Overview of Data Breaches in 1H 2024

The first half of 2024 saw a significant increase in the number and scale of data breaches, reflecting the growing sophistication and determination of cybercriminals worldwide. According to data from the Identity Theft Resource Center (ITRC),¹ the top 10 data breaches during this period compromised over a billion records across various sectors, including telecommunications, healthcare, finance, technology, and government agencies. These incidents range from ransomware attacks and supply chain vulnerabilities to accidental data leaks, highlighting the diverse tactics employed by cybercriminals and the widespread vulnerabilities across different industries. ITRC’s top 10 failed to include the National Public Data breach, which exposed as many as 2.9 billion data records associated with 1.3 million people. Thus, we added National Public Data to our report.

Findings in Kiteworks 2024 Sensitive Content Communications Privacy and Compliance Report further emphasize the critical nature of managing sensitive data across all sectors.² The report underscores the challenges organizations face in protecting sensitive content as they increasingly rely on multiple communication tools and third-party interactions, which can create numerous vulnerabilities. For example, the report found that those with 10 or more communication tools experienced 3.55x more data breaches than the average number reported by the entire respondent cohort.

Key Trends in Data Breaches

When one looks underneath the hood of the Top 11 Data Breaches in 1H 2024, several different takeaways emerge:

1. Ransomware Attacks: Ransomware continues to be a prevalent method of attack, targeting organizations across various sectors. High-profile breaches such as those involving Change Healthcare and MediSecure show the devastating impact ransomware can have, not only by disrupting operations but also by compromising sensitive data. These attacks have resulted in significant financial losses and operational disruptions, emphasizing the need for robust ransomware defense strategies.
2. Massive Scale of Data Exposure: The volume of data exposed in breaches has escalated, with incidents involving millions of records becoming more common. For instance, AT&T suffered two major breaches that together compromised over 180 million customer records, including personal information and call logs. Similarly, the breach at Snowflake affected multiple companies and exposed hundreds of millions of records, illustrating the far-reaching threat of supply chain attacks in today’s interconnected digital landscape (corroborated by the findings in Verizon’s 2024 Data Breach Investigations Report where 15% of all attacks in the past year were connected to the supply chain).³
3. Vulnerabilities Across Multiple Sectors: Data breaches are not confined to any one sector; instead, they impact a wide range of industries, each facing unique vulnerabilities. Sectors such as healthcare, finance, and technology are particularly at risk due to the sensitive nature of the data they handle and well represented in the top 10 data breaches in ITRC’s 1H 2024 report. The lack of governance tracking and controls as well as advanced security capabilities are key reasons. For example, the Kiteworks report highlights that 57% of organizations cannot track, control, and report on external content sends and shares.
4. Emerging Threats From Third-party Risks and Internal Errors: Beyond external attacks, third-party risks and internal errors have also emerged as significant threats. The breaches at Kaiser and USPS, where sensitive information was inadvertently shared with advertisers, highlight the growing concern over internal data governance and the risks associated with third-party interactions. Tracking and controlling the flow to and from all the third parties with which organizations exchange data is difficult, with two-thirds of organizations reporting they exchange sensitive content with over 1,000 third parties.⁴

Risk Factors Involved in Data Breaches

Volume and Type of Data Exposed

The risk factors associated with data breaches are significantly influenced by the volume and type of data exposed. In the first half of 2024, breaches varied widely in terms of the types of records compromised. Personal data is certainly a major target, with Verizon reporting that nearly 60% of data breaches involved personally identifiable information (PII), including names, addresses, social security numbers, and financial information such as credit card details.7 Health records, including sensitive patient information, were also highly targeted, particularly in breaches affecting healthcare organizations where the exposure of protected health information (PHI) added another layer of risk due to regulatory requirements like HIPAA.

Number of Victims

The scope of impact of a data breach is often determined by the number of affected individuals and entities. In the first half of 2024, several breaches affected millions of individuals across various sectors. For instance, breaches in the telecommunications and healthcare sectors had widespread effects, impacting tens of millions of customers and patients.

