Data breaches near historic high

Last year was a banner year for cybercriminals.

The 1,802 data compromises reported last year in the U.S. was the second highest reported in a single year, with at least 422 million instances of private data being accessed, including individuals hit multiple times, according to the recently released Identity Theft Resource Center’s 2022 Data Breach Report. It fell only slightly behind 2021, which saw 1,862 compromises.

Notably for 2022, the number of data breaches resulting from supply chain attacks — those targeting third-party vendors — significantly exceeded compromises linked to malware.

“What’s really fueling that is return on investment,” says Eva Velasquez, President/CEO of the Identity Theft Resource Center (ITRC), a nonprofit established to minimize risk and mitigate the impact of identity compromise and crime.

Rather than going after companies one at a time in a piecemeal fashion, threat actors can gain access to data of multiple organizations if they hit a large supplier or vendor, she says.

“The size of these entities is very attractive to thieves,” Velasquez says.

Take password manager LastPass, where last year a threat actor targeted a senior engineer “by exploiting vulnerable third-party software.” As part of that, they gained unauthorized access to cloud backups. The data accessed from those backups included encrypted and unencrypted LastPass customer data, according to a post from LastPass.

Armando D’Accordo, president of CMIT Solutions of South Nassau, a Merrick-based information technology and security services provider, likens this tactic used by cybercriminals as “fishing with a net versus fishing with a hook.”

He said companies need to really research their suppliers and vendors. For instance, "do they have a repeat history of being infiltrated by cyberattackers?," D’Accordo says. “What are their security procedures and reputation in the industry?”

 As a best practice, he advises clients to never use free versions of products because they generally offer less protection.

Beyond supply chain attacks, phishing threats continue to be prevalent, D’Accordo says. Phishing involves scammers sending messages, generally through email, pretending to be a trusted person or organization.

Recently, an accounting client was sent a phishing email that looked legitimate from Microsoft asking for her email login credentials, D’Accordo says. She gave her credentials thinking it was Microsoft and then the hacker started sending out messages to people within her email network pretending to be her. Clients started to tell her they were getting strange emails and CMIT was able to override the hackers’ access and change the credentials.

According to the ITRC report, phishing, smishing (a form of phishing using mobile text messaging) and business email compromises were among the top cyberattacks that led to breaches last year.     

Also noted in the report is a trend away from transparency by impacted companies with the number of breach notices in the U.S. with detailed attack and victim information dropping by more than 50% since 2019.

This makes it harder for those affected to know what countermeasures to take, Velasquez says.

In New York, though, there are greater protections when it comes to providing affected parties with breach information, says Debbie Isaacson, counsel in the privacy, data and cyberlaw practice at Rivkin Radler, which has offices in Uniondale and Manhattan.

New York’s SHIELD Act, signed into law in 2019, triggers a notification requirement, with limited exceptions, in the case of a breach of any person or business, that owns, licenses or maintains computerized data that includes the private information of any New York resident, she says. That notification requirement would go into effect “if that private information was or is reasonably believed to have been accessed or acquired by a person without valid authorization,” she says.

It also requires a “description of categories of the information that were or are reasonably believed to have been accessed or acquired, including specifics as to elements of personal and private information,” Isaacson says.

Further, the SHIELD Act requires that businesses using third-party vendors take certain reasonable administrative safeguards, including making sure the vendor they’re selecting is capable of maintaining appropriate cybersecurity protections, she says.

Still, generally speaking, “companies who suffer a cyberattack or data breach are waiting far too long to report them,” says Steve Morgan, founder of Northport-based Cybersecurity Ventures, a cybersecurity industry market researcher. “We’re seeing anywhere from six months to a year.” Reasons include reputational concerns and investor and consumer backlash, he says. 

Morgan notes companies sometimes may not realize they were hacked for some time. 

“Knowledge is power in the war against cybercrime,” he says. Morgan notes there are various public sources for tracking cyberattacks and breaches, including Cybercrime Magazine, which publishes Cybercrime Wire daily, listing the latest data breaches and cyberattacks at cybercrimewire.com. 

ITRC also offers a breach-alert service free to consumers and paid subscription for businesses with a searchable database to check if companies they're doing business with have had a breach, Velasquez says.

By Jamie Herzlich

jherzlich@aol.com

Herzlich writes the Small Business column in Newsday.