Zero-day, supply-chain attacks drove data breach high for 2023

A new record for data breaches reported to the Identity Theft Resource Center (ITRC) was set in 2023, spurred by zero-day and supply chain attacks, according to the organization’s annual data breach report released Thursday. The report noted that the number of data compromises in 2023 jumped 78% over 2022, to 3,205 from 1,801, and exceeded by 72% the previous high of 1,860 breaches recorded in 2021.

Some of that increase was fueled by old adversaries. “Some of the organized criminal groups that had been on the sidelines during the early part of the conflict between Russia and Ukraine have gotten back into the identity crime business,” says ITRC COO James E. Lee.

“We also saw an increase in a big way of supply-chain attacks, where you had organized groups attacking vendors to get information on multiple companies,” he adds.

Open-source software components may contribute to rise of zero-day attacks

Third-party supply chain attacks aim to find weak links in an organization’s ecosystem. “If you’ve hardened the system that the attacker is ultimately going after, but a supplier is easier to get into, the supply chain attack is going to look more appealing to the attacker,” says Tim Bach, senior vice president of security engineering at SaaS security provider AppOmni.

Lee also notes that the ITRC found more zero-day attacks among 2023’s data breach reports. “We’ve had zero-day attacks for a number of years, but they’ve always been a very low number when it comes to causing data breaches. We’ve gone from years where we had one or four zero days to last year, when we had 110. That’s a big increase over 2022 when we had eight.”

Increased use of open-source software components may be contributing to the rise of zero-day attacks, says Roger Neal, head of product at Apona Security, an application security company. “Over 80% of almost all code bases contain at least one third-party component,” he explains. “This is great for development efficiency, but we often neglect to realize that these components are available for anyone to access and exhaustively test in a controlled environment, opening the door for more and more zero-day attacks.”

“The complexity of modern software supply chains adds to this challenge, as it can hide potential security flaws and make comprehensive vetting difficult,” Neal adds.

Number of data breaches rises, but fewer victims

While the number of data breaches was up, the ITRC found a decline in the number of victims affected by the compromises, to 353,027,892, a 16% decline from 425,212,090 in 2022. That decline is part of a longer trend. “If you go back to 2018, which was the high point for victim count, we’re down 84%,” Lee says. “Identity thieves have changed their tactics. They’re more targeted, both in what they’re attacking and the information that they’re seeking.”

“Attackers today who want personal identifying information are more able to target the right systems,” Bach says. “If you’re more precise about the systems that you target, there’s going to be less collateral damage. That’s how we can see the number of attacks go up while the number of affected individuals goes down.”

“The breaches we’re seeing affect organizations more directly than individuals,” adds Luciano Allegro, co-founder and CMO of BforeAi, a threat intelligence company. “Many companies have stepped up their data privacy efforts due to GDPR and CCPA, but they are so focused on this aspect of data protection that they overlook the rest of their infrastructure.”

Supply-chain and zero-day attacks will continue to rise

The ITRC also reported that nearly 11% of all publicly traded companies were compromised in 2023 and that while most industries saw modest increases, healthcare, financial services, and transportation reported more than double the number of compromises compared to 2022.

For the coming year, Lee expects breach numbers to continue to trend upwards. “I don’t see any reason for it to go down,” he says. “With the increase in supply-chain and zero-day attacks, I believe we’re going to see another year of increases.”

Bach agrees. “We are just on the cusp of a bunch of new AI tools that, as much as they can help defenders, are going to help attackers,” he maintains. “And they’re probably going to help attackers first because attackers only need to find one good use case for them to launch a wave of successful attacks.”
