ITRC’s 17th Annual Data Breach Report Reveals Near-Record Number of Breaches

Episode Notes

Transcript

[Music]

Intro: Welcome to Digital Detectives Reports from the Battlefront. We’ll discuss computer forensics, electronic discovery, and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice. Right here, on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 146th Edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, managed cybersecurity, and managed information technology firm in Fairfax, Virginia.

John W. Simek: And I’m John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives, our topic is, “ITRC’s 17th Annual Data Breach Report Reveals Near-Record Number Breaches.” Our guest is James E. Lee, the Chief Operating Officer of the Identity Theft Resource Center, otherwise known as the ITRC. A data protection and technology veteran, James is a former EVP and Company Secretary of Irish application security company, Waratek and former SVP and Chief Marketing Officer for Atlanta-based data pioneer ChoicePoint, which is now LexisNexis. He also chaired two working groups for the American Nationals Standards Institute on identity management and privacy. Prior to joining ChoicePoint, James served as a global public affairs and communication executive at International Paper Company. It’s great to have you back with us, James.

James E. Lee: It’s great to be here. Looking forward to the conversation.

Sharon D. Nelson: Well, we’re delighted to have you James. And since, as always, many folks are not familiar with the Identity Theft Resource Center, can you tell us a little bit about the organization and what its mission is before we get started on our discussion?

James E. Lee: Absolutely. The ITRC is a 20-plus year old nonprofit based in San Diego, California, and we basically have two primary missions. The first one is to provide free assistance to the victims of identity crimes. So we can assist somebody whose identities have been stolen or compromised. If they’ve been misused, we provide those services free of charge. The second part of our mission is education. And that extends to not just consumers, but also to businesses and government institutions, academic institutions, other organizations to help prevent people from becoming the victims of identity crimes, as well as understand the trends and the dynamics of the crimes themselves. Because they are always changing, so we do a lot of research around those topics to make sure we’re staying on top of the latest trends that could impact individuals and businesses.

John W. Simek: James, how many years has the ITRC published its annual report? And over those time periods on many years, I’m sure it is, has its mission or what it covers changed over time?

James E. Lee: It absolutely has. We published our first data breach report in 2006. In 2005, it was really the first year that data breaches kind of came into our popular lexicon. There was a number of breaches that year that made it into the media for the first time and we’ve published this report every year since. So this is our 17th report based on what occurred in 2022. And over the time the report has changed as well as the dynamics of data breaches have changed. You know when we first started this back in 2005 and collecting the data 2006 when we published it I was a board member at that time. I had just joined the ITRC, and most of the incidents that were publicly reported and that required a data breach notice under state law. Most of those involved paper. I mean, we were still very much in an analog world, if you think about it. It was because somebody left a file out that was stolen or it may have been misplaced, but in some way data was exposed. It could have been dumpster diving. Remember dumpster diving? That was a big deal. And I can’t tell you how many times somebody left their laptop at the TSA gates. As we went through right after the end of the machine they say, “I cleared security” then walk off and leave their laptop, which was unencrypted so all that data on that laptop. That was really the first time we saw digital information being exposed, it was because somebody left her laptop and security at the airport.

Now, let’s fast forward to today where instead of a majority of data breaches involving paper, now a majority involves cyberattacks, directly cyberattacks.

(00:05:01)

And within that there’s three primary causes of a cyberattack that lead to a data breach. The number of times an actual piece of paper causes a data breach notice were rapidly approaching low double digits. At some point, we may very well get to single digits on that kind of an attack. We still see lost laptops. We still see lost thumb drives and things of that nature. There’s still data tapes that get sent around from time to time, though still get lost. But for the most part, we don’t see the physical kind of attack that we saw nearly 20 years ago now.

Sharon D. Nelson: I feel like you’ve taken us through a time warp here, but you’re right. And I remember 20 years ago. We’ve come a long way, baby. So in this report this year, what was the single most important finding in your judgment?