Sensitivity of Exposed Data

The sensitivity level of the data exposed is a critical factor in determining the severity and impact of a data breach. High-sensitivity data, such as social security numbers, health records, and financial information, poses a greater risk than low-sensitivity data like email addresses or general business information. Breaches involving high-sensitivity data are more likely to result in severe consequences, such as identity theft, financial fraud, and other malicious activities. In instances where sensitive financial information or health records are involved, resulting regulatory action and higher remediation costs due to the stringent requirements around data protection for these types of data is much greater.

Methods of Breach

Methods used in data breaches have evolved, reflecting the increasing sophistication of cybercriminal tactics. Common methods include ransomware attacks, phishing campaigns, insider threats, and exploiting vulnerabilities in third-party services or software. Ransomware remains a prevalent attack vector, where attackers encrypt data and demand a ransom for its release, often causing significant operational disruptions and financial losses.

Phishing attacks also continue to be a leading cause of breaches, leveraging social engineering techniques to deceive employees into disclosing sensitive information or granting unauthorized access. Exploiting vulnerabilities in third-party services or supply chain attacks is a growing trend. Specifically, breaches originating from third-party vulnerabilities can have extensive impacts, as they often involve multiple organizations and affect entire networks of business partners and customers. This trend underscores the need for robust third-party risk management practices and regular vulnerability assessments.

Development of the Risk Exposure Index

Introducing the Risk Exposure Index

The Risk Exposure Index is a strategic tool developed to evaluate and prioritize data breaches based on their severity and potential impact. In an era where data breaches are becoming increasingly frequent and complex, organizations face significant challenges in assessing the risk each breach poses to their operations, reputation, and regulatory compliance. The Risk Exposure Index aims to provide a standardized framework for quantifying and comparing the risks associated with different data breaches. By utilizing this index, organizations can prioritize their cybersecurity measures, allocate resources more effectively, and enhance their overall security posture by focusing on the most critical threats.

How the Risk Exposure Index Works

The Risk Exposure Index goes beyond traditional metrics such as the number of records exposed, or the financial cost incurred. Instead, it incorporates a range of factors to provide a more nuanced understanding of breach severity. These factors may include the type of data compromised, the extent of exposure, the potential for regulatory penalties, and the long-term impact on brand reputation. By aggregating these elements into a single, comprehensive score, the index allows organizations to objectively assess the severity of each breach and make informed decisions on where to focus their mitigation efforts.

Methodology for the Risk Exposure Index

The methodology for calculating the Risk Exposure Index involves several criteria, each contributing to the overall risk score of a breach. These criteria are carefully selected to provide a holistic view of the risks associated with a breach and include the following:

1. Number of Records Exposed: This criterion assesses the volume of data compromised during a breach. The greater the number of records exposed, the higher the risk score, as larger breaches typically have more severe consequences, including increased potential for identity theft, fraud, and reputational damage.
2. Estimated Financial Impact: This criterion evaluates the potential financial losses resulting from a breach, including direct costs such as fines, legal fees, and remediation expenses, as well as indirect costs like loss of business and reputational harm. Breaches with a higher estimated financial impact receive a higher score, reflecting the significant economic burden they impose on organizations.
3. Ransomware Involvement: Given the rising threat of ransomware attacks, this criterion specifically accounts for breaches involving ransomware. Ransomware attacks are particularly disruptive, often causing significant operational downtime and requiring substantial recovery efforts. Breaches involving ransomware receive a higher score due to the complexity and severity of the response required.
4. Data Sensitivity: The sensitivity of the data exposed during a breach is a critical factor in determining its risk level. Breaches involving highly sensitive data, such as protected health information (PHI) or financial records, are assigned higher scores. This reflects the increased risk of regulatory penalties, legal actions, and the need for comprehensive remediation efforts to protect affected individuals.
5. Severity of the Breach: This criterion considers the overall impact of the breach on the affected organization, including operational disruption, customer trust, and long-term reputational damage. The severity is assessed based on the extent of the breach, the data involved, and the effectiveness of the organization’s response. More severe breaches are assigned higher scores to reflect their broader implications.
6. Number of Regulations Impacted: This criterion evaluates the regulatory landscape affected by the breach. Breaches that violate multiple regulations, such as GDPR, HIPAA, or CCPA, receive higher scores. This reflects the complexity of managing compliance across different jurisdictions and the potential for multiple fines and legal actions.

