Supply-chain attacks and zero-day exploits, such as the widespread attacks against the MOVEit file-transfer service, are surging, according to the Identity Theft Resource Center.
Data breaches resulting in compromised personally identifiable information in the U.S. are at an all-time high this year, squashing a record set in 2021 with the final three months of the year yet to be recorded, according to Identity Theft Resource Center’s research released last week.
More than 2,100 organizations filed data breach notices through the first nine months of 2023, beating the previous record of 1,862 data compromises in 2021, ITRC found.
Supply-chain attacks are on the upswing, and they’re having far-reaching consequences. The majority of compromises, 3 in 5, are the result of attacks against just 87 organizations, the report said. Many of those downstream victim organizations were compromised by attacks against Progress Software’s MOVEit file-transfer service.
“Supply-chain attacks are definitely a part of the increase in compromises this year, and there is no reason to expect that will change,” James Lee, COO at ITRC, said via email.
“Supply chains are an attractive, easy target for attackers because vendors often have fewer cybersecurity resources but the data of multiple customers,” Lee said. “Stronger vendor requirements and due diligence will be required to reduce the number of supply-chain attacks.”
Four of the top 8 data compromises in Q3 2023 were related to a MOVEit attack, ITRC found.
Chart: Top 8 data compromises in Q3 2023
Data breach notices filed by Maximus, IBM Consulting, CareSource and PH Tech — all attributed to the mass exploits of a zero-day vulnerability in MOVEit — exposed the PII of more than 20 million people combined, according to the report.
The spree of attacks against MOVEit also explains the surge in zero-day attacks ITRC recorded. Zero-day attacks were reported in 86 data breach disclosures through the first nine months of 2023, compared to 5 in 2022.
All told, data breaches compromised the PII of almost 234 million people through the first nine months of 2023. The number of individuals known to be impacted this year is still much lower than the 425 million people compromised in 2022 when a breach at Twitter alone accounted for more than 221 million victims, according to ITRC.
“It certainly seems as if every scrap of data about every person has been compromised,” Lee said.
“To be sure, there are vast troves of data available as a result of compromises and scams, but that doesn’t mean we individually or collectively need to throw up our hands in frustration or despair,” Lee said.
“Defenders win more fights with attackers than they lose. The losses tend to get a lot of attention, but the vast number of attacks fail,” Lee said.