Data Breaches and Cyber Attacks in the USA in December 2023 – 1,613,496,782 Records Breached

IT Governance USA’s research found the following for December 2023:

  • 443 publicly disclosed security incidents (33% of all incidents globally)
  • 1,613,496,782 records known to be breached

How does this compare to last month?

In November 2023, we found 185 publicly disclosed incidents in the USA – accounting for 39% of all incidents globally – and 30,879,890 records known to be breached.

Publicly disclosed incidents

In percentage terms, it appears that there was a drop in incidents this month. However, the true figures are higher due to a Europol action in 17 countries, including the USA, which uncovered 443 organizations that suffered a data breach. Because we don’t know how many of the 443 are in the USA, we haven’t attributed them to a specific country. We’ll update this if more information on the Europol action is released.

When taking the above into account, the percentages – in terms of incidents – are likely to be similar for this and last month. In absolute terms, however, there was an alarming 139% increase – if not more, due to the Europol action.

Known records breached

The jump in the absolute number of records breached was even more shocking: a 5,162% increase.

Admittedly, this is largely down to one major outlier – the Real Estate Wealth Network breach of more than 1.5 billion records (more on this below) – but it’s still an incredible figure.

Our USA reports may be new, but we’ve been collecting the global figures since 2014, and 2023 was the first time that we’ve recorded breaches in excess of a billion records in more than five years.

2023 was also the first year that saw more than one billion-record breach: the Real Estate Wealth Network and DarkBeam.




This blog provides analysis of the data we’ve collected.


High-level overview

Of the 443 incidents in the USA (and 1,351 incidents globally) this month, we know the following:

Data breached

Data breached?
          Yes    Unknown    No
USA       71%    28%        2%
Global    75%    24%        1%

Note: The percentages for the USA add up to 101% due to rounding.

Data exfiltration

Data exfiltration?
          Yes    Unknown    No
USA       69%    29%        2%
Global    73%    25%        1%

Note: The global percentages add up to 99% due to rounding.

For the past two months, we’ve found that the USA was disproportionately targeted with data exfiltration attacks. This month, however, we’re seeing very little difference between the USA and the global benchmark. The same is true for data breached in any way, as the earlier table showed: the USA performed slightly better than the global benchmark, but the difference is very small.


Remediation

71% of breached U.S. organizations reported taking remedial action this month – a significantly higher figure than we found globally over the same period: 37%. This fits the pattern we saw last month, at 84% and 48% for the USA and globally respectively, but it’s interesting that both regions have seen a drop this month.

Note 1: Reported remediation typically includes conducting a forensic analysis to establish exactly what happened (often by engaging a third-party specialist). It often also involves temporarily taking down systems to limit the impact of the security breach.

Note 2: In the case of DoS (denial-of-service) attacks, where a website had been taken down by a threat actor and is live again at the time of writing, we assume that the attacked organization has taken remedial action, even if that organization hasn’t acknowledged the attack, or the remediation, in public.

Notification

          Notified regulator    Notified affected individuals
USA       59%                   42%
Global    57%                   18%

This month, the USA was roughly on a par with the global benchmark in terms of notifying or involving a regulator. This is very different to the past two months, when U.S. organizations appeared much more likely to notify the regulator than organizations generally (72% and 32% respectively in November; 77% and 49% in October).

However, in terms of notifying affected individuals, the USA – once again – performed better than the global benchmark: 42% vs 18%. That said, 42% is a significant drop on last month’s 68%.


Top 5 biggest breaches

#   Organization name                              Known number of records breached
1   Real Estate Wealth Network                     1,523,776,691
2   Comcast Cable Communications, LLC (Xfinity)    35,879,455
3   Delta Dental of California                     6,928,932
4   Akumin Inc.                                    5 TB
5   INTEGRIS Health                                4,674,000

Note 1: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (for instance, pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.

Note 2: Where ‘around,’ ‘about,’ etc. is reported, we record the rounded number.

Most, if not all, of these names may seem familiar to you, as they’ve been featured in the headlines heavily over the past month. Let’s go through them all.

1. Real Estate Wealth Network: 1,523,776,691 records exposed

Security researcher Jeremiah Fowler discovered an unprotected database exposing more than 1.5 billion records containing property ownership data related to millions of people. The logging records indicated that the files belonged to New York-based Real Estate Wealth Network. Fowler contacted the company, which secured the database.

