Data breaches increased in 2023 and with them, internet security concerns

 Artistic locks on a blue background.

As the world becomes ever more online, companies and individuals are trying to protect themselves from cyber criminals and bad actors who try to access their personal information. Despite this, evidence shows that the fight against data breaches is not getting better. In fact, it appears to be getting significantly worse.

Most reports indicate that 2023 was the worst year yet for data breaches, both in the United States and around the world. A report from the Identity Theft Resource Center (ITRC) released in January concluded that there was a 78% increase in data compromises year-to-year, from 1,801 in 2022 to 3,205 in 2023. Even as the global community is working to fight against hackers, criminals are "constantly finding new ways to access and exploit readable personal data, in particular when stored in the cloud," according to a data breach study from MIT Professor of Information Technology Stuart Madnick.

This has led to devastating consequences for personal finance security and problems for web safety, and marks a step back in the fight against identity theft. What made 2023 such a bad year for data breaches?

What were the figures on data breaches in 2023?

The numbers are staggering: The 3,205 compromising incidents in 2023 include 3,122 breaches of data, 25 data exposures, two data leaks and 56 compromises of an unknown nature, according to the ITRC's report. This translates to more than 353 million total victims, which "represents an all-time high for data compromises reported in the United States," the ITRC said.

Many of the data breaches in 2023 came in the form of ransomware, a type of malware that locks victims out of their files and holds their data hostage until a ransom is paid. The number of ransomware attacks "increased by almost 70%" compared to the prior year, Madnick said. While all data breaches are problematic, ransomware has become one of the most common culprits. Ransomware scams had "more than twice the number of victims in 2023 compared to 2022," said cybersecurity outlet SecurityWeek. And based on current trends, the threat of ransomware "will continue to increase and evolve in 2024," SecurityWeek said. The spike in ransomware can be measured "by an increase in the number of victims who have paid the ransom — up from 68% to 76% (and remember that is 76% of a higher number of victims)," the outlet said.

While the vast majority of these breaches were performed online, not all of them were; according to the ITRC, there were at least 729 breaches caused by human or system errors, 242 supply chain attacks, and 53 breaches caused by physical attacks on hardware. The healthcare industry was the most compromised, the ITRC said, leading the way with 809 incidents. Similar breaches were also seen in professional services, financial services, education and manufacturing.

What made 2023 so bad for breaches?

There are "three primary reasons behind this increased theft of personal data: cloud misconfiguration, new types of ransomware attacks and increased exploitation of vendor systems," Madnick said in the Harvard Business Review. First, cloud-based storage is often cheaper for companies on a wide scale, and so it is "estimated that more than 60% of the world's corporate data is stored in the cloud." This "makes the cloud a very attractive target for hackers," and more than 80% of breaches in 2023 involved cloud-based software.

Second, the spread of ransomware attacks is also a contributing factor to these spikes, Madnick said. Third, many large companies use third-party vendors to help with everything from "air conditioning maintenance to providing software." To do these things, vendors "need easy access to your company's systems," Madnick said, which can create a feeding frenzy for hackers, given that the vendors are "frequently small companies with limited cybersecurity resources."

Also concerning is that "the number of data breach notices without specific information such as what happened, what the company has done to correct it, or what steps have been taken to make sure the breach doesn't happen again has nearly doubled year over year," the ITRC's James E. Lee said to USA Today. This lack of information "creates risk for other businesses who could be attacked in a similar fashion and consumers who need to know how to protect themselves."