Show Transcript

Welcome back to the Identity Theft Resource Center's (ITRC) Weekly Breach Breakdown, supported by Sentilink. I'm James Lee, the ITRC's COO, and this is the episode for Friday, October 11, 2024. Each week on this podcast, we look at the most recent events and trends related to data security and privacy. Today, we will look at the latest data breach trends from the third quarter of 2024 and year-to-date trends.

Let's start with the question everyone asks: will we set a new record for data breaches this year? The short answer is – probably not. You can never say never in the world of data compromises. However, right now, it does not appear that we'll reach or exceed last year's record high of a little more than 3,200 compromises.

At the end of September, we had racked up 2,242 compromises, which makes this year the second-highest number of compromises in a single year. It's a different story regarding the number of compromise victims. 

According to the latest data breach trends from the year's third quarter, the estimated number of victims in Q3 2024 totaled 241 million people, including those impacted by multiple breaches. That brings the annual victim total to 1.3 billion. That number is bad, but it's also not as bad as it sounds. Here's why:

The victim count continues to be skewed by a small number of very large data breaches in Q3 and earlier quarters. Two examples of these mega-breaches include:

  • An AT&T data breach that compromised the personal information of 110 million individuals, nearly every customer of the telecom company, and 
  • MC2 Data, a data broker that primarily sells personal information for background checks, acknowledged a data leak impacting 100 million people. The compromise was not a data breach but a lower-risk event where a database of personal information was open to attack because of misconfigured security. There is no evidence the data was ever copied or removed by a bad actor. 

If you set these two compromises aside, the victim count drops to 31 million people in Q3, including people who received more than one notice. Victim counts are notoriously volatile, though, and can change quickly.

I'm sure many of our regular followers have received breach notices from Change Healthcare or a related company. However, Change has not revealed exactly how many people were sent notices. Once that number is known, the annual victim count could increase by significantly more than 100 million people.

A Couple of Other Stats About Q3:

  • After dropping in the first two quarters of 2024, supply chain attacks against vendors jumped back up in Q3 by more than 200 percent compared to Q2.
  • According to the latest data breach trends, Financial Services companies continued to be the most targeted industry in 2024 with 141 compromises, slightly ahead of Healthcare with 121 compromises. 
  • "Not Specified," at 69 percent, remained the most reported cause of a cyberattack listed in breach notices issued in Q3 2024, flat with the previous two Quarters. That lack of information puts individuals and other businesses at risk from similar attacks.
  • Lastly, data breach notices issued in Q3 from businesses of all sizes showed that five percent of companies compromised in the quarter were previously compromised in the past 12 months. The latest data breach analysis shows that more than half of those companies were also compromised multiple times in Q3. That level of repeat compromises of the same organization indicates the unrelenting challenge cybersecurity teams face when protecting personal information. That's why it's important they act quickly to improve data protections.

The Q3 2024 Data Breach Analysis is the last data compromise update for the year. We'll publish a full-year analysis in late January 2025 with the latest data breach trends from the year. Also, on October 30, we will publish our annual impact report on how identity crimes and cybersecurity attacks affect people and small businesses. This year, we're combining the consumer and business impacts into a single report. We will talk about the findings on a future podcast.

If you want to know more about how to protect your business or personal information or think you have been the victim of an identity crime or a funeral streaming scam, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. Next week, we will have an episode of our sister podcast, the Fraudian Slip, featuring Stephanie Schuckers, Director of the Center for Identification Technology Research at Clarkson University. Schuckers and ITRC President and CEO Eva Velasquez will discuss all things biometrics. We will return in two weeks with another episode of the Weekly Breach Breakdown.