Identity thieves raked in billions with your data, even as breaches fell in 2020

On Data Privacy Day, here's a reminder that breaches can affect you long after your data is stolen.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read

The numbers show fewer people were caught up in data breaches in 2020. But it isn't time to rest easy.

James Martin/CNET

Based on what we know so far, hackers didn't steal as much personal data in 2020 as they did in previous years, but that doesn't mean they weren't able to make plenty of money. According to a report released Thursday by the Identity Theft Resource Center, hackers and identity thieves used stolen passwords and personal information to profit in new ways from your information.

The report, issued to coincide with Data Privacy Day, is a good reminder that stolen personal data has a long afterlife. After you file away a data breach notification, you'll remain at risk of becoming the victim of identity theft or a ransomware attack for a long time to come. Now is as good a time as ever to check your credit reports, health insurance records and bank accounts for anything suspicious. If you think you might be the victim of identity theft, you can contact the US Federal Trade Commission and the Identity Theft Resource Center for help.

These trends show that it's currently more lucrative for criminals to find new ways to make money off previously stolen data or to carry out ransomware attacks than it is to steal loads of consumer data and try to sell it on the black market, Eva Velasquez, president and CEO of the Identity Theft Resource Center. "This is not the time for complacency," she added.

About 1,100 data breaches were publicly disclosed in the US in 2020, according to the report. Those breaches affected about 300 million individuals, the lowest number since since 2015. The number of people caught up in data breaches dropped from more than 2 billion in 2018 to about 880,000 in 2019 before falling again last year.

There are some big caveats in the numbers, however. Breaches we haven't learned about yet may crop up if, for example, we learn the SolarWinds hacks that affected hundreds of companies and government agencies led to breaches of personal information. And 2020 was hardly a banner year for curbing cybercrime. Like many of us in the pandemic, criminals hunkered down and made the best of what they had on hand in 2020.

Last year, identity thieves used stolen personal information to loot unemployment benefits programs across the US, which were awarding higher payouts with federal pandemic relief funds. This led to the theft of more than $11 billion in California alone, and that number will likely go up. People with legitimate claims for unemployment discovered someone else was collecting the funds in their names. Victims who don't already know their identities were used to claim unemployment could face trouble with the IRS when they don't report the income on their 2020 taxes.

Ransomware attacks, often aided by stolen login credentials and super-charged phishing attacks, targeted businesses with deep pockets and caches of personal data in 2020. One such attack hit cloud hosting provider Blackbaud, which paid a ransom to recover the records containing Social Security numbers, financial information, usernames and passwords.

While the company didn't say how much the ransom was, it reported $3.6 million in expenses related to the incident. It also faced 23 proposed class-action lawsuits filed by customers or individuals affected by the ransomware attack.