Spirion released a guide which provides a detailed look at sensitive data breaches in 2021 derived from analysis conducted against the Identity Theft Resource Center (ITRC) database of publicly reported data breaches in the United States.
The guide is based on the analysis of more than 1,500 data incidents that occurred in the United States during 2021 that specifically involved sensitive data, including personally identifiable information (PII). The report identifies the top sensitive data breaches by the number of individuals impacted, number of records compromised, threat actor, exposure vector, and types of sensitive data exposed by industry sector.
2021 was the most prolific year on record for data breaches, surpassing 2017’s all-time high. Last year a total of 1,862 data compromises were reported by U.S. organizations—a 68 percent increase over 2020. ITRC data revealed that 83% of the year’s incidents exposed 889 million sensitive data records that impacted more than 150 million individuals.
“While we have seen significant sensitive data targeting in previous years, a combination of the steady state of remote work and increased sophistication in attack methodologies caused sensitive data attacks to skyrocket during 2021,” said Kevin Coppins, CEO, Spirion.
The most common data targeted during sensitive data breaches last year
- Social security number: 65% of all sensitive data incidents involved SSN
- Personal health information: 41% of all sensitive data incidents
- Bank account information: 23% of all sensitive data
- Driver’s license: 23% of all sensitive data
- Credit/debit card details: 12% of all sensitive data incidents
- Email/password credentials: 10% of all sensitive data incidents
The majority of sensitive data breaches were executed by external actors, accounting for 93 percent of total incidents. Targeted cyberattacks were the primary way external actors gained unauthorized access to personal data in 2021. External actors carried out more than 1,440 cyberattacks (89 percent of all sensitive data incidents), capturing the personal information of 148 million people.
Top attack vectors cyberattackers leveraged to access sensitive data
- Third-party/supply chain vulnerabilities: 25% of sensitive data incidents impacted 6.9 million individuals
- Phishing/smishing/business email correspondence: 23% of sensitive data incidents impacted 4.8 million individuals
- Ransomware: 17% of sensitive data incidents impacted 14 million individuals
- Malware: 8% of sensitive data incidents impacted 2.5 million individuals
Meanwhile, internal actors were responsible for 7 percent of sensitive data compromises that placed 878,556 people’s PII at risk, largely through human error including email correspondence and misconfigured cloud security or firewalls.
In 2021 the average sensitive data breach had a lifecycle twice as long as non-sensitive data breaches. From initial detection to breach containment, the average sensitive data breach took 112 days to resolve, while a non-sensitive data breach only took 52 days. It also took twice as long to detect and contain internal errors as external cyberattacks. On average, the lifecycle of data exposure induced by human error took 207 days to detect and contain, whereas external attacks had an average lifecycle of 75 days.
Three industries were responsible for a majority of sensitive data breaches that impacted 84 percent of all individuals in 2021:
- Professional and business services: 157 incidents that impacted 52 million individuals (or 35% of total individuals)
- Telecommunications: 8 incidents that impacted 47.8 million individuals (or 32% of total individuals)
- Healthcare: 447 incidents that impacted 24.8 million individuals (or 17% of total individuals)
Evolving attack vectors: Supply chain and third-party attacks became a top contributor to sensitive data compromises in 2021. A total of 93 third-party attacks impacted 559 organizations, exposing more than 1.1 billion data records. Of these incidents, 83% contained sensitive data, revealing PII for 7.2 million people. Notably, the healthcare industry was impacted in 53 percent of all the supply chain attacks in 2021.
Multiple attacks in a single year: More than two dozen organizations experienced multiple data breaches last year. From Aetna ACE’s three data incidents to LinkedIn’s two massive data leaks that affected 1.2 billion people, the emergence of this unsettling trend is a result of the increasing levels of remote work that is putting greater amounts of data at risk than ever before.
Under-reporting data breaches: Despite more organizations experiencing data compromises, however, 34 percent of organizations and state agencies underreported data breaches last year by not reporting their data incidents on a timely basis or failing to include relevant details. Although individual states require companies to notify customers of a breach, currently there are no blanket federal U.S. laws dictating that companies must report every data compromise.