Data Breaches and Cyber Attacks in the USA in November 2023 – 30,879,890 Records Breached

IT Governance USA’s research has discovered the following for the USA in November 2023:

  • 185 publicly disclosed security incidents (39% of all incidents globally)
  • 30,879,890 records known to be breached

How does this compare to last month?

In October 2023, we found 57 publicly disclosed incidents – accounting for 50% of all incidents globally – and 17,527,078 records known to be breached.

So, while the proportion of incidents that occurred in the USA is lower in November, the absolute number of incidents is significantly higher – a 325% increase on last month.

This is partly caused by us improving our incident-finding processes, so that we can find more publicly disclosed incidents each month, improving the accuracy and reliability of our data. However, this also means that some of the increase in the number of incidents we can report on is down to our improved processes rather than solely to more organizations suffering a breach or attack.

That said, we are seeing early signs of an increase in supply chain attacks – a trend we can hopefully confirm or refute in due course – which may well lead to more incidents being reported irrespective of our changed processes.


Free download: Data Breach Dashboard

For a one-page overview of this blog’s key findings that you can download for free, check out our Data Breach Dashboard.

This blog provides analysis of the same data that we’ve collected. You can also download that data (and our sources) from our Dashboard page soon – we’ll add it to this page, so be sure to bookmark it.


High-level overview

Of the 185 incidents in the USA (and 470 incidents globally), we know the following:

Data exfiltration

  Data exfiltration?   Yes    Unknown   No
  USA                  78%    22%       –
  Global               54%    45%       1%

Note: ‘No’ means that either no records were breached, or that the breach didn’t involve a criminal.

Like last month, our findings show that the USA was again disproportionately targeted with data exfiltration attacks in November. However, it’s still too early to tell whether this is a longer-term pattern, so we’ll continue to monitor this.

Records breached

             Specific number of breached records reported   Data exfiltrated, but no specific numbers
  USA        63%                                            19%
  Global     44%                                            14%

Note: ‘Specific number reported’ includes security incidents that specifically reported that zero records were breached. It also includes incidents where records were exposed, but where it’s unknown whether the data was also exfiltrated (for instance, emailing data to the wrong recipient, or security researchers discovering an unsecured/misconfigured database, without any evidence of a malicious actor accessing it). This is why each row in this table adds up to more than the percentages under ‘Yes’ in the data exfiltration table above.

Unlike last month, where we saw little difference between the USA and the global benchmark, U.S. organizations are noticeably more transparent on this data point.

In October’s report, we mentioned that “considering the various breach notification laws at state level, under which organizations are expected to report the number of individuals affected, we’d been expecting better performance from the USA.”

This month, that’s exactly what we’ve seen. Whether this will turn out to be the norm or a one-off remains to be seen. We’ll continue to monitor this data.

Remediation

84% of breached U.S. organizations reported taking remedial action this month – a significantly higher figure than we found globally over the same period: 48%. Last month, the figures for the USA and globally were much closer, at 58% and 61% respectively.

Remediation typically included conducting a forensic analysis to establish exactly what happened (often by engaging a third-party specialist). It usually also involved temporarily taking down systems to limit the impact of the security breach.

Notification

             Notified regulator   Notified affected individuals
  USA        72%                  68%
  Global     32%                  31%

Like last month, U.S. organizations appear more likely to notify both a regulator and affected individuals of data breaches and cyber attacks. At the very least, they appear to be quicker about it – it’s possible that with the large number of incidents towards the end of the month, organizations simply haven’t got round to reporting them yet.

Do note, however, that our research is based on the information we can find in the public domain. It’s possible that due to U.S. breach notification laws, it’s more likely that incidents are reported – particularly to regulators, but also to affected individuals – than in other countries. Equally, this could be the product of the type of information our sources tend to provide.

Again, this is something we’ll continue to monitor. We’ll also provide a future breakdown of this data by organization location once we’ve collected more data.


Top 5 biggest breaches

  #   Organization name            Known number of records breached
  1   Perry Johnson & Associates   8,952,212
  2   Welltok                      8,493,379
  3   Zeroed-In Technologies       1,977,486
  4   Stanford Health Care         1,648,848
  5   PruittHealth                 1,500,001

Note: Where ‘around,’ ‘about,’ etc. is reported, we record the rounded number. Where ‘more than,’ ‘at least,’ etc. is reported, we record the rounded number plus one. Where ‘up to,’ etc. is reported, we record the rounded number minus one.

The two largest breaches in the USA by far this month are those suffered by Perry Johnson & Associates and Welltok. Both organizations are in the technology sector, and together they account for 17,445,591 records known to be breached – 56% of this month’s total for the USA. The other three names in the top five are Zeroed-In Technologies (technology), Stanford Health Care (health care) and PruittHealth (health care).

However, note that this list excludes Henry Schein’s data breach of 35 TB of sensitive data, which we convert to 35 million records.* This figure was only released this month, but as the initial report on this ransomware attack came out in October, we added this breach to last month’s data. This will be accounted for in our interim and annual reports, but not in our monthly analysis due to the timing of this update.

*For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (for instance, pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
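The recording rules above (rounded number for ‘around’/‘about’, plus one for ‘more than’/‘at least’, minus one for ‘up to’, and 1 MB = 1 record for file-size-only reports) can be applied mechanically. The following Python function is an added illustration of those rules, not code from IT Governance USA; the extra synonyms it accepts (‘approximately’, ‘over’, ‘fewer than’) and the use of decimal size units (1 TB = 1,000,000 MB) are assumptions.

```python
import re

# Multipliers for written-out magnitudes.
_WORD_SCALE = {"thousand": 10**3, "million": 10**6, "billion": 10**9}
# File sizes expressed in MB, following the page's 1 MB = 1 record rule.
# Decimal units (1 TB = 1,000,000 MB) are an assumption, not stated on the page.
_SIZE_SCALE_MB = {"mb": 1, "gb": 10**3, "tb": 10**6}

# Qualifier phrases. The page names 'around', 'about', 'more than', 'at least'
# and 'up to'; the other synonyms are assumed extensions of its "etc.".
_LOWER_BOUND = ("more than", "at least", "over")
_UPPER_BOUND = ("up to", "fewer than", "less than")

_NUMBER_RE = re.compile(
    r"(?P<num>\d[\d,]*(?:\.\d+)?)\s*(?P<unit>thousand|million|billion|mb|gb|tb)?\b",
    re.IGNORECASE,
)


def records_from_report(phrase: str) -> int:
    """Convert a reported figure ('more than 1.5 million', '35 TB',
    'around 1,648,848 individuals') into the single integer recorded."""
    text = phrase.strip().lower()
    match = _NUMBER_RE.search(text)
    if match is None:
        raise ValueError(f"no numeric figure found in {phrase!r}")
    value = float(match.group("num").replace(",", ""))
    unit = (match.group("unit") or "").lower()
    if unit in _SIZE_SCALE_MB:
        # File-size-only report: 1 MB = 1 record, no +/-1 adjustment.
        return round(value * _SIZE_SCALE_MB[unit])
    value = round(value * _WORD_SCALE.get(unit, 1))
    qualifier = text[: match.start()]  # words that precede the number
    if any(q in qualifier for q in _LOWER_BOUND):
        return value + 1  # 'more than 1.5 million' -> 1,500,001
    if any(q in qualifier for q in _UPPER_BOUND):
        return value - 1  # 'up to 2 million' -> 1,999,999
    return value  # 'around'/'about' or an exact figure: the rounded number


if __name__ == "__main__":
    # Constructed sample reports, not quotations from any disclosure.
    for sample in ("more than 1.5 million", "around 1,648,848 individuals",
                   "up to 2 million", "35 TB", "8,952,212"):
        print(f"{sample!r:35} -> {records_from_report(sample):,}")
```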


Sector overview

We’ve now expanded our sector categories, thereby decreasing the size of the ‘other’ category. Including ‘other’ and ‘unknown,’ we now have 16 sector categories. We’ll provide a full breakdown of these in our interim and annual reports.

For our monthly analyses, both for the USA and globally, we’ll just look at the top 3.

Top 3 most-breached sectors (by number of incidents)

  #   Sector                  Incidents   Share of U.S. incidents
  1   Health care             50          27%
  2   Finance and insurance   24          13%
  3   Education               22          12%

Like last month, health care continues to take the top spot in terms of the most-breached sector by number of incidents in the USA (though it has dropped to second place in terms of the known number of records breached – see the table below).

However, the fact that U.S. health care organizations must report breaches under HIPAA (Health Insurance Portability and Accountability Act) may be a partial factor here, given that the nature of our research makes us dependent on information available in the public domain.

Either way, the absolute numbers have increased significantly: from 20 to 50 incidents – a 250% increase.

Finance and insurance in the USA only suffered 3 incidents last month. At 24 incidents in November, it has seen an 8-fold increase, putting it in second place.

Top 3 most-breached sectors (by number of records)

  #   Sector        Known number of records breached
  1   Technology    19,713,318
  2   Health care   5,363,485
  3   Public        1,333,207

We weren’t recording the technology sector as its own category last month, but it suffered the highest number of records known to be breached in the USA in November, largely from the Perry Johnson & Associates and Welltok breaches. In terms of the number of incidents this sector suffered this month, it ranked fourth with 19 incidents (10%).

It’s unsurprising that health care is featured in the top 3 here, considering that it suffered significantly more incidents this month than any other sector in the USA, but it’s worth noting that at 5,363,485 records known to be breached, it accounts for 49% of the global total in health care.


Other noteworthy findings

More than one in four incidents were ransomware attacks

             Ransomware – all sectors   Ransomware – all sectors (excluding unknown attack types/root causes)
  USA        26%                        33%
  Global     17%                        24%

Like last month, ransomware was the most common attack vector, both for U.S. organizations and globally. However, for the USA, the figure is much lower than last month: just 26% rather than 40%.

Even if we exclude incidents for which we don’t know the attack type or root cause, the percentage of ransomware attacks on U.S. organizations remains lower in November than in October, at 33%. (If we exclude unknown causes for October, the percentage of ransomware attacks on U.S. organizations rose to 52%.)

Ransomware attacks on U.S. health care are declining

             Ransomware – health care   Ransomware – health care (excluding unknown attack types/root causes)
  USA        18%                        25%
  Global     21%                        29%

Another interesting change is that the health care sector was targeted by fewer ransomware attacks, despite suffering 50 incidents this month – 27% of the total (for the USA).

This is a stark change to October’s figures, when we found that 55% of incidents in U.S. health care organizations were ransomware attacks, in line with reports that ransomware gangs were targeting the U.S. health sector more.

Perhaps they were giving U.S. health care a break in November, and this trend will resume in December or in the new year, or perhaps ransomware gangs are changing their focus. We’ll continue to monitor this data to find out which it is.

U.S. organizations perform better on misconfigurations and missing patches

             Misconfigured   Unpatched   Zero-day exploit
  USA        2%              5%          9%
  Global     16%             9%          8%

Note: From this month, zero-day vulnerabilities are excluded from the ‘unpatched or misconfigured’ category. We’ve also split misconfigurations from missing patches.

Last month, the USA performed significantly better than the global benchmark over the same period in terms of patching and secure configuration. We’re happy to report that we see the same pattern this month, though we need to collect and analyze this data for longer before we can be confident that this is a typical pattern.

It’s also interesting to note that although the USA performs better on these two clearly preventable attack types, its performance is roughly on a par with that of the rest of the world on zero-day vulnerabilities.

Of course, zero-day vulnerabilities are extremely difficult to defend against, as they don’t yet have a patch available, and the victims may not be aware that the vulnerability exists. This is a key reason we’ve decided to track this as a separate category, rather than group it under ‘unpatched’ in general.

Supply chain attacks are rising – though not as strongly in the USA as the rest of the world

             Internal   External   Third party (supply chain)
  USA        6%         76%        18%
  Global     4%         48%        48%

At a global level, a staggering 48% of publicly disclosed incidents originated from a third party this month – a huge increase on last month’s 18%. Or if we just isolate the absolute numbers, we’re looking at more than a 10-fold increase: from 21 incidents in October to 227 incidents in November.

There is also a noticeable increase in third-party attacks in the USA: from 10% in October (6 incidents) to 18% in November (33 incidents). That’s a 550% increase in absolute numbers.

Those numbers aren’t as extreme as at a global level, and while it’s too early to be able to tell whether this is the start of a trend, we’ll continue to monitor this data to determine whether it’ll turn out to be one.