James E. Lee: I think the thing that we found this year, it was actually a trend that started in late 2021 but it certainly came into full view in 2022, and that is the fact that we don’t know the primary cause of data breaches and that’s something we have not seen before. Historically, if you go back all the way back to 2005, most of the data breach notices included information that would tell us what happened and why, and what was done to prevent that from happening again. In this report, that’s not true. In fact, if you looked at, let’s go back just five years ago, you would see 98%, 99%, 100% of data breach notices giving attack details. In 2022, that dropped only 58%. So for the first time, the number one root cause of a data breach is not specified. So as a category that’s very troubling. We’re not getting the information. We think we know why, but there’s never any one factor. There’s always multiple factors, but a lot of it has to do with just some very practical elements. They’re not required to say that in a data breach notice in many states. So, even though organizations have volunteered that information historically, now they’re following the very strict letter of their states law, so you’re seeing less information that way. You’re seeing it as a matter of just corporate policy, we’re not going to share that information because it could at some point result in litigation from shareholders, result in litigation from the data subjects, or they just don’t believe it is in their corporate best interest to do it so they’re not doing it because they’re not required to do it.

Sharon D. Nelson: Well, they made headlines all the time. They didn’t like making the headlines, that’s for sure.

James E. Lee: That is absolutely true. And we also think that there’s still a significant number of organizations that are making the decision not to issue a data breach notice at all. Because remember, in the US because where data breach notices are creatures of state law not federal law, so there’s no uniformity. And most states don’t require any outside review of the decision to issue a notice or not. So there’s only a couple of states that do. So Oregon, for example, it’s a joint decision between law enforcement and the organization that was attacked. But every other state, it allows the organization who lost control of the information to decide, is there risk. If there is risk to the individuals who is the data subject, then they have to issue a notice. But if that organization decides there is no risk, then there is no notice. So we have a disparity around the number of breach notices in their entirety that over time is becoming more obvious that attacks are going up but somehow breeches aren’t staying in sync. So there’s a lot of dynamics around this year’s reports in the information because you’re seeing a very different approach in this last year to issuing data breach notices.

John W. Simek: James, a little bit deeper into the actual numbers, the number of victims from 2021 to 2022. I assume that 2022 was an increase. It seems to be everything, right? The ransomware attacks are going up. The breaches are going up. I assume the number of victims as gone up. But how much is that number changed and do you have an explanation for that increase?

James E. Lee: It’s a fascinating dynamic. We actually came close to setting an all-time high again this year, but we missed it by about 60. If you look at how the data breaches, which is never really a pattern that you can discern year to year, but last year there was very clearly a pattern during the year and that was we started out high with a lot of attacks.

(00:10:03)

We dipped through the middle of the year and then we came on strong at the end of the year. But in terms of victims, we saw a steady decline all year long until December. And most of the victim count, so if we look at the number of attacks there is 1,802 data breach notices, 1,802 compromises, and that compares to 1,862 the year before. That was the all-time high. But if you can look at victims, there are two breaches that account for more than 50% of the number of victims. So there are 422 estimated number of victims. So we say estimated, because we know there’s not 422 million Americans, especially not adult Americans. So there’s duplication in there, but we don’t know how much. But 422 individuals received notices this past year. But 221 million of that was because of Twitter and that happened in December.

Sharon D. Nelson: Twitter had a really bad year.

John W. Simek: Even though it shut down for a period of time.

James E. Lee: Yeah. Sometimes when it rains, it pours. It was not Twitter’s year in many respects. And there were also two other breaches that accounted for a significant chunk of what remains. So if we look at it, there was like 200 million roughly victims if you X out Twitter. Well, there’s still another 90 million of those that are directly tied to two breaches. One at organization called Neopets, which probably most people don’t remember. I know my kids played with Neopets when they were young. They were the little toys that you had to do something to it to keep it alive. It was just a digital toy, they’d walk around with it and it had made noises of really obnoxious and I tell my daughter to turn that thing off. But that data has been sitting there all these years. It’s all these people who are now adults in many cases if not all cases, all of a sudden their data was breached so they’re going, “I don’t remember that I have an account with Neopets.” So that that accounts for a significant number, that was 69 million victims there.

