Breaches stemming from supply-chain and third-party supplier compromises jumped an unprecedented 297%, accounting for roughly a quarter of all security breaches in the US in 2021, according to a study by digital identity and access management vendor ForgeRock.
The 2022 Consumer Identity and Breach Report found unauthorized access to be the leading attack vector, accounting for 50% of all records compromised in 2021.
The average cost of a breach in the US, according to the report, was $9.5 million, which is the highest in the world and up 16% from $8.2 million in 2020.
For the study, ForgeRock gathered data from several sources including the Identity Theft Resource Centre, Forrester Research, and the Ponemon Institute, between January 1, 2021 and December 1, 2021.
Unauthorized access, supply chain attacks led the offensive
The report underlined that unauthorized access remained the greatest concern, as it continued to account for the bulk of breaches. In 2021 this vector accounted for 50% of all attacks, up from 45% the previous year.
Unauthorized access includes access to data, networks, applications, or devices due to weak passwords, shared credentials, or compromised accounts.
The report recommends incorporating AI and machine learning techniques into identity and access management (IAM) to quickly identify and contain unauthorized access and prevent data exfiltration. It further recommends layering multi-factor authentication (MFA) with passwordless authentication, machine learning, and advanced pattern recognition to protect against "MFA prompt bombing," in which an attacker who already holds a valid password repeatedly triggers push notifications, exploiting the consumer's MFA fatigue until one prompt is approved.
“Unauthorized access will always be a vector for infection, and using machine learning to augment defending that avenue of attack should be a benefit,” said Chris Steffen, research director at consulting firm Enterprise Management Associates. “The gold standard for authentication continues to be some kind of multi-factor authentication, and adding heuristics to determine authenticity and integrity will be of interest to many security professionals.”
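The pattern recognition the report and Steffen describe can be made concrete with a small detector over MFA push logs. The following is an added example, not code from ForgeRock's report or its platform: it parses constructed sample records (assumed format `user,timestamp,result`, with results `DENIED`/`APPROVED`) and flags two MFA-fatigue signatures, a flood of prompts for one user inside a short window, and an approval that arrives after several denials in that window. The thresholds and field layout are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one MFA push outcome per line.
# "bob" is the prompt-bombing victim: four denials in three minutes, then an approval.
SAMPLE_LOG = """\
alice,2021-06-01T08:00:05Z,APPROVED
bob,2021-06-01T22:10:00Z,DENIED
bob,2021-06-01T22:10:40Z,DENIED
bob,2021-06-01T22:11:15Z,DENIED
bob,2021-06-01T22:12:02Z,DENIED
bob,2021-06-01T22:13:30Z,APPROVED
carol,2021-06-01T09:00:00Z,DENIED
carol,2021-06-01T14:00:00Z,APPROVED
"""

# Assumed tuning values; a real deployment would derive these from its own baseline.
WINDOW = timedelta(minutes=10)
PROMPT_THRESHOLD = 5   # this many prompts in WINDOW -> "push_flood"
DENIAL_THRESHOLD = 3   # an approval after this many denials in WINDOW -> "fatigue_approval"


def parse_log(text):
    """Parse 'user,ISO8601 timestamp,result' lines into (user, datetime, result), time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, result = line.split(",")
        events.append((user, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result))
    events.sort(key=lambda e: e[1])
    return events


def detect_prompt_bombing(events, window=WINDOW,
                          prompt_threshold=PROMPT_THRESHOLD,
                          denial_threshold=DENIAL_THRESHOLD):
    """Return [(user, finding, timestamp)] for MFA-fatigue patterns.

    Keeps a sliding window of recent prompts per user. 'push_flood' fires once per
    user when the window fills to prompt_threshold; 'fatigue_approval' fires on any
    APPROVED event preceded by denial_threshold or more DENIED events in the window.
    """
    recent = defaultdict(list)   # user -> [(timestamp, result)] within the window
    flooded = set()              # users already reported for push_flood
    findings = []
    for user, ts, result in events:
        hist = recent[user]
        hist.append((ts, result))
        # Expire prompts older than the window (events are time-ordered).
        while hist and ts - hist[0][0] > window:
            hist.pop(0)
        if len(hist) >= prompt_threshold and user not in flooded:
            findings.append((user, "push_flood", ts))
            flooded.add(user)
        if result == "APPROVED":
            denials = sum(1 for _, r in hist if r == "DENIED")
            if denials >= denial_threshold:
                findings.append((user, "fatigue_approval", ts))
    return findings


if __name__ == "__main__":
    for user, finding, ts in detect_prompt_bombing(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: {finding}")
```

On the sample data only `bob` is reported: the fifth prompt trips the flood rule and, because it is an approval preceded by four denials, the fatigue-approval rule as well. `carol`'s lone denial in the morning has expired from the window by the time she approves in the afternoon, so it is not flagged. In practice the `fatigue_approval` signal is the one worth a session revocation and a call to the user, since it marks the moment the attacker's password plus a worn-down user turned into a live session.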
Third-party and supply chain attacks, which often involve the compromise of outdated supplier systems, accounted for 25% of all the records breached.
According to Steffen, vendor due diligence and regulatory compliance controls were mostly relaxed during the height of the pandemic and that led to attackers taking advantage of the open supply chain environments.
Healthcare, data-rich records are the most targeted
The report added that healthcare was the most affected industry, accounting for 24% of breaches. It also noted that the segment has been the biggest target for the fourth year in a row, recording 467 breaches in 2021.
Steffen considers healthcare to be a data goldmine and reasons that the segment's critical nature makes it an attractive target for attackers hoping to receive a ransom.
Another key finding included a seeming shift of focus from critical passwords and banking details, to more data-rich records like name, address, social security number (SSN), and date of birth (DOB). The report revealed that of the total number of records compromised in 2021, 99% contained name and address, 59% had SSN, and 53% had date of birth information in them.
“A financial institution has safeguards in place to update a stolen credit card number or bank account number if they suspect a breach has occurred, or if an individual has had some sort of lost card,” said Steffen. “But a person cannot change their date of birth and changing an address or social security number is a herculean task, and those pieces of information are used for authentication and confirmation for every type of financial account there might be.”
Despite that share of breaches, healthcare accounted for only 1% of all the records breached in 2021. However, these breaches contained valuable information including name, address, SSN, date of birth, and, in two-thirds of the breaches, actual medical history information.
Copyright © 2022 IDG Communications, Inc.