resource Center |
Follow @LynnHulseyDDN on Twitter and Facebook
About the Author
