ITRC’s 2021 Data Breach Report: Sobering Stats

Episode Notes

Transcript

Sharon D. Nelson: Before we get started, I’d like to thank our sponsors PInow.com and CaseFleet.

[Music]

Intro: Welcome to Digital Detectives Reports from the Battlefront. We’ll discuss computer forensics, electronic discovery, and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice right here on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 134th edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, managed cybersecurity, and managed information technology firm in Fairfax, Virginia.

John W. Simek: I’m John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives, our topic is ITRC’s 2021 Data Breach Report: Sobering Stats. Today, our guest is James E. Lee, the Chief Operating Officer of the ITRC. A data protection and technology veteran, James is the former EVP and company secretary of Irish application security company Waratek and former SVP and chief marketing officer for Atlanta-based data pioneer ChoicePoint, now LexisNexis. He also chaired two working groups for the American National Standards Institute on identity management and privacy. It’s great to have you with us today, James.

James E. Lee: Great to be here and thank you for asking.

Sharon D. Nelson: Let’s start, James, by seeing if you can tell our listeners a little bit about the Identity Theft Resource Center and what it does, because I frequently find that when I mention it, I get a blank look, so not everybody knows what great work you all do.

James E. Lee: The IRTC has been around for more than 20 years now, and we have sort of two parts to our mission. One part is to provide free assistance to the victims of identity crimes. That’s pretty straight forward and back when we started in 1999, that basically meant that somebody had lost control of your information on a piece of paper to where today, and what we’re about to talk about, is the environment’s very, very different.

The second part of our mission is education, and that is to help people prevent becoming a victim of an identity crime. We do have a wide variety of programs to help individuals as well as businesses and we provide assistance and research to government agencies as well.

John W. Simek: James, let’s get a little bit into the report. Perhaps the highest level finding at your report is that last year in 2021, there were more data compromises report in the US than any year since the first state data breach notice law became effective in 2003. In fact, the overall number of data compromises is up 68% over 2020. Did this finding surprise you and why do you think we seemed so helpless to prevent data breaches?

James E. Lee: It’s not so much that the increase surprised us. It was the level of the increase and some of the components within it. When we think about the previous all-time high, which was back in 2017, and that was a little over 1,500 data compromises.  At that time even, it was about 50/50 between cyberattacks causing a data breach compared to whether it was a human error or a system error or even the physical theft of information, but we fast-forward to today, what we just saw was 1,800, almost 1,900 data breaches publicly reported in the US but 1,600 of those are the direct result of cyberattacks.

And that’s very different than what we expected and it’s very troubling. And if you think about what I just said about what the previous all-time high was, 1,500, for all kinds of data breaches, from all root causes to just, in this last year, more than 1,600 from a single source, cyberattacks, that tells us that we’ve entered into a very, very different environment than what we’ve been in historically.

Now you ask about what we can do about it. From an individual standpoint, there’s very little unfortunately that what we can do to prevent data breaches. What we can do as individuals is to make sure that we do everything we can to make that information less than useful to an identity criminal. And as we progress in our conversation, that we talk about that, but there’s a couple of things that people should think about immediately.

One is, when you get a notice that says your information has been breached, don’t ignore it, and we know most people do, but don’t ignore it. And the single most important thing you can do when you receive one of those is to freeze your credit. Freeze your credit. The second thing is change your password, not just on the account that was breached, but make sure that you change any password we’re using that same one.

(00:05:00)

And we know that most people reuse the same password on all their accounts. It doesn’t help if you only change the password on the single account that was impacted. If you do those two things, you’ve done just about all you can do to protect yourself as an individual. There’s some other things, we will talk about those as we move through the conversation.

Sharon D. Nelson: Well, the report suggests that we may look back at 2021 as the milestone year when we officially moved from the era of identity theft to the era of identity fraud. Would you please explain the difference between the two and tell us why you think this change occurred?

