Last year saw exponential growth in the number of organizations impacted by supply-chain attacks, although the increase in the number of organizations targeted has remained slow. According to the 2023 data breach report from the Identity Theft Resource Center (ITRC), the number of organizations impacted has surged by more than 2,600 percent since 2018, affecting over 54 million victims.
“We must acknowledge the significant impact of Supply Chain Attacks and their effect on all organizations. A single supply chain attack can directly or indirectly impact hundreds or thousands of businesses that rely on the same vendor,” warns the ITRC.
While supply chain attacks have been around for many years, the ability to automate and launch the attacks at scale accelerated in 2018. The MOVEit attack last year shows the scope and scale a Supply Chain Attack can have. According to the report, 102 entities were directly impacted by threat actors exploiting a MOVEit product. However, 1,271 organizations were indirectly affected when information stored in or accessed by a MOVEit product or service was compromised via a vendor or vendors.
Data compromises impacted 353M people
Last year also saw an overall rise in data compromises. A new record high of 3,205 publicly reported data compromises impacted over 353 million individuals – a 78 percent increase in events over 2022.
“The sheer scale of the 2023 data compromises is overwhelming. Just the increase from the past record high to 2023’s number is larger than the annual number of events from 2005 until 2020 (except for 2017),” says ITRC CEO Eva Velasquez.
The majority of data compromises were linked to cyberattacks during 2023. According to the report, phishing-related and ransomware attacks were down slightly, while malware and Zero Day attacks jumped significantly compared to previous years. Data compromises resulting from system and human error more than tripled in 2023, led by a 590 percent increase in data exposure in emails and correspondence. However, data breaches involving physical action, such as the loss of a document or device theft, have fallen by 65 percent since 2018.
The ITRC’s 2023 Data Breach Report calls for more robust reporting requirements to warn vulnerable businesses, together with increased due diligence when it comes to vendors and data protection.
“The two-decade-old legislative and regulatory framework designed to alert consumers to breaches is broken. A Supply Chain Attack victim from 2020 confirmed in 2023 what was suspected for years: businesses under or non-report breaches. We need to bring a level of uniformity to the breach notice process to help protect both consumers and business,” says the ITRC.