But there is another one that was 22 million, almost 23 million and that was AT&T data. Now it has said AT&T data because AT&T said they didn’t have a breach. They said yes that’s our data, but no it didn’t come from us. It must have come from some other third party who has access to our information. We just don’t know whom.

Sharon D. Nelson: That’s a little scary.

James E. Lee: Yeah, well. Again, this is one of those circumstances were AT&T says we are not issuing a data breach notice. We don’t have a legal obligation to do so, so we’re not going to. The only reason we know about the breach was because of cyber security researchers who found the data in an identity marketplace. So those 22.7 million people do not know directly that their information was compromised because no one notified them. Again, that’s one of those little quirks in the system that we really need to start paying attention to in ways we have not historically. So victims trended down, X those three really large breaches. The other thing about victims it’s interesting this year, is it’s two parts. That is the number of supply chain attacks really shot up. Now, if you don’t know what a supply chain attack, that’s where cybercriminal will go and they’ll look for a small vendor of a larger organization. Or they’ll look for a small vendor that has hundreds of companies in their portfolio business. So they have the data of hundreds of companies. And that’s what you saw targeted in big ways this year.

Some of the largest accounts were healthcare organizations because they have dozens and hundreds of vendors. And so those healthcare organizations vendors were attacked and they got all of the information, the patient information that they held. So those were big numbers, 3.7 million. In one case is 3.3 million, in another case 3 million. There was one just announced this week in February of 2023 that actually occurred in December of 2022 but they just announced the number of victims and the actual breach that occurred this year. Another large health system in the State of California with more than three million victims.

(00:14:54)

So this idea of finding a small organization attack one time, but get dozens to hundreds of organizations data, really coming to the forefront as a method of attack. We saw that in 2022. We are already seeing that trend that we saw last year continuing into 2023. So by the time we get to the end of this year, we’ll probably be having another conversation about supply chain attacks.

Last thing I’ll say about that one is, for the first time supply chain attacks surpassed malware as an attack method. So we talked about earlier about we used to have paper and how over time data breaches have changed, we don’t see paper breaches much anymore. Malware, what we traditionally think of is the cause of a data breach or of a cyberattack that there’s some sort of malware involved, it’s malicious software or you’re exploiting a vulnerability in software. We are seeing those number of attacks dwindle down. Out of the 1,800 roughly data breach notices last year, only 70 were related to malware. Now that compares to 117 supply chain attacks. Those malware attacks impacted a couple of million people, the supply chain attacks more than 10 million people impacted. So when it comes to supply chain attacks, the thing we to remember that it’s so easy for an identity criminal to attack one organization and get the data from dozens to hundreds. They’re going to do that every time. It’s low risk, its high return for them and we’re going to see more of that.

John W. Simek: Before we move on to our next segment. Let’s take a quick commercial break.

Sharon D. Nelson: As a lawyer, insurance is one of the last parts of your job you want to spend unbillable hours on, that’s why thousands of lawyers have switched to Embroker. Embroker offers A plus rated insurance for law firms. You can quote and buy instantly online. If you need help, they have experts on standby. Go from sign up to purchase in 15 minutes by visiting and embroker.com/law. That’s E-M-B-R-O-K-E-R.com/law.

Craig Williams: Today’s legal news is rarely as straightforward as the headlines that accompany them. On Lawyer 2 Lawyer, we provide legal perspective you need to better understand the current events that shape our society. Join me, Craig Williams and a wide variety of industry experts as we break down the top stories. Follow a Lawyer 2 Lawyer on the Legal Talk Network or wherever you subscribe to podcasts.