James E. Lee: We kind of use the term identity theft as a generic term and it has some legal connotations, and every state defines identity theft has an offense and they define it a little bit different way than the federal government defines it. But what we do is we try to help people understand what’s actually happening here so they can they can take specific actions to protect themselves or their business is to break that down.

Identity theft is when someone steals your information. They steal your personal information. They may be stealing it from you or they may be stealing it from an organization, but it is that acquisition of data that is actually identity theft and what you do to prevent that and protect that is fundamentally different than the second part when we talk about these things of identity fraud, which is when that information that has been stolen is actually misused, when it’s used to commit a financial crime or a crime of impersonation or some other kind of fraud, because how you prevent that and how you protect yourself and how you respond to that is again very different than if it was just identity theft.

We try to break those apart so people can understand that things have changed and they have changed dramatically just in the last three years in reality, starting in the late 2018. And what has changed is the shift from the people who do this for a living, the professional cybercriminal is they’re less interested in attacking individuals and they’re more interested in attacking businesses.

Now, the way they do that more often than not, is they use the information of individuals, of individual consumers so that personal information is still very important to an identity criminal but they’re not coming after your resources, they’re coming after the resources of a business using your information. That is fundamentally different than any other time since there has been what we have historically thought of as a data breach. It is a fundamentally different time period and the way that these crimes are being committed reflects that and it’s changing and, in some cases, it’s accelerating.

John W. Simek: James, we understand that you’re about to launch a new free data breach alert service. Can you expand upon that a little bit?

James E. Lee: One of the things that we found both in our research and talking to people who have had data breaches, would have been affected by data breach, or they received a data breach notice is that how people react to that notice is kind of discouraging. And a lot of it comes down to both the form of data breach notice and the way it’s delivered to people doesn’t really help an individual know how to respond. They don’t really know what actions they need to take. They don’t really understand the threat that may exist because their information is now in the wild.

What we have done is we’ve created a mechanism where someone can come to the ITRC, this will launch later in Q1, they’ll be able to come to our website, and they’ll be able to enter the names of organizations that are important to them. Your bank, your credit card number, your health provider. You enter those names, create a list.

And then, if at any point in the future, those organizations come into our database having issued a public notice of a data breach, then you’ll get an alert from us telling you what happened, when it happened and then you will have access to our resources that can help you prevent that information from being misused, because just because it’s been breached doesn’t mean it’s going to be misused immediately. There is usually a lag and sometimes, it can be years, sometimes it can be very soon and sometimes it may never be misused at all. But the thing we want people to do is when they receive a notice is to take those preventive actions immediately so you don’t have to worry about if your information is going to be misused because it can be blocked.

Sharon D. Nelson: Well, that sounds like a great service actually, so we’ll be anxious to see that go live. Ransomware related data breaches have doubled in each of the past two years and while that’s certainly not a surprise to us since we investigate and remediate data compromises as part of our work at Sensei, it’s a scary stat. What has made ransomware breaches so widespread and what can law firms and other businesses do to prevent these breaches?

(00:10:11)

James E. Lee: That’s a big part of these trends we were just talking about where things have really changed in the identity theft world and the identity crime world. If we go back to 2018, which I just mentioned, that’s when we really begin to see data breaches caused by ransomware. And at the time, they weren’t that many, just a handful and the ransom demands were pretty low dollar, less than $5,000 and most of the amount that was paid, if there was any paid, was anywhere from a couple of hundred dollars to maybe a couple of thousand dollars.

Now, fast forward to where we are today and that has become the fastest-growing root cause of a data breach. Phishing attacks have been the primary root cause for years. Now, ransomware, as you noted, doubled every year for the last three years. We are on pace for that to become the number one root cause and the reason why is it’s easy. It’s easy to commit a ransomware attack. It’s highly unlikely that you’re going to get caught if you do and you’re going to make a lot of money when you do it.