Normalization Process and Score Adjustment

To ensure that the Risk Exposure Index provides a fair and consistent measure of breach severity, a normalization process is applied to adjust scores to a standardized 1-10 scale. This process involves several steps:

1. Data Collection and Initial Scoring: Each breach is assessed against the six criteria outlined above, and an initial score is assigned for each criterion based on predefined ranges. For example, breaches exposing more than 10 million records may receive a maximum score for the “Number of Records Exposed” criterion.
2. Weight Assignment: Each criterion is assigned a weight based on its relative importance in determining the overall risk level. For instance, “Data Sensitivity” and “Estimated Financial Impact” may be weighted more heavily than “Number of Records Exposed” to reflect their critical impact on the organization’s security posture and compliance requirements.
3. Score Aggregation: The weighted scores for each criterion are aggregated to calculate a total risk score for each breach. This total score represents the overall severity of the breach based on the combination of all risk factors.
4. Normalization: The total scores are then normalized to fit within a standardized 1-10 scale. This is achieved by applying a mathematical formula that adjusts the scores based on the maximum and minimum scores observed across all breaches. The normalization process ensures that the index provides a consistent and comparable measure of breach severity, regardless of the underlying data.
5. Final Score Assignment: The normalized scores are reviewed and validated to ensure accuracy and consistency. Each breach is then assigned a final Risk Exposure Index on the 1-10 scale, with higher scores indicating more severe breaches that require immediate attention and action.

By employing this rigorous methodology, the Risk Exposure Index offers a reliable and actionable framework for assessing and managing data breach risks, enabling organizations to enhance their cybersecurity strategies and better protect their sensitive data from evolving threats.

Analysis of the Top 11 Data Breaches Based on the Risk Exposure Index

Following is the corrected ranking of the top 10 data breaches in the first half of 2024, based on their Risk Exposure Index

Using the Risk Exposure Index

Our Risk Exposure Index takes into account more than just the number of records exposed or the number of victims impacted. This comprehensive approach provides a clearer understanding of the true severity and potential impact of each breach. While a larger number of exposed records can indicate a significant breach, it does not necessarily mean that the risk exposure is higher. Several factors contribute to a breach’s risk score, which can sometimes result in a breach with fewer records having a higher risk score than one with more records.

1. Nature and Sensitivity of the Data Involved

The type of data compromised is a critical factor influencing the Risk Exposure Index. For example, the breach at Change Healthcare, which involved 100 million records, primarily affected personal, medical, and billing information. This type of data is highly sensitive, leading to severe implications, such as the irreversible loss of health data, which elevates the risk exposure despite a smaller number of records compared to other breaches. Similarly, the Cencora breach, with only 1 million records exposed, also scored high on the risk scale due to the sensitivity of the health data involved, demonstrating that the nature of the data is often more crucial than the volume of data.

2. Regulatory and Compliance Implications

Regulatory implications can significantly impact the overall risk exposure of a breach. For instance, the AT&T breach, which involved 110 million records, had a substantial risk exposure not only because of the number of records but also due to the potential violations of multiple regulations, including the FCC Regulations, FTC Act, and CCPA. These regulatory violations can lead to significant fines and penalties, increasing the breach’s overall risk score. In contrast, a breach involving a larger number of records, such as Ticketmaster with 560 million records, might have a lower risk exposure if the compromised data does not invoke as severe regulatory consequences.