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is ITRC’s 17th Annual Data Breach Report Reveals Near-Record Number of Breaches. Our guest is James E. Lee, the Chief Operating Officer of the Identity Theft Resource Center, otherwise known as the ITRC. A data protection and technology veteran, James is the former EVP and Company Secretary of Irish application security company Waratek, and former SVP and Chief Marketing Officer for Atlanta-based data pioneer ChoicePoint, now LexisNexis.

John W. Simek: Well James, in our first segment you talked about the data breach notices and how they’re starting to lack some details. Can you give us a little more information about why some of that — you talked a little bit about why that happened, but a little more on that. And what specifically are the implications of that since we don’t have so many details anymore?

James E. Lee: Yeah. It’s really a fascinating circumstance where we find ourselves. One of the reasons why this is happening is we’ve had a number of federal court decisions around the country that basically say, if you cannot show actual harm of a data breach then you don’t have standing. So as a result, there are organizations that are making the decision that either were not going to issue a data breach notice, or if we do, we’re not going to include more information than we’re required because we don’t want to basically don’t want to do discovery for potential plaintiffs in our data breach notice. So that’s is a driver that a number of organizations have all come to the same conclusion. The risk here though is not so much to individuals but to businesses, because other organizations are subject to the same kinds of attacks. But if we don’t have good information sharing, they don’t get the information necessary to prepare for a similar attack if they have similar data, if they are a similar organization, or just they have similar technology systems.

(00:20:03)

They need the information about what other organizations have seen when they’re attacked so they can prepare. If we don’t have that in data breach notices, we don’t have that in other information sharing forms, which we don’t, then it puts those organizations at risk which ultimately puts all of us at risk because the data continues to be compromised as a result of organizations are not prepared well.

Sharon D. Nelson: Thank you, James. What were the statistics for 2022 regarding data breaches and exposure to unprotected cloud databases?

James E. Lee: That’s a very cool part of this report, is we’re seeing a steady decline in the number of cloud databases and cloud systems being both attacked and also people just frankly forgetting to put the password on the cloud database. We saw high numbers several years ago. Now we’re seeing far fewer compromises caused that way. So when you think of it, just a few years ago, we had nearly 100 and 200 in some cases data breaches resulted from somebody not preparing their cloud security correctly because they thought the cloud provider was going to do that for them. They thought it was going to be Amazon. They thought it was going to be Oracle. They thought it was going to be Microsoft. Now, everybody knows that’s not true. So we’re seeing that steady decline. In fact we’re almost, but not quite, into the single digits in terms of the number of compromises you can draw directly to an unsecured cloud environment. We are in single digits by the way, if it comes from a cyberattack, but we’re not quite there and those that are just compromised where the data is exposed but it hasn’t been stolen.

John W. Simek: So James, what about physical attacks though? And for the benefit of our listeners, if you could define that term. Did they have a downward trend in that regard?

James E. Lee: We do. We have a downward trend in physical attacks. We were still, and we talked you know when we were if we were having this conversation 15 years ago, that’d be the majority of the kinds of attacks. Last year we had 46 out of the 1,800. And when you think of a physical attack, it is exactly what it sounds like. There’s something tangible. It’s not an electron. It’s not some form of a digital asset. This is a physical thing you can touch, you can feel. It’s a document. It’s a device. It’s somebody took a document or a device and they didn’t dispose of it correctly. Those are physical attacks. And we saw the highest number within that category was device theft. So there again, that’s somebody was stealing something that was tangible to get data at. Those have been trending down for the last 10 years. They’re going to continue to trend down. They’ll never get to zero, but we will see very low numbers in that. Same thing with system in human errors. We’re getting much better at dealing with the kinds of issues that cause either a compromise or a cyberattack because of something that we do as humans or our systems, they fail because everything fails at one time or another but those numbers are getting lower and lower over time.

John W. Simek: Before we move on to our last segment. Let’s take a quick commercial break.