According to Fowler, the exposed data included information on property owners, sellers, investors, internal user logging data, and more. The property owners allegedly included numerous celebrities, whose street address; purchase price and date; mortgage company; mortgage loan amount; tax ID numbers; taxes owed, paid or due; and other information were available.

2. Xfinity: 35,879,455 individuals affected by data breach

Telecoms company Xfinity discovered that despite patching a vulnerability in third-party software it uses, that vulnerability had been exploited. Consequently, user names and hashed passwords of nearly 36 million people had been breached. For some of these individuals, names, contact details, dates of birth, partial Social Security numbers, and/or secret questions and answers had also been compromised.

Note: The number of records breached is likely far higher than 35,879,455, as it appears that multiple data types had been breached for each affected individual, but we can only record the numbers publicly disclosed – in this case, via a data breach notification to the Office of the Maine Attorney General.

3. Delta Dental of California: 6,928,932 individuals affected

Delta Dental of California, yet another MOVEit Transfer victim, notified nearly 7 million people that their data had been breached. The information compromised includes financial and health information, as well as addresses, Social Security numbers, driver’s license numbers, passport numbers, and more.

Note: Again, the number of records breached is likely far higher than 6,928,932, but we can only report the numbers publicly disclosed.

4. Akumin: 5 TB “highly sensitive” data allegedly exfiltrated

Akumin Inc. – which describes itself as “a trusted partner for hospitals, health systems, and physician groups all over the U.S.” – has suffered yet another data breach, this time by ransomware gang BianLian. The group claims to have exfiltrated 5 TB of highly sensitive documents, including financial and health information.

The company suffered a different cyber attack in October 2023.

5. INTEGRIS Health: data of allegedly 4,674,000 people exfiltrated

INTEGRIS Health, the largest Oklahoma-owned health care system, provided notice of a security breach on December 24, 2023. Subsequently, the attackers sent extortion emails to victims directly – a trend that appears to be on the rise. According to the Tor extortion website that the email linked to, data of around 4,674,000 people had been stolen.

INTEGRIS Health itself stated that breached information may include names, dates of birth, contact information, demographic information, and Social Security numbers. The Tor extortion website also included information about patients’ hospital visits.


Sector overview

For our monthly analyses, we look at the top 3 most breached sectors in the USA by number of incidents and by known number of records breached.

We provide a full sector breakdown in our interim and annual reports.

Top 3 most breached sectors (by number of incidents)

#   Sector           Incidents
1   Finance          92 (21%)
2   Healthcare       73 (16%)
3   Manufacturing    63 (14%)

Finance was this month’s most breached sector at 92 incidents – more than a fifth of this month’s total for the USA. However, this was largely due to a supply chain attack on Ongoing Operations, a cloud service provider, that affected 60 U.S. credit unions.

Top 3 most breached sectors (by number of records)

#   Sector                      Known number of records breached
1   Construction/real estate    1,524,045,184
2   Telecoms                    36,713,108
3   Healthcare                  28,249,136

In terms of records breached, construction and real estate is the clear outlier at more than 1.5 billion records known to be breached. These mostly came from just one breach, suffered by Real Estate Wealth Network.


Other noteworthy findings

More than half of all incidents were ransomware attacks

The global figures this month were bad enough at 29%. However, the U.S. numbers are much worse at 51%, accounting for 36,554,231 records known to be breached this month due to ransomware attacks.

Zero-day vulnerabilities were a much bigger issue in the USA than globally

7% of all incidents in the USA this month originated from a zero-day vulnerability – a much higher figure than the 3% global benchmark over the same period. In the USA, all but one of those incidents originated from the MOVEit Transfer vulnerability. Those MOVEit breaches led to 10,468,289 records known to be breached this month.

More than one in four incidents originated from the supply chain

Globally, we’ve seen 12% of all incidents originate from the supply chain (i.e. a third party) this month. For the USA, this figure was much higher, at 26%.

It’s also worth noting that although far more U.S. incidents originated externally this month (72%), the supply-chain incidents still led to more records known to be breached: 44,942,844 externally vs 47,477,784 via a third party.