3. Potential Impact Beyond Immediate Losses

The long-term consequences of a data breach, such as identity theft, financial fraud, or reputational damage, are also considered in the Risk Exposure Index. The Synnovis breach, which involved 300 million records of patient interaction data, is an example where the long-lasting impact on patient services and trust resulted in a high risk score. Even though the number of records was lower than the Ticketmaster breach, the potential for sustained harm to patients and healthcare services significantly heightened the risk exposure. This example shows that the index accounts for the broader implications of a breach beyond the immediate loss of data.

4. Ransomware and Extortion Factors

The presence of ransomware demands can also elevate a breach’s risk score, regardless of the number of records exposed. The Synnovis breach, for example, faced a $50 million ransomware demand, which contributed to its high risk score. Even with fewer records involved than the Ticketmaster breach, the additional costs and risks associated with ransom demands, including potential double extortion and recovery expenses, increase the breach’s overall risk exposure.

5. The Impact of Data Sensitivity and Potential for Identity Theft

The impact of data sensitivity is evident in breaches such as those experienced by companies like Change Healthcare and Synnovis, where data types involved included highly sensitive medical and personal information. The potential for misuse, such as identity theft and financial fraud, significantly contributes to the higher risk exposure of these breaches, even when compared to breaches involving a greater volume of less sensitive data, such as the one experienced by Ticketmaster.

Concluding Thoughts

Our analysis of the top 11 data breaches in the first half of 2024 reveals several critical insights into the evolving landscape of cybersecurity threats:

1. Diverse Attack Vectors and Rising Sophistication: Cybercriminals continue to employ a variety of attack methods, from ransomware and unauthorized access to inadvertent data sharing, each with unique implications for security strategies. This diversity in attack vectors underscores the importance for organizations to adopt a multi-layered security approach that addresses a wide range of potential threats.
2. Significant Impact of Ransomware: Ransomware attacks, particularly those targeting high-value sectors like healthcare and finance, have proven to be both disruptive and costly. Breaches such as those involving Change Healthcare and Synnovis have demonstrated the severe operational, financial, and reputational damages that can result. Organizations must prioritize robust ransomware defenses, including advanced threat detection, rapid response capabilities, and comprehensive data backup strategies.
3. High Sensitivity and Volume of Exposed Data: Data breaches involving large volumes of sensitive information, especially personal and financial data, have consistently resulted in higher risk scores due to their potential for identity theft, financial fraud, and regulatory penalties. This highlights the need for enhanced data protection measures, particularly for organizations, such as National Public Data, that handle sensitive data across multiple communication tools and platforms.
4. Third-party and Supply Chain Vulnerabilities: Several breaches, such as those affecting AT&T and Ticketmaster, have highlighted the vulnerabilities associated with third-party vendors and supply chain partners. This emphasizes the critical need for continuous monitoring and robust management of third-party relationships to mitigate risks associated with extended networks.
5. Regulatory Compliance and Legal Repercussions: The analysis shows that data breaches often result in violations of multiple regulations, leading to substantial fines and legal consequences. Organizations must strengthen their compliance frameworks and data governance practices to avoid regulatory infractions and associated financial penalties.
6. Holistic Risk Assessment: The report findings underscore the importance of considering multiple factors when assessing the risk exposure of a data breach. It is not solely about the number of records breached or the immediate financial cost; the true risk is often shaped by a combination of elements, including the sensitivity of the compromised data, the potential for regulatory violations, and the broader implications for long-term reputational damage.
7. Contextual Impact of Breach Type and Data Sensitivity: Findings highlight that the type of breach and the sensitivity of the data involved are critical factors influencing the overall risk exposure. For instance, a breach involving a small number of highly sensitive records, such as social security numbers or medical records, can have more severe consequences than a breach involving a large volume of less sensitive data. This demonstrates that organizations must assess the context and content of the data breached, not just the quantity, to understand the potential impacts fully.