Spirion Releases Definitive Guide to 2021 Sensitive Data Breaches

Spirion Adds First-of-its-Kind Risk Score to Sensitive Data Platform

83 percent of last year’s record number of data breaches involved sensitive data compromising 889 million records and 150 million individuals

Spirion, a pioneer in data protection and privacy, released its Definitive Guide to Sensitive Data Breaches: America’s Top Leaks, Attacks and Insider Hacks, which provides a detailed look at 2021’s sensitive data breaches derived from analysis conducted against the Identity Theft Resource Center (ITRC) database of publicly reported data breaches in the United States.

Marketing Technology News: MarTech Interview with Melton Littlepage, Chief Marketing Officer at Outreach

“While we have seen significant sensitive data targeting in previous years, a combination of the steady state of remote work and increased sophistication in attack methodologies caused sensitive data attacks to skyrocket during 2021”

Tweet this

Spirion’s Definitive Guide to Sensitive Data Breaches is based on the analysis of more than 1,500 data incidents that occurred in the United States during 2021 that specifically involved sensitive data, including personally identifiable information (PII). The report identifies the top sensitive data breaches by the number of individuals impacted, number of records compromised, threat actor, exposure vector, and types of sensitive data exposed by industry sector.

2021 was the most prolific year on record for data breaches, surpassing 2017’s all-time high. Last year a total of 1,862 data compromises were reported by U.S. organizations—a 68 percent increase over 2020. ITRC data revealed that 83% of the year’s incidents exposed 889 million sensitive data records that impacted more than 150 million individuals.

“While we have seen significant sensitive data targeting in previous years, a combination of the steady state of remote work and increased sophistication in attack methodologies caused sensitive data attacks to skyrocket during 2021,” said Kevin Coppins, CEO, Spirion. “Spirion’s mission is to eliminate the lasting personal pain of a privacy breach by enabling organizations to take a proactive stance toward protecting sensitive data before attacks occur by automating the discovery, classification, and remediation of private information wherever it lives within their IT environment.”

Key Findings

The most common data targeted during sensitive data breaches last year included:

  • Social Security Number: 65% of all sensitive data incidents involved SSN
  • Personal Health Information: 41% of all sensitive data incidents
  • Bank account information: 23% of all sensitive data
  • Driver’s license: 23% of all sensitive data
  • Credit/debit card details: 12% of all sensitive data incidents
  • Email/password credentials: 10% of all sensitive data incidents

Marketing Technology News: Spirion CEO Identifies Top Data Protection and Privacy Predictions for 2022

The majority of sensitive data breaches were executed by external actors, accounting for 93 percent of total incidents. Targeted cyberattacks were the primary way external actors gained unauthorized access to personal data in 2021. External actors carried out more than 1,440 cyberattacks (89 percent of all sensitive data incidents), capturing the personal information of 148 million people. Cyberattackers leveraged the following top attack vectors to access sensitive data:

  • Third-party/supply chain vulnerabilities: 25% of sensitive data incidents impacted 6.9 million individuals
  • Phishing/smishing/business email correspondence: 23% of sensitive data incidents impacted 4.8 million individuals
  • Ransomware: 17% of sensitive data incidents impacted 14 million individuals
  • Malware: 8% of sensitive data incidents impacted 2.5 million individuals

Meanwhile, internal actors were responsible for 7 percent of sensitive data compromises that placed 878,556 people’s PII at risk, largely through human error including email correspondence and misconfigured cloud security or firewalls.

In 2021 the average sensitive data breach had a lifecycle twice as long as non-sensitive data breaches. From initial detection to breach containment, the average sensitive data breach took 112 days to resolve, while a non-sensitive data breach only took 52 days. It also took twice as long to detect and contain internal errors as external cyberattacks. On average, the lifecycle of data exposure induced by human error took 207 days to detect and contain, whereas external attacks had an average lifecycle of 75 days.

Three industries were responsible for a majority of sensitive data breaches that impacted 84 percent of all individuals in 2021:

  • Professional and business services: 157 incidents that impacted 52 million individuals (or 35% of total individuals)
  • Telecommunications: 8 incidents that impacted 47.8 million individuals (or 32% of total individuals)
  • Healthcare: 447 incidents that impacted 24.8 million individuals (or 17% of total individuals)

Interesting Trends

Evolving attack vectors: Supply chain and third-party attacks became a top contributor to sensitive data compromises in 2021. A total of 93 third-party attacks impacted 559 organizations, exposing more than 1.1 billion data records. Of these incidents, 83% contained sensitive data, revealing PII for 7.2 million people. Notably, the healthcare industry was impacted in 53 percent of all the supply chain attacks in 2021.

Multiple attacks in a single year: More than two dozen organizations experienced multiple data breaches last year. From Aetna ACE’s three data incidents to LinkedIn’s two massive data leaks that affected 1.2 billion people, the emergence of this unsettling trend is a result of the increasing levels of remote work that is putting greater amounts of data at risk than ever before.

Under-reporting data breaches: Despite more organizations experiencing data compromises, however, the ITRC found that 34 percent of organizations and state agencies underreported data breaches last year by not reporting their data incidents on a timely basis or failing to include relevant details. Although individual states require companies to notify customers of a breach, currently there are no blanket federal U.S. laws dictating that companies must report every data compromise.

Marketing Technology News: Senseforth.ai Recognized in 2022 Gartner Magic Quadrant for Conversational AI Platforms

Picture of Business Wire

Business Wire

For more than 50 years, Business Wire has been the global leader in press release distribution and regulatory disclosure.

You Might Also Like