Cybersecurity crisis in numbers
The number of US data compromises in 2024 (3,158) decreased 1% compared to 2023 (3,202), 44 events away from tying a record for the number of compromises tracked in a year, according to the Identity Theft Resource Center.
Data breach notices surge
The number of data breach notices issued in the past year (1,728,519,397) increased 312% from 2023 (419,337,446). The increase was primarily due to six “mega-breaches” that resulted in at least 100 million breach notices being issued in each event. Mega-breach victim notices totaled more than 1.4 billion of the more than 1.7 billion victim notices issued in 2024.
Six mega-breaches account for only .001% of compromises in the past year but ~85% of data breach notices.
If the six mega-breaches are excluded, the ~266 million other victim notices issued last year decreased by 36% compared to 2023.
According to the report, approximately 70% of cyberattack-related breach notices did not include attack information, compared to 58% in 2023. In 2019 and previous years, ~100% of breach notices included attack vector information.
In 2024, the financial services industry, led by commercial banks and insurance, was the most breached industry, followed by healthcare (the most attacked industry each year from 2018 until 2024), professional services, manufacturing and technology.
“With a near-record number of compromises and over 1.7 billion victim notices, often tied to inadequate cyber practices, we are also seeing an increase in notices that provide limited actionable information for victims,” said Eva Velasquez, CEO of the Identity Theft Resource Center.
“On a positive note, 40% of states have enacted comprehensive privacy laws to better protect consumers,” noted Velasquez. “Innovative technologies like passkeys offer promising solutions to prevent breaches caused by stolen and compromised passwords, which accounted for four of the six mega-breaches.”
Better cyber practices and requirements could have prevented at least 196 compromises and more than 1.2 billion victim notices. Attacks using stolen credentials against Ticketmaster, Advance Auto Parts, AT&T, Change Healthcare and other organizations could have been blocked with the addition of MFA or passkeys.
Disclosure laws fall short
State and federal disclosure requirements are having no significant impact on data breaches. New Securities and Exchange Commission breach disclosure rules resulted in a 60% increase in disclosures in 2024. However, fewer than 10% of the notices included details of the event.
There were fewer zero-day and supply chain attacks. However, they had more significant impacts. Supply chain attacks directly impacted 134 organizations and indirectly impacted 657 entities, resulting in 203 million victim notices. At least 190 million notices were related to the Change Healthcare breach.
Publicly traded companies represented only 7% (221 companies) of all compromised organizations. However, they issued 76% of victim notices in 2024.
Of the 133 cyberattacks against publicly traded companies resulting in a data breach notice, a stolen credential was the leading attack vector. 74% of the breached organizations did not list an attack vector in a breach notice.
There are risks that come with overly focusing on mega-breaches. They give consumers a skewed sense of risks and contribute to “breach fatigue” and despair. Focusing on mega-breaches may also lead businesses—especially small ones—to misallocate limited cybersecurity and data protection resources.
No data breach notice directly linked the use of AI to a compromise in 2024. However, it’s clear that AI is enabling identity-related phishing attacks and identity scams that do lead to data compromises. The quality of phishing lures – emails, spoofed websites, texts, pitch scripts, etc. – has dramatically improved since the introduction of generative AI into the mainstream in 2022.