US Breach Volumes Fell 19% in 2020 as Ransomware Surges

The number of publicly reported US data breaches and leaks last year dropped 19% as attackers continued to move away from mass theft of customer data to more lucrative tactics like ransomware, according to a leading non-profit.



The Identity Theft Resource Center (ITRC) compiled its annual report from company announcements, mainstream news reports, government agencies, recognized security firms and researchers, and other non-profits.



In total, it recorded 1108 incidents, down by nearly a fifth on 2019’s figures, while nearly 301 million individuals were affected, a drop of 66% on the previous year.



Breaking it down further, there were 1001 actual breaches and 107 data exposures, which often result from misconfiguration of cloud servers. More people were affected by the latter (156 million) than the former (145 million).



The ITRC claimed the stats show that cyber-criminals are gravitating to ransomware and targeted email compromises, using previously stolen log-ins and phishing tactics, and away from bulk theft of personal data.



“Ransomware and phishing require less effort, are largely automated, and generate pay-outs that are much higher than taking over the accounts of individuals,” it continued. “One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years.”



In fact, the average ransomware payment was $233,000 in Q4 2020, up from just $10,000 in Q3 2018, according to Coveware.



Phishing can also help attackers reap massive Business Email Compromise (BEC) profits. Total losses for BEC in 2019 reached $1.8bn, or half of all cybercrime losses reported to the FBI.



In terms of actual compromises, breach volumes ransomware surges