For the identity criminal, it’s a win-win-win situation. It’s a low barrier to entry and you’re going to make a lot of money, and you’re not going to get caught, and if you do get caught, not much is going to happen to you because you’re probably not in the United States, you’re in another country.

Those factors combined kind of lead us to this point where ransomware is now not a — every so often, it’s a very often and we actually have seen now ransomware payments in the tens of millions of dollars, not a couple of hundred dollars. The average now payment is in excess of $300,000. Demand is in excess of several million dollars.

This is a situation where, again, we’re using the information of individuals, of consumers, but they’re using it to attack businesses and it’s not just big businesses, the gig numbers get people’s attention and draws media attention, but the reality is these ransomware attacks are happening against small businesses, medium businesses, very large businesses and every kind of sector. Hospitals, in retail, in government services, again, headline-grabbing, but things like water systems and the entire computer systems of cities like the City of Atlanta, the City of Baltimore, and where entire city services are offline for months, or in the case of businesses, they can be out of business for a period of time not being able to serve their customers. And in hospital setting, obviously, something that would be very troubling is not being able to provide patient care.

Ransomware is a very serious issue both from a cybersecurity perspective, but also from the data protection perspective because people are stealing individual’s data so they can go commit these ransomware attacks and they do it because they want their logins and passwords. That’s what is getting the threat actors into these organizations increasingly is they don’t have to break in using some sort of sophisticated cyberattack. They don’t have to have some sort of hacking event that most people think of when they think of cyberattacks, they just walk right in because they’ve got a legitimate login and password that’s been stolen from an individual.

Sharon D. Nelson: We’ve also started to see them going to the insiders and offering a percentage of the ransom if an insider will turn over the access.

James E. Lee: And if you want to look at what — this always fascinates people when I have these conversations is because we think that our social security number is the single most valuable piece of information we have. That’s not true. Do you need to protect it? Absolutely. Is that valuable? Absolutely not. It’s worth about 2 bucks.

Your Gmail account is worth between $80 and $100. If you are the administrator of a business email system, your administrator password is worth hundreds of thousands of dollars to an identity criminal. That’s one of the things we have to sort of get our heads around is the world has changed and it’s not that we have to stop protecting the information we’ve been protecting for the last decade. It’s we’ve got to start protecting other kinds of information with the same level of care.

John W. Simek: Before we move on to our next segment, let’s take a quick commercial break.

(00:14:47)

[Music]

Sharon D. Nelson: What could be more important than knowing the facts of your case inside and out? CaseFleets Powerful Software makes it easy to create a chronology of each case and to track the evidence for each fact. With an intuitive interface, full text search and built-in document review, CaseFleet makes fact management easy. Sign up for a 14-day free trial at casefleet.com/DigitalDetectives and get 10% off your first subscription.

[Music]

Male Speaker: Does your law firm need an investigator for a background check, civil investigation or other type of investigation?  PInow.com is a one-of-a-kind resource for locating investigators anywhere in the US and worldwide.  The professionals listed on PInow understand the legal constraints of an investigation are up-to-date on the latest technology and have extensive experience in many types of investigation, including workers’ compensation and surveillance.  Find a prescreen private investigator today.  Visit www.PInow.com.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is ITRC’s 2021 Data Breach Report: Sobering Stats. And our guest is James E. Lee, the Chief Operating Officer of the ITRC.

John W. Simek: Sharon and I were surprised by your finding that data breach notices do not reveal the root cause of a compromise and that they grew by more than 190% since 2020. Why do you think that’s the way it is?

James E. Lee: At this point for us, it’s more speculation probably than anything else. And these cases, it’s never any one reason. There are so many of the government agencies who publish breach notices that are a source for us, have been short-staffed and underhanded. The organizations themselves who are issuing data breach notices are short-staffed and overwhelmed these days.

