Data breaches: Surprisingly, smaller ones can be the most harmful
The breaches causing the most harm to victims are taking place at smaller, lesser-known enterprises.
When it comes to data breaches, one might assume that the bigger the attack, the worse the damage. But it turns out the opposite may be true, according to identity security firm Sontiq’s Mid-Year 2021 Cybercrime Report.
Based on an analysis of data breaches using its BreachIQ product, which looks at the types of data exposed in a breach and assigns it a risk-level score of one to 10, Sontiq said the nine highest-risk breaches of 2021 so far have targeted small- and medium-sized businesses (SMBs).
Cybercriminals, who are targeting SMBs 69% of the time, are then using the data stolen during these lesser-known breaches to commit more cyber fraud, according to the report.
The 2021 data breaches receiving the highest risk-level score of 10 targeted the following:
- Colorado Retina Associates, P.C. in Denver (email compromise)
- JLA Professional Services, LLC in Aurora, Colo. (email compromise)
- Light Tower Financial Strategies in Marblehead, Mass. (undisclosed attack method)
- Maine Drilling & Blasting in Suwanee, Ga. (ransomware)
- Personal Touch Holding Corp. in Lake Success, N.Y. (ransomware in a compromised email cloud)
Breaches receiving a score of nine took place at the following:
- Phillip Galyen P.C. in Bedford, Texas (undisclosed attack method)
- Astoria Company LLC in Wilmington, Del. (exposed database)
- Overseas Services Corporation in West Palm Beach, Fla. (email compromise)
- Rehoboth McKinley Christian Health Care Services in Gallup, N.M. (ransomware)
Sontiq’s analysis also revealed that the theft of two types of personal data in particular increased significantly year-over-year from the first half of 2020 to the first half of 2021: dates of birth (up 11 percentage points, now being exposed during 60% of data breaches) and medical history (up 26 percentage points, now being exposed in 48% of data breaches).
Names, which are obtained in 96% of breaches, are the most commonly stolen type of personal information.
“Cybercriminals seized on new vulnerabilities created by remote work and the general chaos of the pandemic. Small businesses, in particular, were not as well-equipped to fend off cyberattacks,” Jim Van Dyke, SVP of financial wellness for Sontiq, stated. “Most people do not realize how dangerous these small-scale data breaches can be.”
BreachIQ scores are determined by a proprietary, AI-powered algorithm that, in addition to evaluating the types of data exposed in a breach, assesses how the exposed data types are used in 12 different identity crimes.
The more sensitive the data exposed, and the more often it’s used to commit subsequent crimes, the higher the score.
Other findings from the report included the following:
- Credit card fraud was the leading type of identity theft reported in the first half of 2021.
- At least two out of every 10 calls to the Sontiq Identity & Fraud Restoration Team during the same time period were from a senior citizen.
- Children were also at high risk, with Sontiq reporting them as being 51 times more likely to be victims of identity theft than adults. Due to the increased risk of fraud targeting seniors and children, interest in family identity theft protection plans has increased.
- Social scraping, in which perpetrators collect data from social media sites and often sell it to bad actors, was identified as a trending cybercrime along with email compromise. In April 2021, over one billion Facebook, LinkedIn and Clubhouse accounts were discovered on the Dark Web, Sontiq said.
The report also emphasized three key recommendations for consumers looking to keep their personal information out of criminals’ hands:
- Setting up two-factor authentication for online interactions where personally identifiable data (PII) is exchanged.
- Freezing their credit if a significant amount of PII was compromised in a previous breach.
- Monitoring medical records for suspicious activity.