Near-Record Number of Compromises

Near-Record Number of Compromises, Reports ITRC: Cybersecurity Trends

The ITRC has released its 2024 Annual Data Breach Report, which shows a near-record number of compromises, only 44 short of the record!

According to the 2024 Annual Data Breach Report from the Identity Theft Resource Center (ITRC) (available for download here), the number of data compromises in 2024 (3,158) decreased one (1) percent compared to 2023 (3,202), 44 events away from tying a record for the number of compromises tracked in a year.

Here’s the bad news. The number of data breach notices issued in the past year (1,728,519,397) increased 312 percent from 2023 (419,337,446). The increase was primarily due to six “mega-breaches” that resulted in at least 100 million breach notices being issued in each event. Mega-breach victim notices totaled more than 1.4 billion of the more than 1.7 billion victim notices issued in 2024. If the six mega-breaches are excluded, the ~266 million other victim notices issued in 2024 decreased by 36 percent compared to 2023.

Or is it bad news? These numbers could reflect the rise in the importance of incident response eDiscovery workflows, which would mean that organizations are getting better at notifying individuals affected by a breach. One can hope!

Regardless, according to the 2024 Annual Data Breach Report, approximately 70 percent of cyberattack-related breach notices did not include attack information, compared to 58 percent in 2023. In 2019 and previous years, ~100 percent of breach notices included attack vector information. Sigh.

Other findings in the 2024 Annual Data Breach Report include:

  • Better cyber practices and requirements could have prevented at least 196 compromises and more than 1.2 billion victim notices. Attacks using stolen credentials against Ticketmaster, Advanced Auto Parts, AT&T, Change Healthcare and other organizations could have been blocked with the addition of multi-factor authentication (MFA) or passkeys.
  • There were fewer Zero Day and Supply Chain attacks. However, they had more significant impacts. Supply Chain attacks directly impacted 134 organizations and indirectly impacted 657 entities, resulting in 203 million victim notices. At least 190 million notices were related to the Change Healthcare breach.
  • Publicly traded companies represented only seven (7) percent (221 companies) of all compromised organizations. However, they issued 76 percent of victim notices in 2024.
  • Of the 133 cyberattacks against publicly traded companies resulting in a data breach notice, a stolen credential was the leading attack vector. Seventy-four (74) percent of the breach organizations did not list an attack vector in a breach notice.

The 40-page PDF 2024 Annual Data Breach Report is chock-full of graphics, statistics, term definitions and more which makes it a very easy read. Check it out here!

So, what do you think? Are you surprised that ITRC is reporting a near-record number of compromises, as in not a record? 😉 Please share any comments you might have or if you’d like to know more about a particular topic.

Image created using GPT-4’s Image Creator Powered by DALL-E, using the term “robots finding out their data has been breached”.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

