Brian Sims
Editor

Kroll data pinpoints 140% uptick in data breach notification cases

KROLL’S STATISTICS on data breach notifications highlight that the industries most impacted in 2019 continued to be hard hit in both 2020 and again so far in 2021. They include healthcare, education and financial services. However, the greatest percentage increases have occurred in industries that had been generally spared in 2019. The overall implication is that data attacks became broader and deeper during the pandemic. It’s a trend that continues during the COVID-19 recovery.

Kroll attributes the rise in data breach notification cases to four trends: the shift to remote working (which has left employees and employers more vulnerable to cyber crime), the evolution of ransomware into data extortion schemes, the rising impact of supply chain attacks and stricter privacy regulations combined with an increased awareness of privacy rights. These drivers affect companies in all industry sectors, even the ones that haven’t historically been the target of cyber attacks.

Drilling down into the figures, Kroll has examined the drivers of cyber attacks in six of the industries that had been generally spared in 2019: food and beverage, the utilities, construction, entertainment, agriculture and recreation. Importantly, the business has also described actions companies can take to mitigate the risk of data breaches and prepare for a notifiable data breach incident that might occur.

More industries vulnerable

In 2020, Kroll data shows an average 125% growth in breach notification cases for industries which experienced five or more breaches in 2019. The company continues to see a surge in the same, more traditional and regulated group of industries as we move through 2021.

In contrast, the six other industries (ie food and beverage, the utilities, construction, entertainment, agriculture and recreation) which experienced four or fewer breaches in 2019, according to Kroll data, experienced an average increase of 545% year-over-year in 2020. This increased volume of breaches in historically spared industries remains steady in Q1 2021.

Luke Dembosky, partner at Debevoise & Plimpton, explained: “The trend Kroll has identified towards a rise in attacks on previously less targeted industries means that stepping up incident detection and response capabilities for those companies within will be extremely important. This is an area where a modest amount of preparation often goes a very long way in terms of avoiding or otherwise reducing significant impacts on the business.”

Interestingly, some industries witnessed a massive increase in data breaches in 2020 when compared to 2019. The food and beverage industry, for example, experienced a 1,300% increase, while construction saw an 800% increase. These are eye-popping rises, but it’s important to keep them in context. The hardest hit industries experienced many more data breaches than the six industries under examination. In 2020, for example, the average number of breaches experienced in historically hard-hit industries was 104, whereas the average number for the group of six historically less-targeted industries was 12.

The hardest hit and most heavily-regulated industries – such as financial services and healthcare – are also some of the best prepared to handle data breaches. The historically less affected industries are also less prepared, so it’s perhaps not surprising that, during COVID-19, they would experience dramatic increases in data breaches year-over-year.

Drivers of data breaches

The shift to remote working has left employees and employers more vulnerable to cyber crime. In most industries, there was an uptick in COVID-related spear phishing e-mail messages, as well as an increase in malicious activity against platforms adopted for remote work, such as VPN software, remote access infrastructure and cloud solutions like Microsoft Office 365.

The economic downturn has also triggered an increase in ransomware attacks, which attempt to exfiltrate sensitive data for extortion attempts, with threat actors even taking steps to contact journalists, clients and vendors in a bid to pressure victims into paying up.

Further, cyber crime groups have demonstrated considerable operational maturity, not only discovering and weaponising zero-day vulnerabilities at a high rate, but also rapidly exploiting newly disclosed vulnerabilities before patches can be applied. In the last few months, Kroll has seen large file transfer repositories, e-mail platforms and fundraising software providers exploited in this way. Indeed, the impacts reverberated across thousands of organisations using their solutions.

Finally, companies are more likely to report breaches because they’ve learned – as a result of stricter privacy regulations and greater public awareness around privacy rights – that appropriate responses to data breaches can reduce fines and reputational damage.

Industry focus

Among the six industries under discussion that had the lowest number of data breach notifications in 2019 (ie the food and beverage sector, the utilities, construction, entertainment, agriculture and recreation), Kroll witnessed a 545% increase in notifications from 2019 through to 2020. What were the causes of the increases, though?

Food and beverage sector

The food and beverage industry saw a 1,300% increase in data breaches in 2020 when compared to 2019. As of April this year, the volume of breaches has increased slightly. For example, a large US restaurant chain experienced an unauthorised access episode involving its in-house devices and networks, requiring the company to notify tens of thousands of customers.

To meet increased demand due to the pandemic, many businesses in the food industry operated at full production and were often strained. More importantly, many companies moved to direct-to-consumer e-commerce, which meant collecting and using consumer and credit card data.

E-commerce sites are an obvious target for cyber attacks and, according to the International Lawyers Network, many operators in the food and beverage industry “are not sufficiently safeguarded”.

Utilities

The utilities industry saw a 400% increase in data breaches in 2020 when compared to 2019. As of April this year, the number of breaches has already surpassed 2020 by 25%. For example, a US electric utility company had to send notifications to thousands of customers due to an attack that exposed sensitive data in compromised systems.

Utility companies are vulnerable to cyber threats for three reasons (according to McKinsey): the rise in actors (including nation states, cyber criminals and hacktivists) targeting the utilities, the “expansive and increasing attack surface arising from their geographic and organisational complexity” and the “unique interdependencies between physical and cyber infrastructure which exposes companies to exploitation”.

Construction

The construction industry saw an 800% increase in data breaches in 2020 when compared to 2019. This increased volume has remained steady as of April 2021. In one instance, a large North American construction company had to notify hundreds of thousands of customers due to an incident involving a stolen laptop that resulted in unauthorised e-mail access.

Eoin Ó Murchú, associate director at Blackrock Expert Services Group (itself a Kroll business) observed: “Like many others, the construction sector prioritised business operations in the beginning of the pandemic. Some of my clients struggled to scale remote access for staff and contractors. In some cases, they even had to limit who was able to log into the system at certain times of the day.”  

Construction and design firms have been innovators in remote working because of the geographical distribution of construction projects. However, when office staff started working mainly from home, security protocols lagged. Every device, as well as every Wi-Fi connection at field offices, home offices or in coffee shops, became an entry point to company data. Construction also calls for a high level of collaboration between firms, so businesses depend on encryption and other security protocols being applied consistently by all participants.

In addition, construction projects are vulnerable to Internet of Things-specific threats. For example, attackers can gain access through wireless sensors deployed in remote locations or through third party vendors.

Entertainment

The entertainment industry witnessed a 33% increase in data breaches in 2020 when compared to 2019 and, as of April this year, the number of breaches has already equalled 2020. One example of this is from a global entertainment company that had to notify thousands of employees after a data security incident disrupted access to its corporate network and exposed personally identifiable information.

High-value targets in the industry are small speciality post-production companies and visual effects houses which handle extremely valuable content. These “rarely have full-time IT staff, let alone in-house content security experts” (according to M&E Journal), whereas big motion picture studios are typically “well-funded and highly resourced”. Targeted attacks are being aimed at these more vulnerable yet highly valuable companies in the production chain.

Agriculture

The agriculture industry saw a 600% increase in data breaches in 2020 compared to 2019. This increased volume has remained steady up to April 2021. Kroll saw a significant example of this when a large US agricultural equipment distributor became aware of potential unauthorised access to its network and had to notify tens of thousands of customers.

Like most other industries, agriculture has gone through digital transformations only to find itself constantly on the defensive. Technology such as mobile apps, smart sensors, cloud computing and drones all rely on Internet connectivity, exposing them to a wide range of risks in the APIs that connect these components.

Leisure and recreation

The leisure and recreation industry saw a 200% increase in data breaches in 2020 when compared to 2019. This increased volume has remained steady as of April 2021. An example of this growth came from a US country club that had to notify thousands of members after their personally identifiable information was exposed following a series of fraudulent attacks.

According to Villanova’s Centre for the Study of Sports Law, there are three types of cyber attack typically focused on sports organisations: business e-mail compromise, cyber-enabled fraud and ransomware. 70% of British sports organisations have experienced at least one of these kinds of attacks.

Highlighting the facts

Kroll sees a correlation between the growth in breaches impacting less typical industry targets and a key finding of its State of Incident Response 2021 report: despite understanding that data breaches happen and that everyone is now a target, 43% of the organisations interviewed – and more than half of the corporate counsel stakeholders specifically – still felt their organisation lacked the readiness to notify in the event of a breach.

Kroll’s hope is that, by highlighting these facts, organisations may more acutely see the importance of solving that problem and having a plan. Given the significant growth in data breach notifications seen in 2020, it’s strongly recommended that organisations take proactive steps to prepare for a notifiable data breach incident. In the long run, that’s likely to minimise regulatory and reputational impact and may even reduce the impact of class actions.

Five recommendations for businesses are as follows:

*Negotiate and retain key vendors to assist during incident response

Avoid negotiating under the stress of a crisis. Find digital forensics, incident response, breach notification, crisis communication and outside counsel ahead of an incident. Make sure vendors are approved by your cyber insurance policy and, what’s more, are able to cover all the regions globally where you have either customers, employees or other critical stakeholder data (it might be worth finding global partners).

*Conduct tabletop exercises with your leadership and incident response vendors

Most organisations now have an Incident Response Plan in place, but when there’s a compromise, that document can be dismissed, forgotten about or otherwise not adequately followed. It’s imperative to conduct regular tabletop exercises with legal and security leadership as well as third party vendors to build your incident response ‘muscle’ and increase response speed. Tabletop exercises also help to ensure that your vendors are really your partners, you know each other and can then work together easily.

*Provide education, training and technical support to employees 

Ensure that the same standards for data security are applied, regardless of location, by providing mobile workers with straightforward policies and procedures, ensuring security and authentication software is installed on mobile devices and kept up-to-date and offering adequate training and technical support for mobile workers.

Educate employees about the appropriate handling and protection of sensitive data. The continuing saga of lost and stolen laptops containing critical information illustrates that corporate policy designed to safeguard portable data only works when employees follow the rules. 

*Understand where data lives in your organisation so that you’re prepared to not only secure and defend it, but can access it quickly in case it’s compromised to help expedite regulatory notice

Several regulations, like the General Data Protection Regulation in Europe, require organisations to conduct data mapping exercises. This will also help your organisation to better assess a ‘data diet plan’, reducing the number of places where you retain data and the amount of information collected.

*Don’t rely on encryption as your only method of defence

Encrypting data in transit and at rest is best practice, but when used alone it can give businesses a false sense of security. Although most US state statutes require notification only if a breach compromises unencrypted personal information, attackers rarely need to break a modern cipher itself: they steal or misuse the keys, exploit implementation flaws, or reach the data where it is decrypted in use. A stolen key file or a compromised application account yields plaintext regardless of how well the data was encrypted on disk.
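The following is an added illustration of that failure mode, not code from Kroll or the article. It simulates an encrypted customer file on a server and shows three ways the encryption boundary is, or is not, crossed: a thief who gets only the ciphertext learns nothing; a thief who takes a backup directory where the key sits beside the data recovers everything; and anyone who can reach the application's own read path (a stolen login, an injection flaw) gets plaintext because the application holds the key. The cipher is a toy HMAC-SHA256 keystream so the script runs on the standard library alone; it stands in for a real AEAD such as AES-GCM and must not be used in production. The customer records, file names, key and fixed nonce are all constructed for the demo.

```python
"""Added example: why encryption at rest alone is not a defence.

Toy HMAC-SHA256 keystream cipher (XOR) used purely so the demo is stdlib-only.
It is a stand-in for a real AEAD (e.g. AES-GCM); do not use it for real data.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed demo material. In a real system the key would live in a KMS/HSM
# and the nonce would be random and unique per message.
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
NONCE = b"fixed-demo-nonce"
CUSTOMERS: List[dict] = [  # constructed sample records, not real people
    {"name": "A. Example", "email": "a@example.org", "card_last4": "4242"},
    {"name": "B. Sample", "email": "b@example.org", "card_last4": "0005"},
]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR plaintext with the keystream. Same function decrypts."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # a stream cipher is its own inverse

# The "disk": what the application server actually stores.
ENCRYPTED_BLOB = encrypt(KEY, NONCE, json.dumps(CUSTOMERS).encode())


def build_backup(key_beside_data: bool) -> Dict[str, bytes]:
    """Simulate a backup directory as {filename: contents}.

    key_beside_data=True models the common anti-pattern of storing the
    application key in the same directory/bucket as the data it protects.
    """
    files = {"customers.enc": ENCRYPTED_BLOB, "nonce.bin": NONCE}
    if key_beside_data:
        files["app.key"] = KEY
    return files


def thief_recovers(stolen: Dict[str, bytes]) -> Optional[List[dict]]:
    """What an attacker gets from a stolen backup: None if only ciphertext."""
    if "app.key" not in stolen:
        return None  # encryption did its job: no key, no plaintext
    plain = decrypt(stolen["app.key"], stolen["nonce.bin"], stolen["customers.enc"])
    return json.loads(plain.decode())


def app_search(name_prefix: str) -> List[dict]:
    """The application's legitimate read path.

    The app must hold the key to serve requests, so any attacker who reaches
    this path (compromised account, injection, abused API) receives plaintext;
    encryption at rest is transparent here.
    """
    records = json.loads(decrypt(KEY, NONCE, ENCRYPTED_BLOB).decode())
    return [r for r in records if r["name"].startswith(name_prefix)]


if __name__ == "__main__":
    print("ciphertext only :", thief_recovers(build_backup(key_beside_data=False)))
    print("key beside data :", thief_recovers(build_backup(key_beside_data=True)))
    print("via app account :", app_search(""))
```

The practical checks this suggests are where the key actually lives relative to the data (separate KMS or HSM, separate access control, separate backup path), and which identities and code paths can invoke the decrypting read path, since those, not the cipher, are what an attacker targets.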

Volume and sophistication

The volume and sophistication of cyber attacks continues to increase, regardless of the regulatory scrutiny placed on any one industry. Given that most organisations receive more than 100 threat alerts every day and that endpoint visibility has been reduced by the shift to remote working, the ability to quickly detect and confidently respond to cyber threats has become a difficult challenge for organisations to meet on their own.

Organisations are strongly encouraged to assess their incident response and breach notification capabilities and consider a 24x7 managed detection and response solution that can augment security capabilities ahead of an incident.

Investments in detection and response capability deliver the biggest Return on Investment in security as organisations can halt larger attacks before they ‘fully detonate’ and also minimise business interruption.