At the end of the day, there’s two factors here that we have to pay attention to though and that is, one, without that kind of information, it leaves other organizations and individuals a little bit of at a disadvantage because what the real value of these notices beyond the individuals who are personally impacted is, it helps other organizations know what kind of attacks are occurring and what they should be preparing for in their own organization.

It also heightens the sensitivity of people who were not impacted, that well, maybe I need to go and check to make sure I’m protected as well. But when you don’t have the information, it’s problematic. And the other thing this is indicative of is every state defines personal information differently. Every state sets a different trigger for when a notice is required. And most states, in fact I think it’s all states but Oregon, actually allow the organization who lost control of the information to determine if a breach notice is even required. Oregon requires a law enforcement review.

And so, I think we’re also seeing more organizations just decide they’re not going to issue a notice or they’re not going to issue a notice directly to the individual. Some states require to go to the attorney general as well as the individuals, so a lot of this is about the difference in this patchwork quilt of requirements for notices.

One last thing, if you want to think about it, in a country our size, there are about five breach notices issued every day. In the European Union, which has a similar breach requirement, the most of the states do, but a little stronger, there are 356 notices issued per day on average. There’s a lot of data breaches that are going unreported. We just don’t know how many.

Sharon D. Nelson: We’ve been saying that for a long time as well, but those numbers are really kind of staggering.

John W. Simek: Wow. You said sobering stats? You just got it.

Sharon D. Nelson: Yeah, that’s a sobering one, all right. Make sure they do a transcript of this one because I want to get back to that. Can you explain to us what a supply chain attack is and why your reports data says that in 2021, supply chain attacks would be classified as the fourth most common attack vector, if they were classified as a standalone cause such as phishing, ransomware, malware, et cetera.

James E. Lee: A supply chain attack, most of your listeners know or are very familiar with the supply chain, it’s essentially, it’s looking for the weak link and attacking an organization that gives you access to multiple organization’s data. And we’ve seen an increase in those kinds of attacks over the last several years to the point where because they’re cyberattacks, they kind of get hidden by the broader category of a cyberattack, but within that, we’re now seeing more organizations being attacked so they can get access to the information of multiple organizations.

Thinking from the perspective of a cyber criminal, why would I attack 10 companies when I can attack 1 and get the information for all 10? That’s what’s happening. And we have had some extraordinarily large supply chain attacks over the last several years.

(00:20:19)

And you’re also seeing just pure cyberattacks in this vein as well, the SolarWinds attack, which occurred at the end of 2020 was a supply chain attack. Didn’t involve data, but that was a supply chain attack. The one that is probably most prominent that people may be aware of as a supply chain attack against Blackbaud, which is a tech company that supports colleges, universities, health care systems, nonprofits, more than 500 organizations, nearly 600 organizations impacted by that single attack that also touched an estimated 12 million people.

It’s a very efficient way of attacking people if you’re a cybercriminal, but if you’re an organization, it can be problematic and that’s why you’re seeing some of the new privacy laws being looked at by states requiring organizations to essentially certify that not only are your cybersecurity practices solid, so are those of your vendors and your vendor’s vendor, if you’re in the state of California, for example. We’re going to see these kinds of attacks also increase over time, but we are seeing also some responses from government regulators on how to help address those.

John W. Simek: I know Sharon and I have always had issues as we deal in the cyber world with these carbon-based units, they called humans. Can you talk to us a little bit about human errors and how they’re often part of the cause of these data compromises?

James E. Lee: If there is good news in these numbers, one of them is we see the continuing decrease in the number of attacks that are directly attributable to a human error. They still happen but not at the rate they did. And even something that was just a few years ago was very problematic, and that was where, as we were moving to the cloud, companies moving their information into cloud environments, often times you’d see that somebody forgot to put the password on the cloud. Kind of cybersecurity 101, but hey, we’re all human, we all make errors.

