By Roy Urrico
Last month, the Identity Theft Resource Center (ITRC) reported the number of publicly reported data breaches for 2022 at 1,802 incidents. Additional analysis of the ITRC data by Sontiq, a TransUnion company, revealed the number of entities compromised by those 2022 breaches reached 3,495 — almost half of which were third-party incidents.
Jim Van Dyke, senior vice president of innovation at Nottingham, Md.-based identity security company Sontiq, explained to Finopotamus that Sontiq’s breakdown is based on how BreachIQ, the company’s proprietary artificial intelligence (AI) algorithm, accounts for breaches.
Van Dyke said the company runs the reported breach data, which it obtains from a partnership with ITRC, through Sontiq’s AI algorithm. “We love our partnership. We report on (the data) in slightly different ways.” One difference is that the ITRC’s figure is based on the number of initially breached organizations, while Sontiq includes all entities whose data was exposed by each breach. Both are considered valid breach counts by the industry.
“One of the big issues going on right now is all these third party breaches, or what they call supply chain breaches. It is a massively growing trend,” said Van Dyke. Sontiq’s analysis shows 1,745 2022 incidents originated from a third-party data breach. This is a nearly 45% increase over the 2,417 compromised entities Sontiq analyzed in 2021 and a year-over-year increase in third-party breaches of more than 220%.
Third-Party Breaches Bring Higher Return
Van Dyke noted that cybercriminals are pursuing supply chain attacks for a higher return on effort. Often organizations deal with third parties that utilize records from customers, patients, students, employees or accountholders. By focusing attacks on the accounting, payroll or administrative firms that serve multiple clients, a single breach can give an attacker access to the data of multiple organizations at once, he added.
“The hackers have figured out if they just breach one of these organizations, they get the keys to the proverbial kingdom and they might get 50, a hundred, even a thousand organizations’ records at once,” said Van Dyke.
Van Dyke also noted that the severity of third-party data breaches, as measured by Sontiq’s BreachIQ, is also trending higher. BreachIQ analyzes more than 1,300 factors to curate a breach score based on the severity and risks of a publicly reported data breach. Sontiq assigns a unique Breach Risk Score on a scale of 1 to 10 for each incident. The algorithm also identifies the primary risks associated with a breach as well as recommended protective action steps specific to that breach.
In examining the average Breach Risk Score year-over-year, the severity of third-party breaches increased 10% in 2022. Meanwhile, the severity of primary breaches increased only 2%. According to Van Dyke, individual data breaches that score higher than 4 warrant stronger action from those affected due to the potential risks.
“When a data breach reaches a score greater than 4, typically several pieces of sensitive personal information have been compromised,” said Van Dyke. “This greatly increases the odds of serious identity theft and fraud scams, which give criminals direct access to a victim’s workplace or personal financial, medical and social accounts.”
That said, Van Dyke added that even low-scoring breaches can be dangerous because cyberthieves are willing to work harder to access a victim’s financial accounts. When criminals obtain less-sensitive information in a data breach, they often use social engineering techniques to extract more personal information to gain direct account access or commit payments card and peer-to-peer (P2P) payment fraud.
Hackers Circumventing CU Protection
“It’s a real startling trend,” Van Dyke conveyed. “The criminals generally are not successful in trying to hack a credit union or bank (directly). They try; no one gets more hacking attempts than credit unions or banks, because that is where the money is. That is where hackers could save themselves a lot of trouble if they could just hack the credit union and then use the data to go right back at the credit union.”
Instead, cybercriminals must circumvent the better fortified financial institutions. “What the cybercriminals generally do is go to some other easier target, which is often a healthcare institution — everything from a local doctor's office to a big hospital or patient medical record processing group. They hack the data successfully there. And then crime number two of this two-crime crime is they go back to the credit union.” The hacker is then able to answer some commonly asked authentication or challenge questions — such as the Social Security number (SSN) and mother's maiden name — with information obtained from a third party.
Van Dyke cautioned, “The problem is the credit unions cannot stop the breaches from happening somewhere else.” And increasingly, the somewhere else is a third-party services provider that the healthcare institution, number one, or educational institution, number two, is paying to manage records. “I hope we see increased focus on these third parties because they're, bleeding data left and right.”
Van Dyke acknowledges that, the financial services industry, and the general public, usually seem unaware of the third-party threat. “I don't think awareness has yet caught up to the reality that (almost) half of all entities breached, are coming from third parties.” He noted. In addition to people not understanding the severity of the breach, there is sometimes a lack of information forthcoming from the breached entities. “They may not divulge critical information like quantity of patients.
Knowledge is power, Van Dyke said. At the very least, faced with possible breach aftershocks, the affected consumer or credit union should know to look for things like identity fraud used to originate new credit accounts or within existing banking or payment accounts, he explained.
Sontiq, through its BreachIQ, wants credit unions and members to know specifics about the stolen data. “When we get that information, our algorithms are able to instantaneously tell the credit union and the credit union's member, ‘Hey, here's how severe that breach was,’ just like an earthquake or hurricane. Was it a one? Was it a five? Was it a seven?” explained Van Dyke.
Van Dyke conceded, “When these third parties do not divulge what credentials were exposed, all people can do is just get mad and then do nothing. They do not have any specific information to take actions. If the credit union had deployed our product (BreachIQ) to their members as a part of digital banking, the member could find out about all the breaches, their risks and actions to take to protect themselves.”
A free online tool is available from Sontiq for any executive who wants a risk score and recommended actions for a particular data breach.