Your Data in Danger: How Increasing Breach Risks Threaten Personal Information

Pondurance
December 18, 2024

2024 has been a record year for data breaches, in cost, number, and impact. The Verizon 2024 Data Breach Investigations Report analyzed a record high of 10,000-plus breaches, with victims in 94 countries. And the IBM Cost of a Data Breach 2024 found that breaches are costlier than ever: $4.88M global average cost—a 10% increase over last year.


IBM further reports that customer personally identifiable information (PII) was the most common type of data stolen or compromised, at 46%. PII includes sensitive data such as government ID numbers, email and home addresses, and financial data. Protected health information (PHI)—a patient’s confidential medical information—is also at risk for theft or compromise, as the infamous Change Healthcare breach shows.

At Pondurance, our purpose is to provide tools, technologies, and services that empower you to eliminate many of the risks that cause cybersecurity incidents and data breaches.


Cyber threats are escalating breach risks

Cyber threats are a cost of doing business. No organization can successfully thwart every attack. Malicious actors are exceptionally skilled at adapting new technologies and exploiting human behavior to steal sensitive data or bring down a business’s systems.


Due to digital transformation, these threats are more widespread than ever before. A SecurityInfoWatch article noted that “…interconnectedness, ‘always on’ availability, and global reach have exposed…enterprises to a growing threat: cyber attacks. Driven by a desire for a quick payday from the theft or encryption of sensitive personal or corporate information, cybercriminals are constantly hunting for their next victim.”



Common cyber risks organizations face that can result in a data breach include:


  • Third-party weaknesses. Fifteen percent of breaches covered in the Verizon report involved a third party or supplier, and IBM found that the average breach cost increased for third-party breaches.

    Attacks originating up the supply chain and with ecosystem partners can be harder for organizations to detect. Threat actors deliberately infiltrate vendors or ancillary organizations of the real target business or institution. This risk is more difficult to mitigate because the target organization must do business with its vendors but has no control over the vendors’ security programs.


  • Shadow data. Palo Alto Networks defines shadow data as sensitive information that is created, shared or stored without being managed or governed by an organization’s IT team. There’s also shadow AI—the prohibited use of AI tools or apps by employees or end users. The IBM report found that one in three breaches involved shadow data.

  • Exploitation of vulnerabilities as “an initial access step for a breach” almost tripled (a 180% increase), according to Verizon. A vulnerability in Progress Software’s MOVEit managed file transfer app and other zero-day exploits that ransomware actors used contributed to this increase. The Verizon report further noted that organizations can take approximately 55 days to remediate 50% of critical vulnerabilities after their patches are available.

  • Social engineering of humans continues to top the list of risks—Verizon found 68% of all breaches involved a “non-malicious human element,” such as a victim of a social engineering attack or a person who made an error. Similarly, IBM reported that phishing and stolen or compromised credentials were the top two initial attack vectors.

  • Business email compromise (BEC) is a dominant threat that is outpacing ransomware. BECs occur because of a lack of technical controls and of user awareness and training. In fact, Verizon reports that incidents involving pretexting—the majority of which resulted in BECs—accounted for one-fourth of financially motivated attacks over the past two years.


Most organizations have shifted from on-premises email management to a cloud provider, such as Microsoft; however, conditional access policies are often configured improperly. Authentication may be rolled out, but not in a way that fits how users actually work. Users also suffer from alert fatigue, especially after their account has been compromised.


Unlike the obvious, sudden nature of a ransomware attack, a business email compromise is harder to detect. And even after remediation, the harm a BEC causes can be ongoing and difficult to uncover.


Are you ready for regulators?

Cybersecurity vulnerabilities and human error threaten an organization’s ability to minimize breach risk. Increased scrutiny from regulators puts additional pressure on organizations to toughen up their cybersecurity measures and have an incident response plan ready in the event of a breach.


Yet not all members of the C-suite are equally confident about their regulatory compliance when it comes to cybersecurity and breach readiness. According to PwC’s 2025 Global Digital Trust Insights survey, CISOs and CSOs feel less certain than their CEOs about regulatory compliance in the areas of AI, resilience, critical infrastructure, data protection, cyber disclosure, consumer privacy, and network and information security.


“Regulatory frameworks are asking companies to swiftly comply with a growing array of requirements,” PwC noted. “A surge of new regulations…underscores the urgency for organizations to align their practices to these heightened expectations. Addressing these challenges is essential to building a resilient and compliant cybersecurity posture that can withstand both regulatory scrutiny and emerging threats.”


Regulations at every turn

Regulations involving breach risk usually fall into one of three categories: cybersecurity, privacy, and breach notification. Often, these laws apply to the jurisdiction in which a consumer or patient resides—not the location of the business or institution. Therefore, a business based in New York with customers in Delaware or California would have to comply with the laws in those states, as well as applicable federal regulations.


It can be challenging for organizations to ensure their compliance with this mix of laws and regulations. In particular, it’s challenging for the cybersecurity team, which must think not only about appropriate security protections but also maintain a broader perspective on obligations under privacy and breach laws.


US regulations

Regulations in the United States are mostly a patchwork of state- or industry-specific laws. Without a cohesive national framework, midsize organizations face scrutiny from regulators in dozens of jurisdictions—adding to the cost, complexity, and stress of compliance. The most significant US regulations include:


  • State breach notification. There is no national breach notification statute; instead, all 50 states have their own breach notification laws, each with their own timelines and requirements. For example, some states require notification within 30 days of discovering a breach, while others allow for up to 60 days.

