Surge in data-theft incidents highlights dynamic nature of the threat

Data privacy breaches represent the largest shift in criminal behavior over the past year. It’s indicative of the human behavioral nature of cyber risk: as controls are put in place to protect one area, attackers find avenues for monetary gain in another. Understanding this can help risk and security teams avoid becoming the next Cencora or ADT.

 

This year has seen some of the largest data privacy breaches and regulatory fines in history.

 

Cencora (formerly AmerisourceBergen), a $46 billion US-listed pharma distribution company, one of the largest in the world, experienced a data breach in February, its second public data breach in two years. The most recent event reportedly impacted at least 12 of the largest pharma companies in the world, including Bayer, Novartis, Regeneron, AbbVie and Genentech. Cencora has thus far reportedly notified over a million people around the US that their personal and protected health information was compromised in the breach.

 

In another large-scale event, Snowflake, a $40 billion cloud-based data platform, was breached in May. This breach alone resulted in data breaches for 165 organizations (to date), including AT&T, Advance Auto Parts, Ticketmaster, and Santander. In an event illustrating the extent of the supply chain risk for large organizations, AT&T disclosed in a regulatory filing that nearly all of its customer records of calls and texts made during a period starting around May 1, 2022 and ending around Oct. 31, 2022 were stolen in the breach tied to Snowflake.

 

This is no small matter, especially in the wake of T-Mobile’s $350 million class action settlement in July 2022 following its own large data breach in 2021.

 

Finally, the massive Change Healthcare breach has not yet reached the class action settlement phase of its story.

 

The regulatory risks are only increasing. In the US, the pressure is ratcheting up: since 2018, 14 states have enacted comprehensive data privacy legislation. Five of these are currently effective, and the remaining nine will go into effect between 2024 and 2026.

 

Growth in attacks outpacing ransomware

 

Looking at the rising frequency of data breaches and the growing magnitude of their costs, it is easy to see why they have risen to the top of the list of cyber risks C-suites are most concerned about.

 

Data privacy breaches represent the largest shift by criminal actors over the past year. In the US, they now account for 72% of large (>€1 million) cyber claims overall in the first six months of 2024, according to Allianz, up from 41% in 2023. Two-thirds of large loss events thus far in 2024 are data-privacy related.

 

US companies alone recorded a record 3,205 data breaches in 2023 (78% more than in 2022), affecting 353 million known victims, according to the Identity Theft Resource Center (ITRC). The trend continued into 2024: the number of data breaches increased 14% in the first half, while the number of data breach victims increased 490% to over one billion. In Q3 this year alone, there were 672 data breach events according to the ITRC.

 

 

Changing tactics of attackers in response to controls

 

This spike in events is reflective of the nature of cyber as a human behavioral risk. Attackers are turning to data breaches as a means of avoiding cyber controls designed to mitigate ransomware attacks.

 

Data exfiltration has become the preferred method of attack for some ransomware groups because it is typically easier to steal data than to encrypt it. Encryption requires higher levels of administrative access rights in the first place, and companies’ more effective backup strategies have made successful encryption-based ransomware attacks harder to carry out, so cyber criminals increasingly rely on data exfiltration instead.

 

Another trend is ‘non-BI’ extortion-style data breaches, where the company’s data is stolen but not released in exchange for a payment to the hacker. US-listed insurance company Globe Life is the latest victim of such an attack, following an 8-K disclosure on Oct. 18. Two noteworthy lines in the disclosure highlight this tactic:

 

“Globe Life Inc. (the “Company”) recently received communications from an unknown threat actor seeking to extort money from the Company in exchange for not disclosing certain information held and used by the Company and its independent agents…

 

To date, the extortion attempts have not involved the use of ransomware or resulted in an interruption to the Company’s systems, services, or business operations.”

 

See the spike in data breach risk and avoid the large loss

 

Recent data breaches and the tactics deployed by attackers are the latest example of the ways companies’ cyber controls are being circumvented. It is an issue Intangic has consistently highlighted for risk managers in recent months.

 

These changes in the intensity of attacker activity around the network can be identified by risk and security teams before attackers gain access to the network and move to exfiltrate large amounts of data.

 

Seeing this in real time is what helps teams make the best risk-informed decisions because only then can they take preventative action to lower the risk and avoid becoming the next Cencora or ADT.

 

The CyFi™ Platform was built to help companies deal with cyber as a high-frequency risk, and no form of the risk exhibits this trait today more than data breaches.

 

As we have seen with Snowflake, Cencora and ADT just this year, gaining better visibility into the supply chain dimension of this risk is critical. It’s a topic we will tackle in our next note.