The era of the mega-breach may be coming to an end as cyber-criminals eschew consumers’ personal data and focus on phishing and ransomware, according to the Identity Theft Resource Center (ITRC).
The US-based non-profit, which provides support to breach victims and regular updates on the scale of the challenge for businesses, made the remarks in its predictions for 2021.
It argued that cyber-criminals are relying less on stolen personal information and more on “poor consumer behaviors” such as password reuse to monetize attacks.
“Cyber-criminals are focusing on cyber-attacks that require logins and passwords to get access to corporate networks for ransomware or Business Email Compromise (BEC) scams. These attacks require less effort, are largely automated, the risk of getting caught is less, and the payouts are much higher than taking over an individual’s account,” it said.
“The average ransomware pay-outs for all businesses have grown from less than $10,000 in Q3 2018 to more than $178,000 per event by the end of Q2 2020. Large enterprises are making average ransomware payments of over $1m. BEC scams cost businesses more than $1.8bn in 2019.”
The ITRC is already seeing a drop-off in data breach activity as a result. In October it claimed that the number of reported breaches up to Q3 was 30% lower than the same period in 2019, with 60% fewer individual victims.
It claimed that 2020 is on track to record the lowest number of breaches in the US in five years.
However, that doesn’t mean consumers are off the hook. Apart from individual phishing attacks, the ITRC warned that pandemic-related identity crimes will continue well into 2021, as stolen identities are used to fraudulently claim unemployment benefit.
“The ITRC’s Aftermath survey data shows an increase in identity crime re-victimization (28% in 2019 versus 21% in 2018) occurring before the massive increase in fraud/scams and identity crimes in 2020,” it continued. “The post-pandemic analysis should show an even greater rise.”