What Data Breaches Tell Us: An Analysis of 17,000 U.S. Data Breaches

Data Breach Blog

Data breach attacks are a serious problem for companies, organizations and institutions all over the world. For example, in the US a single data breach costs on average 9.4 million USD, the highest average anywhere in the world.

To handle—or ideally, prevent—these attacks, we need to understand first the “why” and “how” of an attack. With this objective in mind, Bitsight analyzed more than 17,000 data breach events from the last seven years affecting 23 sectors in the US.

We start by looking at the evolution of reported incidents over the past years to identify trends and global patterns.

Since the beginning of 2018, the number of recorded data breaches has steadily increased. At the end of 2021, however, this trend reverses and the number of recorded attacks goes down again. At first glance this is a positive trend, and one could assume that data breach attacks have become less of a problem today than a few years ago. To confirm this assumption, it is necessary to understand these attacks on a deeper level.

Another interesting finding is the recurring increase in data breach records at the beginning of each year. It might be the consequence of attacks being planned close to, or during, the holiday season at the end of each year.

Which sectors get attacked the most

Overall, we can identify seven sectors that are generally much more affected (dark blue). Potential explanations might be a bigger market share as well as holding more sensitive, and therefore more attractive, data in these sectors. Let’s deep dive into the first two sectors: healthcare and finance.

A deep dive into the healthcare industry’s data breach data

When checking recorded data breach attacks by sector, healthcare is by far the most affected one. Organizations in this industry are interesting targets as they hold a large amount of sensitive data which can be used to commit theft or fraud. Healthcare clinics are threatened on two different levels: losing access to patient data through encryption, or seeing that data sold to third parties on the dark market.

Additionally, patients themselves may be threatened, which makes the attack a triple extortion. This type of triple extortion, where the organization as well as individual patients are threatened directly, happened for the first time in October 2020 at a Finnish psychotherapy clinic.

This type of attack may occur due to security weaknesses combined with the rapid digitalization of the sector over the last years. Moreover, medical information may be seen as an attractive data type because it is highly sensitive and valuable to third parties. According to the FBI, between June 2018 and January 2019, at least 65 healthcare payment processors in the US were targeted by cybercriminals who replaced customer banking information with the details of accounts controlled by the attackers.

A deep dive into the finance industry’s data breach data

Finance is the second most affected sector by reported data breach attacks. Obviously, institutions like banks and investment firms hold a lot of financial data that can be used to commit fraud or theft. Even though financial institutions have robust cyber security measures in place, some vulnerabilities remain.

Types of incidents

When looking at the ranking of incident types we can identify "Error" and "Unknown" as the most common ones. Both categories don't allow much prevention because they are unspecific and undefined. However, the "unknown" category may in several cases only be unknown to the public; the affected entity itself may well know the real reason for the data breach.

Ransomware is the third most frequent type, representing a type of criminal business developing around data breach attacks. Malicious activity is proliferating, in part because of the growing number of vulnerabilities but also because there are few barriers to entry for participants in the ransomware industry and little risk of extradition, prosecution or sanction. This trend is also confirmed by ENISA’s Threat Landscape report.

The last two above-average data breach types are “account takeover by employee” and “privilege abuse.” Reasons can vary from individual interests to preparing ransomware attacks. According to the WEF Global Risk Report 2022, businesses also operate in a world in which insider threats represent 43 percent of all breaches.

When crossing sectors with types, interesting patterns appear. As seen before, the healthcare sector is generally the most affected, and this holds across data breach types. Unspecified cases such as “errors,” “unknown,” and “lost asset” occur alongside intentional data breach attacks such as “ransomware,” “privilege abuse,” and “phishing.” Again, it is important to keep in mind that healthcare organizations are legally required to publish this information.

Factors that impact which companies are targeted

What stands out is that finance seems to be threatened particularly by human-related entries such as “privilege abuse” and “account takeover: employee” (insider threat). On the other hand, the technology sector faces “unsecured databases” as a disproportionate threat.

Apart from healthcare, ransomware mainly affects two other sectors: education and government. Organizations and institutions in both sectors hold a lot of sensitive data, including citizen data, financial information, research data, and student and faculty records, all of which can be very valuable to cybercriminals.

Data breach trends since 2015

After zooming in on the “when,” “where,” and “how” of all recorded data breaches, we still couldn’t explain the more recent decrease in cases shown in the first chart. We made an interesting observation when checking the severity of cases over time.

The visualization above consists of two graphs. The line chart again represents the total number of attacks over the last seven years. In the barcode chart below it, we added some important detail by separating two groups of attacks: those that have a low-to-medium impact on the companies, shown in blue (less severe), and those that actually have a severe impact, shown in red (highly severe).

With this additional information we can see a connection between the downward trend starting in 2021 and a marked increase in highly severe attacks. Now the question is why highly severe attacks went up: are data breach attacks becoming better organized and executed on a larger scale?

To dig deeper into the reason for this pattern, we created an interactive visualization which lets us investigate by sector, type, motivation, etc. what is behind these severe attacks (in red).

The most informative pattern around highly severe attacks over time appears when separating by data breach type. Ransomware and crimeware in particular account for these impactful incidents.

Groups like Conti represent the professional and highly organized structure behind these attacks, a structure which, even after collapses like Conti’s, is expected to regain popularity.