Data breaches on track for record this year as Ohio bill hopes to create ‘data rights’

Identity Theft Resource Center data shows data compromises are on the rise

Credit: DaytonDailyNews

A new proposal from state lawmakers and Lt. Gov. Jon Husted on Tuesday would create “data rights” for Ohioans, a hot issue as data breaches are on track to break a previous record set in 2017.

On Tuesday, Husted joined two Republican state legislators in announcing the data privacy legislation.

Known as the Ohio Personal Privacy Act, it would establish data rights for Ohioans, including the ability to have personal data deleted and request that it not be sold, according to a news release from Husted’s office.

It would require businesses to “adhere to specified data standards” and give the Ohio Attorney General exclusive authority to enforce it. No “private right of action would exist” under the law, the news release said.

“More and more online purchasers of goods and services are concerned about the security of the personal information they provide and how that information may be shared. This bill gives consumers nationwide the confidence that when they do business in Ohio, their personal data is better protected than in states we compete with for customers and commerce,” said J.P. Nauseef, JobsOhio president and CEO, in a statement.

Data breaches, exposures and leaks in the U.S. are increasing, according to new data released by the Identity Theft Resource Center. Cybercriminals are accelerating their attacks, said James E. Lee, chief operating officer for the nonprofit that collects information on publicly reported data breaches.

“Consumers are caught in the cross-fire between the identity thieves and businesses and government agencies trying to fight off these increasingly sophisticated, frequent assaults,” Lee said.

Paul Hansford, associate professor of Computer Science and Information Technology, teaches at Sinclair Community College. The college's programs include training in cybersecurity.

Credit: Contributed


In the past three years, breaches and exposures declined from the record 1,632 data compromises in 2017. But cybercriminals came back with a vengeance in 2021, notably using ransomware attacks and hitting third-party vendors supplying services to hundreds or thousands of companies, organizations and government offices.


“We’ve always known that the downward trend in data compromises we’d seen for the past few years would stop,” Lee said. “What we didn’t really expect to see was such a dramatic reversal that will take us from a five-year low to what looks to be an all-time high by the end of the year in just a matter of months.”

James E. Lee, chief operating officer at the Identity Theft Resource Center

Credit: Contributed


In the first half of this year, 846 data breaches were publicly reported in the U.S., affecting nearly 119 million individuals, according to the report. Second-quarter breaches increased by 38 percent compared to the first quarter, and if they continue at that rate they will exceed the 2017 total.

The numbers do not include data leak incidents involving Facebook and LinkedIn, which together exposed more than 1 billion individuals’ information this year.

Facebook said in an April blog that the data posted online was scraped from profiles in 2019 using a now-defunct Facebook feature. LinkedIn said information posted for sale online was not a breach of “private” data but was “scraped from LinkedIn and other various websites,” according to a June 29 news release from the company.

A Dayton Daily News investigation in June found that inadequate cybersecurity measures are common and experts say that the lack of mandatory reporting of cyber-intrusions hinders the ability to fight them. The investigation also found that new hacking opportunities opened during the COVID-19 pandemic as many employees worked from home, sometimes on computers that were not secure, and those workers were particularly vulnerable to hacks via email attacks known as phishing.

“More than a few people’s home machines aren’t quite up to snuff, as you may imagine,” said David Salisbury, director of the University of Dayton Center for Cybersecurity and Data Intelligence. “The threat surface just keeps growing. All the devices that attach to the internet, they create new threat surfaces.”


A July 2 supply chain ransomware attack on Ireland-based security software provider Kaseya followed multimillion-dollar ransomware attacks on meatpacking company JBS and Colonial Pipeline Co. All are believed to have been launched by criminals based in or near Russia. Last year, a supply chain attack on SolarWinds, a Texas technology firm, led to breached data at multiple companies and government offices but no ransom demands, and is believed to be the work of Russian spies.


“We are seeing a shift with the increase in data breaches in 2021 compared to 2020, primarily because of the growing number of phishing attacks, ransomware attacks and supply chain attacks,” said Eva Velasquez, president and CEO of the resource center.

Compromised data - 2021  
Publicly reported data breaches, exposures and leaks are on the rise in the U.S.  

| Month | Data compromise incidents | Individuals impacted |
|---|---|---|
| January | 100 | 7,214,985 |
| February | 111 | 35,313,405 |
| March | 144 | 23,309,513 |
| April | 151 | 25,443,298 |
| May | 137 | 20,657,152 |
| June | 203 | 6,750,974 |
| Total | 846 | 118,689,327 |

Note: Does not include Facebook and LinkedIn incidents involving "scraped" data posted online that impacted more than 1 billion individuals.  
Source: Identity Theft Resource Center 

Data compromises in the professional services and the manufacturing and utilities sectors increased significantly this year while health care and retail data compromises declined, the report said.

“This dynamic reflects the broader trend of cybercriminals shifting their attacks to critical infrastructure entities that are too important to remain idle, and targets with less robust cybersecurity protections in hopes of securing larger ransomware payments,” according to the resource center news release.

Eva Velasquez, president & CEO of the Identity Theft Resource Center

Credit: RENEE MILLS


Velasquez said there continues to be a decline in the number of individuals impacted. With so much individual data already compromised over the years, there is a shift away from mass intrusions seeking consumer information and toward attacks targeting businesses using individuals’ stolen logins and passwords.


More than 15 billion credentials are available for sale in underground markets, according to the center’s 2020 Data Breach Report.

“While it is discouraging to see the number of compromises up, it is encouraging that we could see the fewest number of people impacted in seven years,” Velasquez said. “Criminals continue to exploit organizations of all sizes through single points-of-attack, making good cyber-hygiene practices more important than ever.”

Cybersecurity best practices
Employee cybersecurity awareness training
Install firewall and anti-virus software
Replace equipment and software that is out-of-date
Install security patches and updates immediately
Do frequent and duplicative backups
Have a written cyberattack response plan
Install virtual private network
Scan emails before they go to employees
Change passwords frequently
Use multi-factor authentication

Follow @LynnHulseyDDN on Facebook and Twitter
