Ransomware to overtake phishing as top cause for data compromises, report says

Ransomware attacks are on track to surpass phishing as the leading cause for data compromises this year, according to a new report which indicated record-level data compromises in 2021 and pointed to potential compliance issues with state data breach notice laws. 

The Identity Theft Resource Center (ITRC) report published on Monday said data breaches surged last year, up 68% from the year prior with a total of 1,862 reported compromises. The report also showed ransomware attacks doubling each year since 2019, as compromises increased across virtually every sector, including government, healthcare, technology and manufacturing, among others. The military did not publicly report any data breaches. 

Consumer breach notices are increasingly lacking transparency, the report suggests,  with nearly triple the number of notices featuring missing details and a lack of actionable information compared to the year prior. Data breach notices in 2021 failed to include the root cause of a compromise in 607 cases, a rate that jumped 190% from the prior year.

"There are threats and risks that are not being addressed," said ITRC's Chief Operating Officer James Lee, who spoke at the organization's cybersecurity policy forum on Monday about the annual data breach report. 

Delayed or incomplete data breach notices may prevent consumers from taking effective protection actions, as the report showed less than 5% took the most effective actions after receiving a data breach notice, like freezing their credit to prevent new financial accounts from being opened. 

Just 48% of consumers identified in the report changed passwords on impacted accounts after being notified of a breach, while 16% took no action at all. Breaches involving sensitive information like Social Security numbers continued to rise to 83%, up from 80%, as high-profile cyberattacks targeted the nation's pipelines and critical infrastructure, along with companies and platforms accessed by millions of consumers daily. 

In a letter accompanying the report, ITRC President Eva Velasquez said current "legal, regulatory and policy frameworks" at the state and federal levels "do not adequately address the growing and evolving threats that data breaches represent to individuals, organizations and society as a whole." 

"We may look back at 2021 as the year when we moved from the era of identity theft to identity fraud," Velasquez said. "Many of the cyberattacks committed were highly sophisticated and complex, requiring aggressive defenses to prevent them. If those defenses failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud."