Kiteworks has released a comprehensive report detailing the eleven most significant data breaches of 2024, evaluated through the company’s proprietary Risk Exposure Index (REI). This index employs a multi-faceted approach to accurately assess the impact of these breaches, moving beyond mere statistics of exposed records to focus on critical elements such as data sensitivity, financial repercussions, regulatory effects, and the sophistication of the attacks.
The REI, newly introduced in 2024, aims to provide a refined perspective on breach severity by emphasizing the specific characteristics of the compromised data alongside other essential metrics. Notably, data sensitivity has been identified as the most impactful criterion, accounting for 24% of the total risk score, thereby surpassing other evaluated factors in relevance.
According to Tim Freestone, Chief Marketing Officer at Kiteworks, this assessment underscores the inadequacies of traditional breach reporting methods. Freestone emphasized, “When we shift our focus from headline numbers to a nuanced analysis, it is clear that the sensitivity of the data compromised plays a pivotal role in determining the breach’s severity. This understanding enables organizations to strategically allocate their security resources.”
The report indicates that breaches in the healthcare and financial sectors—domains characterized by particularly sensitive data—achieved some of the highest risk scores, regardless of the total count of exposed records. In fact, the correlation between data sensitivity and risk score was exceptionally robust in these industries, with a correlation coefficient of 0.78.
Among the breaches cataloged, the Change Healthcare incident received a perfect 10.0 score for Supply Chain Impact, reflecting what Kiteworks described as “catastrophic downstream effects” on numerous healthcare providers. Conversely, the National Public Data breach, although impacting fewer records, still garnered a significant Supply Chain Impact score of 8.5, indicating that the methodology captures broader consequences within affected ecosystems.
The assessment also evaluated the Attack Vector Sophistication, showcasing substantial variability among the breaches. The DemandScience breach recorded a relatively low score of 5.4 in this category, whereas the National Public Data breach achieved a score of 8.4, indicative of advanced exploitation techniques. This disparity highlights the diverse strategies employed by threat actors, ranging from basic system misconfigurations to sophisticated cyber attacks.
The overall rankings positioned the National Public Data breach at the forefront with a risk score of 8.93, followed closely by Change Healthcare (8.7), Ticketmaster Entertainment (8.7), and AT&T (8.5). Additional breaches such as those involving Hot Topic, LoanDepot, and Kaiser Foundation Health Plan received lower scores, with the least impactful incidents being DemandScience and the U.S. Environmental Protection Agency.
In a broader analysis of all breaches surveyed, data sensitivity was closely followed by financial impact, which contributed 22% to the overall risk assessment. The financial ramifications, consisting of direct losses and disruptions across ecosystems, proved to be particularly severe, while regulatory implications played a significant role in heavily regulated sectors. The report underscores the heightened vulnerability of industries lacking robust supply chain and third-party risk management frameworks.
Patrick Spencer, Vice President of Corporate Marketing and Research at Kiteworks, reinforced the value of their Risk Exposure Index in illuminating factors that are typically challenging to quantify. Spencer noted that data sensitivity remains the paramount contributor to breach severity, indicating that the nature of the stolen data is far more critical than the volume. This perspective urges organizations to focus on safeguarding their most sensitive information throughout its lifecycle, particularly as third-party risk management continues to lag behind in maturity, thus creating vulnerabilities that are increasingly targeted by cyber adversaries.
As highlighted in the report, the most significant breaches of 2024 exhibited varying scores across Supply Chain Impact and Attack Vector Sophistication, while nevertheless yielding comparably high overall risk scores. This framework aims to furnish organizations with a clearer understanding of their exposure, thus streamlining their risk management priorities in an evolving threat landscape. Utilizing the MITRE ATT&CK Matrix, it remains pertinent for organizations to consider potential adversary tactics, such as initial access through phishing, persistence via backdoors, and privilege escalation techniques, that may have been employed in these incidents. Understanding these tactics can greatly enhance an organization’s defensive strategies, ensuring more effective preparation against future cyber threats.
