In 2020, the world entered completely new territory–in more ways than one. Despite the number of data breaches within the United States dropping by 19 percent from 2019, organizations began to face different kinds of threats, especially toward the end of the year.
With the sudden need for employees and students to work from home, and resources allocated elsewhere, cybercriminals were quick to adapt where companies perhaps couldn’t.
What happened with data breaches in 2020?
- 1,108 data breaches, down 19% compared to 2019
- 300,562,519 individuals impacted by publicly reported data breaches, down 66% over 2019
- Healthcare was the most impacted sector with 462 breaches, followed by education (275 breaches) and non-profits/NGOs (227 breaches)
- Data breaches increased over 83 percent from the first half to the second half of the year (655 compared to 1,200)
- Average cost of a data breach was $8.64 million
- Phishing was the most popular kind of attack, with the IC3 seeing phishing incidents nearly double from 2019 to 2020
- There were 464,420 unfilled cybersecurity jobs in the United States from April 2020 through March 2021
This report examines the costs and trends of data breaches across different sectors, the biggest attacks of the year, the impact working from home had on data breaches, and what action needs to be taken going forward.
What data breach trends did we see in 2020?
- Continuing from 2019, cybercriminals were less interested in stealing mass amounts of consumers’ personal information. Instead, they were more interested in taking advantage of bad consumer behaviors so as to attack businesses using stolen credentials such as logins and passwords. (Notified)
- Working from home became a no-choice trend in 2020, with one survey finding that 98 percent of organizations had at least 21 percent of their employees in a remote position. Of these organizations, more than 1 in 5 faced unexpected expenses related to a cybersecurity breach or malware attack, and slightly fewer (20 percent) faced a security breach caused by a remote worker. (Malwarebytes)
- Healthcare data breaches tied to business associates and other third parties jumped from 46 percent in the first half of 2020 to almost 75 percent. This suggests that vendors holding healthcare data offered attackers an easier route to a payout than the providers themselves. (CI Security)
- As with previous years, financially motivated attacks continue to dominate, but secondary motives account for over 20 percent of attacks. “So, if you are a software developer or service provider that has assets that could be repurposed in that manner, please make sure you are paying the proper attention to the operational parts of your organization.” Verizon 2021 Data Breach Investigations Report (DBIR)
What was the cost of data breaches in 2020?
Due to a lack of publicly available data, there is no exact figure for the cost of data breaches in 2020. However, IBM’s 2020 Cost of a Data Breach Report estimates that the United States has the highest cost per data breach of any country. At $8.64 million per breach, this is more than double the global average of $3.86 million (around 124 percent higher).
Based on this figure per breach, that would put the total cost of data breaches to the United States at around $9.6 billion. While astronomical, this figure could be even higher, as state data breach notification laws often only require notification if a certain number of people are impacted (often 500 or more).
The IBM study also suggests that customers’ personally identifiable information (PII) is the most frequently compromised (and most costly) type of record. The average cost of a breach of this information is $150 per record. Across all types of breached information, the cost is only slightly lower at $146 on average. But if the record is breached in a malicious attack and involves PII, the cost goes up to $175.
Based on 300,562,519 individuals being impacted by publicly reported data breaches in the US in 2020, the cost of these records being exposed is estimated at around $44 billion (using the average cost of $146 per record).
How did it happen?
One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years. (Notified)
According to ITRC’s Notified report, cyber attacks accounted for the largest number of data breaches with 878 attacks and 169,574,338 individuals impacted. This was broken down by category with phishing/smishing being the most popular way of attacking (43.7%), followed by ransomware (18.1%).
Other root causes include:
- Human & System Errors (152 events with 130,043,536 individuals impacted).
- Physical Attacks (78 events with 943,645 individuals affected).
- Supply Chain Attacks (694 events and 42,323,106 individuals impacted).
Notified suggests that hackers predominantly preferred ransomware or phishing attacks because they “require less effort, are largely automated, and generate payouts that are much higher than taking over the accounts of individuals”. We can see this reflected in our own ransomware studies.
In 2019, there were 57 ransomware attacks on hospitals affecting 3,178,538 records. In 2020, the number of attacks increased by 61 percent to 92, and the number of records affected increased by 468 percent to 18,069,012. We estimated that these attacks cost healthcare organizations $20.8 billion in 2020, with hackers receiving over $2 million in ransom. The ransom figure is based only on publicly reported payments and is likely to be much higher in reality, since many organizations do not disclose what they paid in the hope of not inviting further attacks.
Why the spike in ransomware attacks on hospitals in 2020?
With reports of hospitals being under enormous amounts of pressure amid the pandemic, they could ill afford system shutdowns. And with the average downtime from ransomware attacks (when no payment is made and systems are restored manually) being two to three weeks long, this perhaps increased the chances of ransom payouts being made.
Phishing attacks across all sectors may also have been more successful/effective due to pandemic-related issues. From employees working from home without the right protections to lack of attention due to higher pressures and stresses elsewhere, phishing attacks slipped through the net for many organizations.
In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 791,790 complaints with reported losses of more than $4.1 billion. This was a 70 percent increase in the number of complaints from 2019. Of these complaints, over 30 percent were phishing scams (241,342) which resulted in losses of around $54 million.
Other reports suggest 74 percent of US organizations experienced a successful phishing attack in 2020, which is 30 percent higher than the global average and a year-on-year increase of 14 percent. 35 percent of those surveyed also dealt with immediate financial loss, which is nearly twice the global average (Proofpoint).
Educational institutions were particularly vulnerable to phishing scams, too. Keith Krueger, CEO of the ed-tech advocacy group the Consortium for School Networking (CoSN), was quoted as saying: “In a school environment, about 3 percent of teachers click inappropriately on phishing scams. That was jumping to 15 to 20 percent from home, so a lot of cybercriminals are getting into the network.”
Why did it happen?
While data breach figures were lower in 2020, this doesn’t mean cybercriminals were quieter or any less successful than in previous years. Rather, they’d adapted to the pandemic and were targeting the most vulnerable–healthcare organizations under increasing amounts of pressure, educational institutions adapting to remote learning, and employees working from home/under new and unknown pressures. They exploited these vulnerabilities with specific attacks that would cause the most damage and provide the greatest financial gain.
Some of their success may also be attributed to organizations being underprepared for the changing working environments.
A survey conducted by Malwarebytes collected data from more than 200 managers, directors, and C-Suite executives in IT and cybersecurity roles in companies across the US. It found that when it came to preparedness for working from home:
- 18% admitted that, for their employees, cybersecurity was not a priority, while 5% admitted their employees were a security risk and oblivious to security best practices
- 44% of companies did not provide cybersecurity training that focused on potential threats of working from home (like ensuring home networks had strong passwords or devices were not left in reach of non-authorized users)
- Only 61% of companies provided work-issued devices to employees as needed, and 65% of these did not deploy a new antivirus solution on these devices
- 61% didn’t urge employees to use antivirus on their personal devices
This resulted in:
- 24% of companies facing unexpected expenses due to a cybersecurity breach or malware attack following shelter-in-place orders.
- 20% facing a security breach as a result of a remote worker
- 28% admitting that they’re using personal devices for work-related activities more than their work-issued devices
One of the key issues surrounding this lack of cybersecurity preparedness may stem from the significant number of cybersecurity roles that remain unfilled within the US.
A recent study by our researchers at Comparitech found that there were 46,866 unfilled “information security analyst” roles at the start of 2021. With the latest data suggesting that 125,950 workers are currently employed in these roles, the number of vacancies is equivalent to more than a third (37 percent) of the existing workforce.
This is reflected by the Bureau of Labor Statistics estimation that the number of information security analysts is expected to grow by 31 percent from 2019 to 2029. The average for computer occupations is 11 percent, while employment growth for all roles is a much lower 4 percent.
In an article in Forbes, Emil Sayegh, president and CEO of Ntirety, describes the current shortage of workers as a “cybersecurity talent drought”, suggesting it only got worse toward the end of 2020. He states that organizations need to have a 24x7x365 cybersecurity team in place to defend against attacks in real-time. By lacking in this, companies risk being exposed to threats, have inexperienced professionals trying to implement advanced security techniques, and lack knowledge when it comes to working with technology-based solutions.
What needs to be done?
There is no one-size-fits-all approach to shoring up companies against data breach attacks. But there are a number of best practices organizations can implement to better safeguard themselves from breaches and other cyber attacks.
- Improved cybersecurity training for all employees: If the shift to WFH for many employees has highlighted anything, it’s that each and every employee needs educating on cybersecurity to some level. From simple how-tos on avoiding phishing attacks to compulsory courses on how to use the latest cybersecurity technology solutions, having this additional training in place will help mitigate day-to-day risks that could be easily avoided. As Malwarebytes suggests, however, these training policies need adapting to specific departments and/or employees to ensure relevance and efficiency. A blanket approach to training will only get organizations so far. As Verizon’s DBIR suggests, “An ideally optimized solution would be to engineer solutions for the norm, and train your security operation teams to handle the exceptions.”
- Deploy antivirus solutions for home and work devices: It would be an incredible undertaking for employers to ensure all employees have an available WFH device. But an investment in antivirus/cybersecurity solutions that protect employees’ work, home, and remote work systems will help eradicate many of the issues faced when WFH. That said, it is important company policies and practices are able to stay on top of updates, ensure employee compliance, and run regular scans.
- Invest in skills development, third-party support, and new technologies: As well as making sure all employees have some know-how of the cybersecurity threats each organization faces, Sayegh (in his Forbes article) implores businesses to invest in skills growth and technological development. It is vital employees and organizations can stay abreast of the latest technologies, which means broadening skills across all fields, including elected office, education, cybersecurity, and business leadership. He also says that companies should leverage help from specialist cybersecurity firms who are able to provide around-the-clock support so as to ward off day-to-day attacks as well as “zero-day” threats.
- Introduce a national data breach law: As discussed in the Cyberspace Solarium Commission’s latest whitepaper, the Transition Book for the Incoming Biden Administration, a “national framework is needed to standardize consumers’ expectations and provide regulatory certainty to American businesses engaging in interstate and global commerce.” Despite all 50 states now having data breach notification laws (as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands), the lack of a national standard leaves gaps in the protections offered to Americans’ data.
- Pass an Internet of Things (IoT) security law: The Cyberspace Solarium Commission is also pushing for an IoT law that would require manufacturers of these devices to ensure basic security protections are in place. This would address well-known insecurities, such as those in Wi-Fi routers, and the growing importance of ensuring household IoT devices are secure for the large number of people who are now WFH. This includes the “foundational cybersecurity activities for IoT device manufacturers” as laid out by the National Institute of Standards and Technology.
- Reduce the vulnerability lifecycle: Vulnerabilities within devices and systems are an open ticket for hackers, with reports suggesting as many as 1 in 3 data breaches occur due to unpatched vulnerabilities (Tripwire). To reduce the lifecycle of these vulnerabilities, Trey Herr of the Belfer Center’s Cybersecurity Project at the Harvard Kennedy School suggests:
- Increasing discoveries of vulnerabilities by expanding bug bounty program availability to new companies (while limiting their scope by focusing on the most important bugs).
- Increasing the speed with which patches are issued after developers learn of their vulnerabilities by improving transparency around the length of time it takes to create these security patches.
- Increasing the number of customers that implement these patches by creating transparency around the companies that apply patches and those that do not.
- The Cyberspace Solarium Commission adds to this by suggesting Congress establish a duty-of-care law so that software, hardware, and firmware providers are liable for damages if incidents arise from vulnerabilities that aren’t fixed within a reasonable timeframe and/or are already known when goods are shipped.
Insights and observations
- Ransomware and data breaches are often combined into a single attack that steals data and encrypts the original in place, allowing attackers to double-dip. They can demand a ransom for the decryption key, and either demand a second ransom for the data or sell it on the dark web.
- Data breaches have a small but negative impact on affected companies’ share prices.
- Hackers can find and access data that has been left unprotected online (often due to a security misconfiguration or oversight) in just a few hours after it’s been exposed.
2020 data breaches by sector
As we have already seen, healthcare was the most impacted sector with 462 breaches, followed by education (275 breaches) and non-profits/NGOs (227 breaches) in 2020. Government agencies also faced 66 data breaches in 2020 down 33% from 2019.
Healthcare data breaches in 2020
At least 462 healthcare organizations suffered data breaches in 2020. Breaches spiked in September and October with 77 and 55 reported respectively (compared to around 30 to 40 in all other months). Aside from Blackbaud (which was significant enough to warrant its own section), some of the most standout 2020 data breaches in healthcare were:
- MEDNAX Services, Inc.: This was 2020’s largest phishing attack, affecting the national medical company, MEDNAX. Almost 1.3 million patients’ PII, including names, financial information, Social Security numbers, Medicare/Medicaid numbers, and treatment data, may have been accessed by hackers through “multiple” phishing attacks on business email accounts from June 17 to June 22, 2020.
- Magellan Health Inc: In April 2020, Magellan Health Inc was hacked with what was described as a “sophisticated social engineering phishing attack”. Hackers impersonated a Magellan Health client and gained access to the health plan’s servers to launch a ransomware attack on the provider. According to the Department of Health and Human Services Office for Civil Rights’ breach tool, 1,013,956 people were affected.
- Florida Orthopedic Institute: A healthcare provider in Tampa, Florida discovered a ransomware attack on April 9, 2020. It was reported that 640,000 people were affected, with compromised data potentially including names, dates of birth, Social Security numbers, and medical information relating to appointments, history, insurance plans, payment amounts, and more. Furthermore, FOI faces a class-action lawsuit filed by the law firm Morgan & Morgan seeking $99 million, alleging that FOI did not act quickly enough to protect patients’ data.
Education data breaches in 2020
There were 275 educational entities affected by data breaches in 2020, with the second half of the year accounting for almost 80 percent (218) of the year’s breaches. November was the hardest-hit month with 51 breaches in total.
Here are some of the most high-profile educational data breaches of 2020:
- Clark County School District: This school district in Las Vegas, which is home to about 320,000 students, refused to pay a ransom to Maze hackers who published documents containing social security numbers, student grades, and other private information online. This is thought to be the largest attack on a school district during the COVID-19 pandemic. A similar case also occurred in Fairfax County Schools and in Toledo Public Schools (TPS)–both of which were also carried out by Maze.
- Illinois Valley Community College: In November 2020, over 160,000 current and former students, applicants, and faculty members were sent warning letters from IVCC following a data breach (through a ransomware infection) in April of the same year. The college stated that it knew some data had been taken but couldn’t be certain exactly what data this involved.
- Indiana University: A tool designed to help staff members at the university gain access to student grades was inadvertently made public. At least 100,000 current and former students’ grades were made publicly available.
Government data breaches in 2020
There were 66 government data breaches in 2020 with peaks in January (11) and May (12). Of significant size were the following:
- SolarWinds: Multiple US government agencies were compromised through a supply chain attack on the IT management vendor SolarWinds (which had 33,000 customers at the time). Attackers inserted malicious code into the build of SolarWinds’ Orion software, and it was delivered to customers as a legitimate software update. The intruders may have been stealing data for as long as nine months before the compromise was discovered. The US Treasury Department, Department of State, and Department of Homeland Security were among those affected.
- JailCore: JailCore, a cloud-based application used by correctional facilities to manage inmate records, was found in January 2020 to have left 36,077 files exposed on a publicly accessible Amazon S3 storage server. The exposed files included inmates’ prescription records (including medicine names and dosage amounts), up-to-date mugshots, inmates’ prison locations, activity reports, and other PII.
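The JailCore exposure above, and the observation elsewhere in this report that data left unprotected online is found within hours, both come down to storage that is readable by anonymous principals. The following is an added example, not code from the original report or from any of the organizations named in it: an offline checker that classifies an S3 bucket policy by what it grants to everyone on the internet, and accounts for the RestrictPublicBuckets guard rail. The policy documents, account ID, VPC endpoint ID and bucket name are constructed for the example.

```python
"""Offline check of an S3 bucket policy for anonymous (public) access.

Takes a bucket policy document (JSON, as returned by get-bucket-policy) and
the bucket's PublicAccessBlock settings (get-public-access-block).
"""
import json

# Actions that let an anonymous caller enumerate or read objects.
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:*", "*"}
# Actions that let an anonymous caller modify data or the policy itself.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when a statement applies to everyone, not just known accounts."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_actions(policy_json):
    """Split anonymous Allow grants into (unconditional, conditional) action sets.

    A Condition block (e.g. aws:SourceVpce or aws:SourceIp) narrows who can
    use the grant, so those actions are kept apart from world-readable ones.
    """
    policy = json.loads(policy_json)
    unconditional, conditional = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action")))
        if stmt.get("Condition"):
            conditional |= actions
        else:
            unconditional |= actions
    return unconditional, conditional


def assess_bucket(policy_json, public_access_block):
    """Return one of: private, conditional, blocked, public-write, public-read, public-other.

    public_access_block mirrors PublicAccessBlockConfiguration; when
    RestrictPublicBuckets is true, S3 ignores public grants in the policy.
    """
    unconditional, conditional = public_actions(policy_json)
    if not unconditional and not conditional:
        return "private"
    if not unconditional:
        return "conditional"
    if public_access_block.get("RestrictPublicBuckets"):
        return "blocked"  # policy is public, but the guard rail neutralises it
    if unconditional & WRITE_ACTIONS:
        return "public-write"
    if unconditional & READ_ACTIONS:
        return "public-read"
    return "public-other"


# --- Constructed sample inputs (hypothetical bucket, account and endpoint) ---
_BUCKET = "arn:aws:s3:::example-records-bucket"

# The pattern behind many exposures: anyone may list and fetch objects.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [_BUCKET, _BUCKET + "/*"]}]})

# Same grant, but usable only through one VPC endpoint.
VPC_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": _BUCKET + "/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})

# Access limited to one application role in the owning account.
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
    "Action": "s3:GetObject", "Resource": _BUCKET + "/*"}]})

NO_BLOCK = {"RestrictPublicBuckets": False}
BLOCK = {"RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, policy in (("exposed", EXPOSED_POLICY), ("vpc-only", VPC_ONLY_POLICY),
                         ("private", PRIVATE_POLICY)):
        print(f"{name:9s} {assess_bucket(policy, NO_BLOCK)}")
    print(f"exposed   {assess_bucket(EXPOSED_POLICY, BLOCK)} (with RestrictPublicBuckets)")
```

The policy is only one of the ways a bucket can become public (object ACLs are another), so a real audit would combine this with the bucket ACL and the account-level block settings; the point here is that a single anonymous Allow without a Condition is enough to put records on the open internet, and that the block setting is what makes such a mistake survivable.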
Blackbaud data breach in 2020
In May 2020, a ransomware group stole information from the cloud software provider Blackbaud, affecting 480 of its customers. The stolen data included personal information relating to more than 12.5 million people. Blackbaud paid an undisclosed ransom and later reported that the attackers had confirmed the stolen data was destroyed.
Of the 480 customers impacted by the attack, Comparitech calculated that this included 100 US healthcare organizations and 12,328,221 patient records. 16 universities are also reported to have been affected along with numerous other organizations.
While the start of 2020 may have shown promise when it came to the low number of data breaches, hackers, like everyone, had to adapt to a wildly different year than we’d all anticipated. And the panic, uncertainty, and vast unpreparedness worked to their advantage. They exploited businesses’ vulnerabilities, employees’ lack of cybersecurity awareness, and organizations under pressure to make the second half of 2020 a “successful” year of data breaches.
And, as the pandemic continues in 2021, so too do the data breaches. As of the end of May 2021, Notified had recorded a total of 1,019 data breaches, almost double the figure at the same point in 2020 (528). Perhaps more worrying was the peak of data breaches in healthcare in May 2021, with 139 in total. This is an 81 percent increase on 2020’s highest monthly figure of 77 (in September). Financial services also appear to have taken a hit in 2021, with 133 attacks to date (in 2020 the sector saw 163 for the whole year, only 30 more). This makes financial services the second-most-impacted sector for data breaches in 2021 so far, replacing education, which appears to have seen a decline in data breaches in Q2 of 2021.
So, with more companies and businesses moving online, it’s clear that cybersecurity is more important than ever. Businesses and the government need to prioritize cybersecurity funding to create secure systems, greater cybersecurity knowledge, and quicker adaptability to our ever-changing landscapes. Without this, personal data will remain a profitable business for cybercriminals, whether they can infiltrate systems to sell the data on the dark web or they are able to hold it to ransom.
Researcher: Charlotte Bond
IC3 (PDF): https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
2021 Data Breach Investigations Report (DBIR): https://www.verizon.com/business/resources/reports/dbir/