New data from the Identity Theft Resource Center (ITRC) shows record numbers of data breaches were reported in 2021, beating the previous record of 1,506 data breaches set in 2017 by 23%. A total of 1,862 data compromises were reported in 2021, which is a 68% increase from 2020. There was also a slight increase in the proportion of reported breaches involving sensitive information such as Social Security numbers, which rose from 80% in 2020 to 83% in 2021, although the percentage was well below the record of 95% set in 2017.
While data breach numbers broke records, there was a decrease in the number of individuals affected by data compromises, which fell 5% from 2020. ITRC says the continued decrease in the number of victims indicates identity thieves are increasingly focused on obtaining specific types of data rather than mass data acquisition.
The ITRC data show the number of ransomware attacks has continued to increase, with attacks doubling in each of the past two years. That trend looks set to continue in 2022, with ransomware overtaking phishing as the main cause of data compromises. The number of cyberattacks (1,603) increased in 2021 and exceeded the total number of data compromises in all of 2020. There were year-over-year increases in compromises in all primary sectors except the military, although no data breaches affecting the military have been publicly revealed.
One worrying trend is the number of individuals who have had their sensitive personal data compromised multiple times per year; another is the lack of transparency in data breach notifications. When data breach notifications are sent to consumers, the cause of the data compromise may not be revealed, which makes it difficult for affected individuals to assess the risk they face. In 2021, 607 companies did not disclose the cause of the data compromise in their data breach notifications, a 190% increase from 2020.
“We may look back at 2021 as the year when we moved from the era of identity theft to identity fraud,” said Eva Velasquez, ITRC President and CEO. “Many of the cyberattacks committed were highly sophisticated and complex, requiring aggressive defenses to prevent them. If those defenses failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud.”
The ITRC has warned there are no indications that the number of cyberattacks or data compromise events will decrease in 2022. Many organizations are struggling to protect the sensitive data they hold, so data compromise events may continue to increase. Given the high risk of the exposure of sensitive data, everyone needs to practice good data hygiene.
ITRC has also announced that it plans to launch a new free alert service later this year. Consumers will be able to register for the service and create a list of all companies they do business with. If any of those companies are added to the ITRC’s data compromise database, consumers will receive an alert, allowing them to take prompt action to protect themselves against identity theft and fraud.