ITRC: Data Breach Notices Nearly Doubled in Q1 2024

Source: Advisen - Erin Ayers | Published on April 12, 2024

Hackers plan to attack banks, insurance companies

The number of publicly reported data compromise events jumped 90% year-over-year in the first quarter of 2024, with the number of organizations falling victim to supply chain attacks nearly tripling, according to recent data from the Identity Theft Resource Center (ITRC).

While the number of data compromises increased from 442 to 841, the number of affected individuals dropped 72% to just under 28.6 million in Q1 compared to one year earlier, the ITRC found. This seems to reflect more refined techniques by cybercriminals, according to the report.

“The consensus among cybersecurity experts and the ITRC is that the number of victims per compromise is drifting lower as identity criminals launch more targeted assaults that are vastly different from the ‘pray & spray’ attacks of the late 20-teens,” said the ITRC. “However, more breaches with fewer people impacted does not mean individuals or businesses can reduce their level of diligence.”

The first quarter of the year historically features the lowest number of data compromises, according to ITRC, suggesting breach stats will only rise through the year. Last year’s data compromise events hit a new record of 3,203 events with 416,205,332 victims.

The financial services sector had the highest number of data breach events in Q1, up dramatically to 224 from 70 one year earlier. Attacks on professional services firms also more than doubled to 100.

ITRC broke the 841 data compromises down by type – 642 cyberattacks, 85 events caused by system or human errors, and 11 physical attacks (these include compromise of actual physical items like lost or stolen devices).

While cyberattacks remain the primary cause of compromised data, the percentage of data breach notices without information about the root cause of the event jumped from 44% to 68% of all cyberattack-related notices.

ITRC observed that new reporting requirements from the U.S. Securities and Exchange Commission (SEC) and the Federal Communications Commission (FCC) appear to be encouraging more information sharing on cyber events. However, just 75 of 841 entities experiencing cyber events in Q1 were subject to the new rules.