Data Breaches Just Keep Piling Up

The MOVEit and GoAnywhere breaches and another T-Mobile breach grabbed headlines this year, but these incidents were just a few among many in 2023. If you feel like you can hardly go a day without seeing news of yet another data breach, it isn’t just your imagination. Data breaches have been on a meteoric rise over the past decade.

Apple commissioned an independent study to dive into the numbers and reasons behind the billions of records that have been breached in just the past couple of years. With the massive amount of data that is being generated and motivated threat actors, will staggering breach numbers simply be inevitable?

Billions of Records

The Apple study, conducted by Massachusetts Institute of Technology professor Stuart Madnick, Ph.D., indicates that more than 2.6 billion personal records were breached in 2021 and 2022. And that trend shows no signs of slowing. In the first nine months of this year, the number of data breaches in the United States has jumped 20% compared to 2022 as a whole.

It is worth noting that the amount of personal data that companies gather and store has increased exponentially in recent years, and it is unlikely to slow given the value of having access to troves of data.

“Companies are processing more and more personal information, both internally and through third parties. The more personal information that is processed and/or shared with service providers or third parties amplifies the potential risk area wherein data can be compromised,” Erin Illman, a partner and privacy attorney with national law firm Bradley, tells InformationWeek in an email interview.

Related:Security Questions to Ask After the ZeroedIn Breach

Where that data is being stored is a considerable factor when evaluating breach trends. A total of 82% of breaches involved data stored in the cloud: public, private or across multiple different environments, according to the Cost of a Data Breach Report 2023 from IBM Security.

The migration to the cloud has had clear benefits, but threat actors are clearly paying attention and capitalizing on vulnerabilities. Sourya Biswas, technical director, risk management and governance at security consultancy, NCC Group, points out that cloud service providers operate on a shared responsibility model. “Cloud providers are responsible for security of the cloud and the customers are responsible for security in the cloud,” he explains.

Cloud misconfigurations can lead to significant data breaches. This year, Microsoft AI accidentally exposed 38 terabytes of sensitive information due to a cloud misconfiguration, according to TechCrunch.

Related:Damage Control: Addressing Reputational Harm After a Data Breach

The attack surface is growing in large part because of the interconnected nature of business and technology. Most organizations use a variety of third-party vendors to operate, and any vulnerabilities and resulting breaches at those vendors can have a ripple effect. Nearly all organizations (98%) work with a vendor that has been breached within the last two years, according to the Apple report.

Outsourcing is often necessary, but it means that organizations do not have full control of their security. Even if an organization conducts due diligence on a vendor, does that mean that vendor is maintaining their security practices? “Once you're working with a vendor there's no guarantee that those security practices are still being followed unless you have a very robust monitoring process,” says Biswas.

Personal data is valuable to threat actors, and they continue to target organizations that safeguard that information via ransomware attacks. Earlier this year, ransomware attacks were declining, but it seems that was a temporary lull. The Apple report notes that ransomware attacks surged 70% in the first three quarters of this year compared to the first three years of 2022.

Ransomware groups are becoming more organized and targeting organizations that store sensitive information in the pursuit of financial gain.

Related:FTC to Require More Data Breach Reporting, Security Plan

“Really, it is misleading to call them groups. They are enterprising businesses that are well resourced, have entire supply chains of third parties (such as initial access brokers and ransomware negotiation providers), and are successful at generating profit,” Heather Gantt-Evans, CISO of card issuing and payment solutions company Marqeta, tells InformationWeek via email. “It is no surprise that this successful business model is being replicated.”

Individual Impact

With billions of personal records being exposed, it can be easy to forget that a data breach, particularly one involving sensitive information, can cause individual harm. Compromised information can have consequences that impact a person’s finances, privacy and personal safety.

Earlier this year, hackers stole and leaked data from genetic testing company 23andMe, claiming they had gathered a list of people with Ashkenazi Jewish heritage. More information came to light, and hackers accessed the personal information of approximately 5.5 million people, according to TechCrunch.

The Apple report also pointed to a breach of Minneapolis Public Schools in March. The breach exposed more than 300,000 sensitive files that included incredibly private student information on sexual assaults, abusive homelife and mental health.

Individuals have may control over what personal information they share in some circumstances, but often they do not. People need to receive health care, for example, and they must share sensitive data that has the potential to be swept up in a breach.

Protecting Data

The proliferation of data, motivated threat actors seeking to exploit vulnerabilities, and a sprawling attack surface make protecting data a challenge. But there are ways for defenders to evolve and reduce the number of breaches.

For example, enterprises can evaluate their cloud security policies to prevent the deployment and subsequent exploitation of misconfigurations. Additionally, the Apple report emphasizes the importance of end-to-end encryption to improve cloud data security.

“In addition to encrypting data at rest and in motion, there are solutions emerging that provide decentralized storage of fragmented and encrypted data that is worthless to attackers but automatically reassembled when required by authorized users,” says Gantt-Evans.

Emerging solutions like these can be powerful tools, but effectively safeguarding data requires a holistic approach that encompasses not only technical solutions but also training, incident response and buy-in across all stakeholders.

“In order to successfully implement the mechanisms necessary to … protect data, educating decisionmakers and supporting compliance initiatives must be addressed at the top of the organization with clear implementation processes throughout the company as a whole,” says Illman.