We’ve even seen those kinds of issues come down, but the problem is even when those issues when they occur, even though there may not be very many of them, they tend to impact a lot of individuals because those cloud databases tend to be huge. If you look at the number of individuals impacted this last year, almost half of them were just because somebody forgot to put a password on a cloud database.

Sharon D. Nelson: That’s really amazing. Tell us what types of data are most often compromised and what they are used for.

James E. Lee: No surprise, the single most often compromise piece of data is your name and it’s used for most everything involving some sort of identity crime. The natural thing that you would see would be social security numbers, your date of birth, things like that. Now, just because that information though is part of a data breach doesn’t actually mean it’s going to be used and that’s kind of back to we’re talking about a minute ago, what’s the relative value of the information that’s being stolen?

A social security number has very low value because it’s already out there. It may have been involved in a data breach, but that doesn’t mean anybody’s going to use it because they already have most of them. What we’re seeing though that’s different this year is driver’s license. Driver’s license have not been a big target for most identity criminals because unless you’re trying to get into a bar when you’re underage, there’s not a lot you can do with driver’s license. But now, because more organizations, particular government organizations are using a driver’s license as part of the identity authentication process they use, all of a sudden, those drivers licenses which have pictures on them are far more valuable.

If you look, you go again back to the what’s that price list on the dark web? Well, a driver’s license, photo of you and a driver’s license, doesn’t even have to be your driver’s license — photo of you and a driver’s license is worth about 100 bucks on the dark web. An actual false driver’s license can be worth, depending on what state it is, anywhere between $80 and $100. We’re seeing more driver’s license information being stolen and misused that we’ve ever seen before.

John W. Simek: A good reason why the IRS got rid of that facial recognition, huh?

Sharon D. Nelson: Now the trademark office needs to do the same thing.

James E. Lee: It’s interesting how that all is going to play out. When you think about how identity criminals, because they’re very smart. They may not have high morals or ethics, but they’re very smart. They will find the way to use just about any data they can get their hands on and it’ll be interesting to see now do we see them continue to use driver’s license in ways we haven’t thought of or seen in the past. Once they start something, they generally don’t stop. It will be interesting to see if the demand for that does go down next year.

(00:25:17)

John W. Simek: I suspect that there’s probably a question we didn’t ask it all but would be something really great. What would that question be in and how would you answer it?

James E. Lee: Well, the question would be gee, is there any good news in this report? I’m always one to look for the silver lining. The answer to that is, why, yes, James, there is and it’s this. We’ve seen the number of individuals impacted by data breaches drop. Now, it’s dropped each year for the last three. That’s a good thing. Now, there’s still too many people who are being impacted, but the reality is because identity criminals are being very strategic about who they attack and how they attack and what information they need to accomplish that attack, they’re just not stealing as much information. They’re looking for very specific kinds of information so that means they have to go to more places, so there’s more cyberattacks, but how that translates to the individual is fewer people being impacted directly.

Now, when we talk about fewer people, we’re still talking about somewhere in the neighborhood of 295 million people, but that includes people that have been impacted more than once in the same year and there’s too many of those people as well. That’s a good trend. We need to figure out how to, though, continue to drop the number of victims and figure out a way to also drop the number of attacks.

Sharon D. Nelson: You found a great last question in that silver lining, so thanks for that and thank you for being our guest today, James. The sobering statistics were fascinating. I’m sure that some of what you said was a revelation to our listeners and the conversation about everything here is just fascinating to many people. And I think some folks have a better idea of how to protect themselves as well. And your resource is definitely a great one, which is wonderful. We thank your organization for all it does. Thanks for being with us.

James E. Lee: Thank you for asking, and look forward to talking to you again sometime.

John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com, or in Apple Podcast. And if you enjoyed our podcast, please write us on Apple Podcast.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics technology and cyber security services at senseient.com. We’ll see you next time on Digital Detectives.

[Music]

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.

The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.

Podcast transcription by Tech-Synergy.com