Lack of Actionable Information in Notices Continues to Grow: ITRC Data Breach Analysis

Source: ITRC | Published on May 2, 2023

The Identity Theft Resource Center (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime, released its U.S. data breach findings for the first quarter of 2023. According to the Q1 2023 Data Breach Analysis, there were 445 publicly reported data compromises in the quarter, a 13 percent decrease compared to the previous quarter (512 compromises).

The number of victims (89,140,686) decreased 64 percent compared to the previous quarter (252,778,204 victims). Compromises in the Manufacturing & Utilities, Technology, Healthcare, and Transportation industries impacted the most people, with an estimated 84 million victims. Also, the number of data breaches with no actionable information about the root cause of the compromise grew to 187 in Q1 2023, compared to 155 in Q1 2022 and five in Q1 2021.

“The number of victims and compromises normally drop in Q1 each year,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “However, it is troubling to see the trend of a lack of actionable information in data breaches continue from 2022. Among the top ten breaches we saw in Q1, 60 percent did not include information about the root cause of the event, compared to 40 percent in Q4 2022. This means individuals and businesses remain at a higher risk of cyberattacks and data compromises.”

Other findings in the Q1 2023 Data Breach Analysis include:

  • For the third consecutive quarter, the Healthcare industry reported the most data compromises among the top ten compromises in Q1 2023. Eight of the top ten compromises impacted more than one million people.
  • Supply chain attacks continued to be a significant attack vector for threat actors seeking personal information in Q1. Of the 378 breaches attributed to cyberattacks, 53 were supply chain attacks compared to 54 ransomware attacks. Phishing remained the most common attack vector that led to a data breach (106) in Q1.