Third-Party Breaches and the Rise of Imposter Scams in 2022
The Two-crime Crime is Now a Three-crime Crime
Analysis of 2022 data breaches has uncovered sobering news for consumers and businesses. The overall number of publicly reported data breaches remained high at 1,802 in 2022, with an increase in a specific type of breach known to cause scams — the third-party breach.
While there may have been slightly fewer data breaches in 2022 than in 2021, the number of third-party data breaches, also called supply chain breaches, increased by 45%. There was also a 10% increase in severity within those third-party breaches, compared to a mere 2% increase in severity within primary breaches.
Vendors attract unwanted criminal attention
The very nature of a breach changes once it involves a third party.
Third-party breaches generally refer to attacks perpetrated against information processing vendors with a wide range of clients, such as administrative, payroll and accounting firms. These vendors are attractive to criminals for two main reasons:
1. They usually have less sophisticated cyber protection than larger or highly regulated entities, and
2. they have access to customer data from multiple organizations instead of just one.
For cybercriminals, it’s less risk and higher ROI, opening up new roads to financial fraud in new or existing deposit or credit accounts at credit unions in the member’s name.
Criminals have figured out that the quickest path to identity credentials is through the networks of much softer targets. The softest targets for breaches are healthcare and educational institutions. Half of all breaches are occurring at the third-party firms these organizations rely on for billing and other client services.
For credit unions, which collectively spend millions on security measures, the skyrocketing numbers of third-party breaches should be of particular concern.
Emergence of the three-crime crime
In the classic “two-crime crime” of identity theft, criminals:
1. breach the data, and
2. misuse that data to commit identity fraud.
The level of criminal gain depended on the level of personally identifiable information (PII) breached in the attack. For example, access to a victim’s birthdate and employer information does not necessarily result in access to financial accounts. Accessing the victim’s online banking username and password is another story.
With the explosion of supply chain breaches in 2022, the “two-crime crime” evolved into a “three-crime crime”:
1.