  • Industry-specific breach notification:

    • Healthcare entities: Any organization that holds sensitive patient data—protected health information (PHI)—has additional reporting obligations under HIPAA and the Federal Trade Commission’s Health Breach Notification Rule. These laws apply not only to healthcare providers but also to business associates, third-party vendors, educational institutions, and others tasked with safeguarding PHI.

    • Financial institutions: The Securities and Exchange Commission (SEC) requires public companies to disclose any “material cybersecurity events.” The SEC also requires broker-dealers, registered investment advisers, and transfer agents to establish, implement, and maintain an incident response program, with procedures for providing notice to affected customers. Under its Safeguards Rule, the FTC requires financial institutions to report security events affecting 500 or more people to the FTC.

  • Consumer privacy. No national privacy law exists, leaving states to enact their own legislation. Perhaps the most famous of these laws is the California Consumer Privacy Act (CCPA). Among other rights, the CCPA allows California consumers to limit the use and disclosure of their sensitive personal information.

  • Cybersecurity. The financial sector has well-defined cybersecurity requirements for safeguarding consumer information. The FTC’s Safeguards Rule requires institutions to develop, implement, and maintain a documented information security program. The SEC has rules for public companies to describe how they assess, identify, and manage “material risks” from cybersecurity threats.


Source: IAPP

Without a national consumer privacy law, individual states have enacted their own legislation. This patchwork of laws adds to the cost and complexity of compliance for organizations with sensitive customer information.


On the state level, the New York State Department of Financial Services amended its cybersecurity regulations mandating new access controls, more regular risk assessments, and updated notification requirements. Of note is the new requirement to report ransomware payments.


For healthcare, the HIPAA Security Rule establishes national standards for protecting electronic PHI. Healthcare organizations are required to implement administrative, physical, and technical safeguards, ensuring the confidentiality, integrity, and security of this information.


European Union regulations

US-based organizations that hold the sensitive data of EU citizens must comply with the General Data Protection Regulation (GDPR). The GDPR covers breach notification and data privacy rights. The GDPR’s notification timeline is much shorter—72 hours to the supervisory authority.


Businesses located outside the EU may also be subject to other regulations, such as the Digital Operational Resilience Act (DORA), a cybersecurity statute requiring financial institutions to safeguard against incidents relating to information and communication technology providers. In addition, the EU AI Act categorizes and regulates AI applications and systems by risk level.


Cost of noncompliance

Failure to follow any of these can significantly harm an organization, especially a midsize business or institution with few resources to pay fines, offer restitution to breach victims, or update its cybersecurity systems. Other, less tangible costs, such as brand damage or customer churn, can linger long after the incident is resolved. Ironically, an attacker can use regulatory obligations as a weapon against an organization. They may coerce the business into doing what the attacker wants, threatening to report the breach or to access the data if the business doesn’t follow through.


Anatomy of a breach

In February 2024, Change Healthcare suffered a ransomware attack that forced the payment solutions company to take more than 100 systems and services offline and keep them offline for several weeks. Patients were unable to obtain their medications and had difficulty receiving needed care. Change Healthcare notified the US Department of Health and Human Services in July 2024, reporting that 100 million individuals had been affected—the largest healthcare breach ever reported in the United States.


The organization paid a reported $22 million to the Blackcat ransomware group, which was behind the attack. However, the data was not deleted, enabling another ransomware group to seize the stolen data and also demand a ransom. Blackcat used compromised credentials to remotely access a Citrix portal, gaining remote desktop access. The portal did not require multi-factor authentication, a standard cybersecurity practice.

When all is said and done, the ransomware attack could cost $2.87B in 2024. As of September 30, 2024, UnitedHealth Group reported paying $1.52M in direct response costs and $2.457B in total cyberattack impacts.


The Change Healthcare breach highlights third-party vulnerability and the unforeseen impact such vulnerabilities have on a vendor’s customers. The ease with which the Blackcat ransomware group infiltrated Change Healthcare’s systems caused significant harm to healthcare providers—doctors, dentists, pharmacies, hospitals, and laboratories.


Breach risks to anticipate in 2025

Heading into 2025, we can expect to see the cyber threats that plagued organizations this year: ransomware, social engineering, exploitation of vulnerabilities, third-party weakness, business email compromise, and beyond.


As AI is more widely adopted and evolves at an unprecedented rate, it will be easier for threat actors to launch new and more sophisticated attacks on organizations—even those with a strong cybersecurity program. Attackers will manipulate AI to launch sophisticated phishing, vishing, and social engineering attacks. They’ll also use AI for deepfakes to steal identities, allowing unauthorized access to systems and data without raising red flags.


These attacks will deepen third-party risk. The migration to the cloud presents a similar vulnerability—wherever there’s external connectivity, an organization’s data is at risk for a breach.


And as always, attackers will use the path of least resistance to get inside an organization’s systems and access sensitive data. That path is usually us—humans.


Organizations can reduce their exposure to attacks with a risk-based approach to cybersecurity, which focuses on the organization’s specific cyber risks, their objectives, and what they want to protect.

Additionally, you can eliminate breach risks by using a specifically engineered risk-based managed detection and response (MDR) service such as the one we’ve built at Pondurance.


In future articles, we’ll take a deep dive into specific threats, including AI, and discuss how a risk-based approach can help you minimize your breach risks now and in the future.
