Data breaches reached new highs in 2023, smashing old record
The number of reported compromises was 72% higher than the previous record, the ITRC reports.
Data breaches hit a new record in the U.S. this past year, with 3,205 reported data compromise events, according to the Identity Theft Resource Center (ITRC).
The record level of events seen in 2023 was around 72% higher than the previous record of 1,345 that was set in 2021, the ITRC reports. The number of events seen during 2023 was also 78% higher than the total for 2022.
Although the number of data breaches reached a new high, the number of victims affected in 2023 declined 16% compared with the year prior.
“These are startling findings, but they are a stark reminder that there is much work to be done to improve data protection and help victims recover when their personal information is misused,” Eva Velasquez, president and CEO of the ITRC, said in a release.
According to the ITRC, a major driver of the increase in breaches is the growth in supply chain attacks, which can potentially impact thousands of individuals and businesses. Additionally, regulations around breach notices are outdated, which results in businesses underreporting or not reporting events.
These outdated notification guidelines result in victims being left in the dark when it comes to what happened during a data breach event as well as what to do next, according to James E. Lee, chief operating officer for the ITRC. During the past 12 months, more than 1,400 public breach notices did not contain any information about the attack.
Lee explains that the lack of details in notices is driven by decisions made by federal courts in recent years regarding who can file a lawsuit following a data breach.
“You had one set of courts say that you must have actual harm as a result of a data breach to be able to sue, but then another set of courts said, ‘no, there only has to be the risk of harm,’” Lee says.
Ultimately, federal courts determined, for the most part, that actual harm had to have occurred for a victim to have standing to sue. Following that decision, legal counsels started urging companies to be extremely selective in the types of details they included in breach notices in hopes of limiting the information that could be used in a lawsuit, according to Lee.
“From 2005 to 2021, 99% or 100% of data breach notices had information about what happened. Then you started seeing a decline. Now, after a cyberattack, more than 50% of notices do not have any information. That creates a whole new kind of risk.”
Further, Lee says that recent findings prove what the ITRC has long held as a truth: In many cases, companies simply do not issue any breach notice at all.
“That’s OK in many circumstances because state laws allow them to do that,” he says, explaining state laws often allow companies to determine if a data breach will result in a risk that would require disclosure to victims.
Avoiding missteps, tailoring policy requirements
While the scope of data breaches in the past year was frightening, businesses are far from helpless and insurance carriers can play a vital role.
Lee explains that every year attack vectors change, the effects of data breaches shift and how organizations react varies. This makes underwriting these risks extraordinarily difficult.
“One of the things that is going to be very important going forward for cyber insurance and the stability of the market, as well as individual carriers, is looking at and mandating within a policy certain best practices,” he says.
However, these security requirements should not take a one-size-fits-all approach, Lee cautions. Prudent underwriters will understand the particular risks a company faces and make sure the right policy is accompanied by procedures and rules tailored to that organization.
Sculpting those requirements will require a deeper understanding of cybersecurity measures and processes, Lee says, citing as examples the advantages certain types of software protections can offer and the vulnerabilities specific applications might have.