U.S. Consumers and Organizations Reported All-Time High Number of Data Compromises in 2021

Individuals and organizations in the United States reported a record-high number of data compromises in 2021. The Identity Theft Resource Center (ITRC) announced the overall figure of data compromises of 1,862 from almost 294 million victims in 2021 is a 68 percent increase from its 2020 report of 1,108 publicly reported data breaches from 310 million victims. The 2021 data on reported compromises is a 23 percent increase over the previous record of 1,506 publicly reported data breaches reported in 2017. However, the number of victims who reported data compromises in 2021 decreased about 5 percent from 2020 and the number of victims dropped to the lowest since 2015.

James Lee, chief operating officer with the ITRC, shared these findings from the nonprofit’s 2021 Data Breach Report during the two-day online conference, “Identity, Authentication, and the Road Ahead: A Cybersecurity Policy Form.” The event was presented by the Better Identity Coalition, the FIDO Alliance and the Identity Theft Resource Center on January 24, 2022 and January 25, 2022.

Cyberattacks Shot Up Big Time

There was a significant increase in overall data breaches, specifically those associated with cyberattacks at 1,613 breaches in 2021 versus 878 in 2020 (supply chain attacks were included in the 2021 cyberattack data), according to Lee. He also said there were more cyberattacks in 2021 than every type of data compromise reported in 2020. If supply chain attacks were considered a separate category, it would be the fourth most frequent kind of attack, which has increased year over year and could catch up to malware, which has been flat over time, Lee said.

He also mentioned that sensitive information compromises were up slightly (83 percent in 2021 versus 80 percent in 2020), but below the all-time high of 2017 when 95 percent of every breach included some form of sensitive information. There was a big jump in drivers’ license compromises in 2021 because of the higher demand that people use this form of identification to authenticate their identity to access certain accounts.

Cyberattack Vectors in 2021

Source: The Identity Theft Resource Center’s 2021 Annual Data Breach Report

Data Compromise Trends

Source: The Identity Theft Resource Center’s 2021 Annual Data Breach Report

Compromised Data Types

Source: The Identity Theft Resource Center’s 2021 Annual Data Breach Report

Some Stolen Data is Not Valuable to Crooks

While more people reported that their Social Security numbers were compromised in 2021, it doesn’t mean that criminals sold them, Lee said. He cited data supplied by Privacy Affairs, a group that tracks the value of data elements on the dark web, which shows a selfie photo from a U.S. citizen is valued at $100.00 and a U.S. Social Security number is valued at $2.00 on the dark web due to the ubiquity of this information. The scan of a New York driver’s license is worth $80.00 on the dark web. Login information and passwords associated with Gmail are worth $80.00 on the dark web.

“So the relative value is not reflective of necessarily the quantity of information that’s available through these identity marketplaces,” Lee said.

Ransomware Attacks Continue to Grow

Ransomware attacks will surpass phishing as the number one root cause of data compromises by the end of 2022 based on the current growth rate of this data and the fact that this data doubled every year since 2018.

Transparency with Data Breach Notifications Decreased and Some People Don’t Care about Them

In 2021, there were more breach notifications sent to consumers with 607 sent in 2021 versus 209 notices distributed in 2020, but they contained less information. “As a result of that, we believe that there are more organizations that maybe are not complying with data breach notices as they are imposed by state law,” Lee said.

“But the trend line certainly shows a dramatic increase in less information being shared. That hurts businesses that rely on this information to be able to resource plan and to be able to figure out where do I need to focus my attention on because I’m likely to be a victim of a similar attempted attack? And it’s harmful for consumers…,” Lee continued.

At the end of 2021, the ITRC spoke with people who received breach notifications to find out what they did when they received them. Of the 72 percent of consumers who got notified about an account breach, 48 percent of them changed the password connected to the single breached account; 16 percent of people did not do anything because they said their data was already out there or they thought it was the responsibility of the organization that experienced the data breach to remediate the breach. “Then lastly, only three percent of people who received one of those data breach notices acknowledged that they did the single most effective action they could do–freeze their credit,” Lee said.

The Identity Theft Resource Center Will Offer Consumers New Breach Alert Service

In the next several months, consumers can access a free alert service from the ITRC that will email them with breach notices connected to five organizations they want to monitor. A paid alert service will be available for businesses that want public breach information about their vendors and their vendors’ vendors later in 2022.