Small Breaches Leading to Big Consequences: Sontiq Report

The breaches causing the most harm to victims are taking place at smaller, lesser-known enterprises.

Image: Shutterstock

When it comes to data breaches, one might assume that the bigger the attack, the worse the damage. But it turns out the opposite may be true, according to identity security firm Sontiq’s 2021 Mid-Year 2021 Cybercrime Report.

Based on an analysis of data breaches using its BreachIQ product, which looks at the types of data exposed in a breach and assigns it a risk-level score of one to 10, Sontiq said the nine highest-risk breaches of 2021 so far have targeted small- and medium-sized businesses (SMBs). Cyber-criminals, which are targeting SMBs 69% of the time, are then using the data stolen during these lesser-known breaches to commit more cyber fraud, according to the report.

The 2021 data breaches receiving the highest risk-level score of 10 targeted Colorado Retina Associates, P.C. in Denver (email compromise), JLA Professional Services, LLC in Aurora, Colo. (email compromise), Light Tower Financial Strategies in Marblehead, Mass. (undisclosed attack method), Maine Drilling & Blasting in Suwanee, Ga. (ransomware) and Personal Touch Holding Corp. in Lake Success, N.Y. (ransomware in a compromised email cloud). Breaches receiving a score of nine took place at Phillip Galyen P.C. in Bedford, Texas (undisclosed attack method), Astoria Company LLC in Wilmington, Del. (exposed database), Overseas Services Corporation in West Palm Beach, Fla. (email compromise) and Rehoboth McKinley Christian Health Care Services in Gallup, N.M. (ransomware).

Sontiq’s analysis also revealed that the theft of two types of personal data in particular increased significantly year-over-year from the first half of 2020 to the first half of 2021: Dates of birth (up 11 percentage points, now being exposed during 60% of data breaches) and medical history (up 26 percentage points, now being exposed in 48% of data breaches). Names, which are obtained in 96% of breaches, are the most commonly-stolen type of personal information.

“Cybercriminals seized on new vulnerabilities created by remote work and the general chaos of the pandemic. Small businesses, in particular, were not as well-equipped to fend off cyberattacks,” Jim Van Dyke, SVP of financial wellness for Sontiq, stated. “Most people do not realize how dangerous these small-scale data breaches can be.”

BreachIQ scores are determined using a proprietary, AI-powered algorithm, and in addition to evaluating the types of data exposed in a breach, it assesses how the exposed data types are used in 12 different identity crimes. The more sensitive the data exposed, and the more often it’s used to commit subsequent crimes, the higher the score.

Other findings from the report included the following:

The report also emphasized three key recommendations for consumers looking to keep their personal information out of criminals’ hands: Setting up two-factor authentication for online interactions where personally identifiable data (PII) is exchanged, freezing their credit if a significant amount of PII was compromised in a previous breach, and monitoring medical records for suspicious activity.