An Apple-commissioned data breach report found 2.6 billion records were stolen by hackers between 2021 and 2022.
The report by MIT Professor of Information Technology Stuart Madnick, published Thursday, said breaches were up by 20% in the first three quarters of 2023 compared with all of 2022.
Increasingly sophisticated ransomware attacks and attacks on third-party vendors are key factors in the increasing scope of data breaches, according to the report. Cloud security was cited as being increasingly important, as 80% of breaches include data stored in the cloud.
The report compiles statistics and case studies from more than 200 sources to provide an overview of data breaches over the last two years.
Ransomware gangs change tack, expose more data
Ransomware attacks increased by nearly 70% in the first nine months of 2023 compared with the same time period last year, the report noted. Overall, more ransomware attacks were reported from January to September 2023 than in all of 2022.
Increasing organization and shifting strategies of attackers are reported as key contributors to the rising ransomware threat. Ransomware gangs like LockBit, ALPHV/BlackCat and Clop often launch multiple attacks on the same victim using different variants and expand their reach by providing ransomware-as-service (RaaS), Madnick noted.
The amount of personal information and sensitive records exposed on the internet is also amplified by ransomware gang activity as hackers shift strategy from ransoming encrypted records to threatening to leak them if ransom is not paid.
“As organizations have been able to retrieve their customer data through backups and other countermeasures, hackers are becoming more aggressive, often leaking the stolen data on the dark web,” the report stated.
Security failures of third-party vendors widen attack surface
Exploitation of vendors that provide software and services to multiple customers has been seen in some of the most extensive data breaches in 2023. The report highlights how attackers take advantage of the weaker cybersecurity posture of small- or medium-sized companies to get to their larger-sized customers and do the greatest damage in a single attack.
The vast majority — 98% — of organizations have a relationship with a vendor that has been breached within the last two years, according to SecurityScorecard research cited in the report. One major example of a third-party vendor breach is the MOVEit hack of May 2023, in which the ransomware group Clop exploited a vulnerability in the MOVEit file transfer software to access files from more than 2,300 organizations.
The breach has impacted more than 65 million individuals and cost more than $10 billion globally as of October 2023. Millions of sensitive records, including medical records and financial information, have been leaked as a result.
Apple urges greater cloud security, encryption
A “mass migration” of data to cloud environments over the last few years makes cloud misconfiguration a major security concern, Madnick wrote. The report cites IBM’s 2023 “Cost of a Data Breach Report,” highlighting that more than 80% of data breaches involve data stored in the cloud.
In a press release accompanying the publishing of Madnick’s report, Apple stressed the importance of encrypting data stored in the cloud to decrease the amount of readable data available to attackers.
Apple’s Advanced Data Protection for iCloud, launched in December 2022, uses end-to-end encryption to protect 23 data categories — nine more than default iCloud settings.
Madnick’s report cited this feature, along with Google’s February 2023 expansion of client-side encryption, WhatsApp default end-to-end encryption of messages and the “privacy-first” workspace suite Skiff as examples of ways that vendors are securing consumer data against breaches.