Spirion Releases Definitive Guide to 2021 Sensitive Data Breaches
83 percent of last year’s record number of data breaches involved sensitive data compromising 889 million records and 150 million individuals
ST. PETERSBURG, Fla., April 12, 2022 /Business Wire/ — Spirion, a pioneer in data protection and privacy, today released its Definitive Guide to Sensitive Data Breaches: America’s Top Leaks, Attacks and Insider Hacks, which provides a detailed look at 2021’s sensitive data breaches derived from analysis conducted against the Identity Theft Resource Center (ITRC) database of publicly reported data breaches in the United States.
Spirion’s Definitive Guide to Sensitive Data Breaches is based on the analysis of more than 1,500 data incidents that occurred in the United States during 2021 that specifically involved sensitive data, including personally identifiable information (PII). The report identifies the top sensitive data breaches by the number of individuals impacted, number of records compromised, threat actor, exposure vector, and types of sensitive data exposed by industry sector.
2021 was the most prolific year on record for data breaches, surpassing 2017’s all-time high. Last year a total of 1,862 data compromises were reported by U.S. organizations—a 68 percent increase over 2020. ITRC data revealed that 83% of the year’s incidents exposed 889 million sensitive data records that impacted more than 150 million individuals.
“While we have seen significant sensitive data targeting in previous years, a combination of the steady state of remote work and increased sophistication in attack methodologies caused sensitive data attacks to skyrocket during 2021,” said Kevin Coppins, CEO, Spirion. “Spirion’s mission is to eliminate the lasting personal pain of a privacy breach by enabling organizations to take a proactive stance toward protecting sensitive data before attacks occur by automating the discovery, classification, and remediation of private information wherever it lives within their IT environment.”
The most common data targeted during sensitive data breaches last year included:
- Social Security Number: 65% of all sensitive data incidents involved SSN
- Personal Health Information: 41% of all sensitive data incidents
- Bank account information: 23% of all sensitive data
- Driver’s license: 23% of all sensitive data
- Credit/debit card details: 12% of all sensitive data incidents
- Email/password credentials: 10% of all sensitive data incidents
The majority of sensitive data breaches were executed by external actors, accounting for 93 percent of total incidents. Targeted cyberattacks were the primary way external actors gained unauthorized access to personal data in 2021. External actors carried out more than 1,440 cyberattacks (89 percent of all sensitive data incidents), capturing the personal information of 148 million people. Cyberattackers leveraged the following top attack vectors to access sensitive data:
- Third-party/supply chain vulnerabilities: 25% of sensitive data incidents impacted 6.9 million individuals
- Phishing/smishing/business email correspondence: 23% of sensitive data incidents impacted 4.8 million individuals
- Ransomware: 17% of sensitive data incidents impacted 14 million individuals
- Malware: 8% of sensitive data incidents impacted 2.5 million individuals
Meanwhile, internal actors were responsible for 7 percent of sensitive data compromises that placed 878,556 people’s PII at risk, largely through human error including email correspondence and misconfigured cloud security or firewalls.
In 2021 the average sensitive data breach had a lifecycle twice as long as non-sensitive data breaches. From initial detection to breach containment, the average sensitive data breach took 112 days to resolve, while a non-sensitive data breach only took 52 days. It also took twice as long to detect and contain internal errors as external cyberattacks. On average, the lifecycle of data exposure induced by human error took 207 days to detect and contain, whereas external attacks had an average lifecycle of 75 days.
Three industries were responsible for a majority of sensitive data breaches that impacted 84 percent of all individuals in 2021:
- Professional and business services: 157 incidents that impacted 52 million individuals (or 35% of total individuals)
- Telecommunications: 8 incidents that impacted 47.8 million individuals (or 32% of total individuals)
- Healthcare: 447 incidents that impacted 24.8 million individuals (or 17% of total individuals)
Evolving attack vectors: Supply chain and third-party attacks became a top contributor to sensitive data compromises in 2021. A total of 93 third-party attacks impacted 559 organizations, exposing more than 1.1 billion data records. Of these incidents, 83% contained sensitive data, revealing PII for 7.2 million people. Notably, the healthcare industry was impacted in 53 percent of all the supply chain attacks in 2021.
Multiple attacks in a single year: More than two dozen organizations experienced multiple data breaches last year. From Aetna ACE’s three data incidents to LinkedIn’s two massive data leaks that affected 1.2 billion people, the emergence of this unsettling trend is a result of the increasing levels of remote work that is putting greater amounts of data at risk than ever before.
Under-reporting data breaches: Despite more organizations experiencing data compromises, however, the ITRC found that 34 percent of organizations and state agencies underreported data breaches last year by not reporting their data incidents on a timely basis or failing to include relevant details. Although individual states require companies to notify customers of a breach, currently there are no blanket federal U.S. laws dictating that companies must report every data compromise.
Webinar: The Top Data Leaks, Cyberattacks, and Insider Hacks of 2021—and What to Expect in 2022
Spirion and the Identity Theft Resource Center (ITRC) will host a joint webinar on Tuesday, February 1 on the top data breaches of 2021 and predictions for the year ahead. ITRC will present the findings and key takeaways from its 2021 Data Breach Report (DBR), the most quoted source of comprehensive information about publicly reported data compromises in the U.S. It is the “go-to” source for organizations seeking trend analysis and tracking data on data breaches, exposures, and leaks dating back to 2005. Spirion will present actionable steps organizations can take today to preemptively protect sensitive data and reduce the impact of potential data breaches. Register here for the webinar.
About the Identity Theft Resource Center
The ITRC is a non-profit organization established to support victims of identity theft in resolving their cases and to broaden public awareness of identity theft, data breaches, cyber security, scams/fraud, and privacy issues. Since 2005, the ITRC has tracked over 10,000 publicly notified U.S. data breaches daily. Learn more about ITRC here: https://www.idtheftcenter.org/about-us/
Spirion has relentlessly solved real data protection problems since 2006 with accurate, contextual discovery of structured and unstructured data; purposeful classification; automated real-time risk remediation; and powerful analytics and dashboards to give organizations greater visibility into their most at-risk data and assets. Spirion’s Privacy-Grade data protection software enables organizations to reduce risk exposure, gain visibility into their data footprint, improve business efficiencies and decision-making while facilitating compliance with data protection laws and regulations.