Female: As you know, it’s important to keep your voice down when you’re inside a library. But it would be really annoying to talk like this all the time. So I’m happy to say that even though the APA journal’s Modern Law Library podcast discusses a new book with its author every episode. It doesn’t take place inside a library, so we don’t whisper on the show. What a silly idea that would be. The Modern Law Library podcast, part of the Legal Talk Network. Follow along wherever you get your podcasts.

Adriana Linares: Are you looking for a podcast that was created for new solos? Then join me, Adriana Linares, each month on the New Solo Podcast. We talk to lawyers who have built their own successful practices and shared their insights to help you grow yours. You can find New Solo on the Legal Talk Network or anywhere you get your podcasts.

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is ITRC’s 17th Annual Data Breach Report Reveals Near-Record Number of Breaches. Our guest is James E. Lee, the Chief Operating Officer of the Identity Theft Resource Center, otherwise known as the ITRC. So are we getting the reports we used to get? What’s going on with all of this and what are the implications? If you would please, James.

(00:25:02)

James E. Lee: Sure. We’ve always wondered if we’re getting all the breeches people receiving the notices that other breaches that occur. And in some of that goes back to, we talked about earlier, about the way the state laws are structured, that every state has a different definition. So what may be require a notice in one state may not require a notice in the state next door as a matter of fact, or the kind of data that qualifies as being the trigger point, it’s going to vary from state to state. But generally speaking, we are of the belief that there are more data breaches occurring than data breach notices being issued. If there are 1,800 compromises last year, that works out to be about 7 per business day in the United States. Now let’s contrast that to Europe. Their privacy and their data security laws, which on this point are not too dissimilar from the U.S. except for one thing, and that is who you notify. If it’s 7 a day in the US, it’s 350 a day in the European Union. Now that is main consumers get that information, but that all important information about how cyberattacks are occurring that lead to data breaches, that information is being reviewed. It’s being generated and it’s available to share with other organizations to protect themselves because you have to notify a government agency. And then that government agency determines does a consumer have to be notified. So we’re confident that there’s a lot more that can be done to protect both businesses and individuals if we had a more robust and uniform data breach law.

John W. Simek: James, you give us a little bit of your predictions in the first two segments, but it’s crystal ball time. What do you predict we’re going to see as part of the 2023 report?

James E. Lee: Well, I’ve learned a long time ago that my crystal ball is kind of fuzzy, and I probably need to change the batteries. But I think it’s pretty clear, absent some other circumstances we don’t know about today, we’re going to see more supply chain attacks this year. We are going to see a return to the ordinary course of business with ransomware. We had a little dip last year because of the conflict in Ukraine, but now those cybercrime groups just kind of worked out their workload and they’re back to their almost business as usual.

John W. Simek: Work from home.

James E. Lee: Yeah, they’re all working from home now. So I think we’ll see ransomware return. It’s highly likely we will see another year of 1,800 plus perhaps higher data breach notice just based on what we’re seeing so far, and that impact because of the supply chain, the nature of the supply chain attack with a lot more victims than what we’ve seen over the last few years.

Sharon D. Nelson: Well, I certainly enjoyed the entire podcast, but I enjoyed our conversation pre podcast too when we were talking about what was a threat 20 years ago versus now, and it certainly has all changed a lot. But this was very engaging to learn about how the statistics have changed and why. And I think it’s kind of alarming, and I’m sure our listeners do too, that were not reporting nearly as much as we were. I understand the reasons but I don’t necessarily think it serves everybody well. But we’ll see how that turns out. Thank you so much for being with us today, James. It’s been a great pleasure and very, very instructive.

James E. Lee: Sharon, John, it is always a pleasure to talk to you and I look forward to this conversation about 12 months from now.

John W. Simek: See whether you got it right? Well that does it for this edition of Digital Detectives. And remember, you can subscribe to all the additions of this podcast at legaltalknetwork.com or in Apple podcast. And if you enjoyed our podcast, please rate us on Apple podcast.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, managed technology and managed cyber security services at senseient.com. We’ll see you next time on Digital Detectives.

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.