Quarterly breaches are down, but for 2023, hackers are having a banner year
The Identity Theft Resource Center® (ITRC) released its Q3 2023 Data Breach Report, revealing a concerning surge in data compromises. Although Q3 showed a 22% decline in publicly reported data breaches compared to the previous quarter, the year-to-date statistics underscore a disquieting trend.
The Q3 report indicates 733 publicly reported data breaches, significantly down from 941 in the previous quarter. Nevertheless, the year-to-date data breach tally surpassed the annual record set in 2021, with 2,116 data breaches reported in the first nine months of 2023.
Of the 733 breaches in Q3, a notable 53% were reported without an attack vector, raising concerns about the transparency and reporting standards for these incidents.
The number of victims affected in Q3 dropped by 39% from Q3 2022, totaling 66.7 million. However, the overall count for the first three quarters of 2023 stands at 233.9 million victims, still significantly less than the pace set in 2022, which recorded 425 million estimated victims.
In the report, cyberattacks retained their lead as the primary cause of data breaches, accounting for 614 incidents. Among breaches with reported attack vectors, phishing attacks were the most frequent (80), followed by zero-day attacks (69), which exceeded ransomware (64) and malware attacks (17). Cybersecurity experts attribute the rise in data breaches to the increasing number of successful zero-day attacks.
The ITRC reported a 1,620% increase in zero-day attacks in the first three quarters of 2023, totaling 86 incidents, compared to just 5 in the entirety of 2022.
Eva Velasquez, president and CEO of the center, emphasized the trend, stating, "While setting a record for the number of data breaches is attention-grabbing, unfortunately, it is not surprising." She pointed to factors such as the surge in zero-day attacks and a new wave of ransomware attacks by emerging criminal groups as contributors to the rise.
Additional insights from the report include supply chain attacks that affected numerous entities, even if they were not the direct target. More than 1,000 organizations reported data compromises due to an attack against 87 entities, including third parties that utilized the MOVEit file transfer software.
By September 30, a total of 344 U.S. organizations had been impacted by one or more vendors utilizing a vulnerable MOVEit product. An additional 79 organizations reported direct impacts from attacks against MOVEit software or services. Four of the top ten breaches in Q3 were connected to a MOVEit attack.