Digital Transactions Authoritative, insightful and timely information for payments professionals
As digitalization of payments information continues to permeate society, the allure of getting a hold of that data illicitly is unabated. Already, for the first half of 2023, the number of U.S. data compromises is higher than the total compromises for every full year between 2005 and 2020, except for 2017, says the Identity Theft Resource Center in its “H1 2023 Data Breach Report” released Wednesday.
In a separate report, Verizon details the type of attacks faced by the financial and insurance industries.
While health care organizations had the most data compromises in the six-month period (379 compromises), financial-services entities reported 241, nearly double the amount compared to the same period a year ago in the ITRC report. By comparison, health-care compromises totaled 161 in the first half of 2022 and financial services totaled 127 in the same period.
Most—1,049—of the attack vectors were cyberattacks, followed by system and human errors, 311, supply-chain attacks, 108, and physical attacks, 31. Compromises with the most victims include breaches at T-Mobile, which affected 37 million users and PeopleConnect Inc., operator of Classmates.com and TruthFinder.com, which affected more than 20 million users.
The annual Verizon “Data Breach Investigations Report” tallied 1,832 breach incidents among financial and insurance-services providers, with 480 having confirmed data disclosures.
While the measures criminals take to attack these organizations may appear sophisticated, Verizon says simple vectors such as basic Web application attacks, miscellaneous errors, and system intrusion account for 77% of breaches in this segment. Basic Web-application attacks largely focus on an organization’s most exposed infrastructure, such as Web servers, though Verizon says attacks could be as simple as a brute-forced password.
“The basic Web application attacks pattern is the most prevalent in this sector, which means those not-so-complex attacks are succeeding splendidly for the adversaries. Why put forth a great deal of effort when just a little will do?” the report says.
Most of the threat actors—66%—are external, with internal actors accounting for nearly 34%, and multiple variants at 1%, of breaches. And personal information is the most sought-after data, with it being involved in 74% of instances, followed by credentials at 38%, other at 30%, and bank data at 21%.
“The top three patterns remain the same, but their order of ascendancy has rearranged. Personal data, very useful for fraud, continues to be the most desired data type stolen,” the report says.
