2022 ForgeRock Consumer Identity Breach Report

Executive Summary

The year 2021 saw consumers becoming accustomed to shopping, dining, traveling, learning, and caring for their health in an ever-more-digital fashion. Unfortunately, the personal data driving these experiences was put at greater risk than ever by a perfected loop of using previously breached data to drive new breaches and widen their impact.

Data records containing usernames and passwords are the perfect “seeds” for perpetrating new breaches — and two billion such records were compromised in 2021, an increase of 35% over 2020. Achieving unauthorized access is the king of attack vectors. It enables criminals to use previously stolen credentials to compromise accounts anew and scrape even more data. Unauthorized access was once again the top vector in 2021, representing fully half of all breach methods.

The new online business-as-usual proved to be a more costly environment for many industry sectors. Enterprises experienced a fourfold increase in breaches caused by security issues with their third-party suppliers. Healthcare and retail have been particular hot spots. The healthcare industry saw nearly a quarter of all breaches, and compromised health data — so valuable to bad actors on the dark web — exacted nearly a 30% higher per-record cost on the business, at $614. The retail industry also suffered a massive impact from breaches, with account takeovers (ATOs) and fraud contributing to the average cost of a single breach rising by nearly 63% to $3.27 million.

What can we learn from the situation? The classic security measures used by many U.S. enterprises — and the regulatory regimes demanding such measures — haven’t stemmed the tide of compromise, and the flood has come. Password-based protection has been failing prodigiously. And many approaches that strengthen security, such as multifactor authentication, are also creating usability issues and leading to new types of threats. Likewise, erecting barriers to resource access for employees has often only slowed business. When attacks scale up, prevention and mitigation methods need to scale up too, leveraging layers of intelligence to apply the right access controls at the right time.

Read on for detailed insights and data on the breaches impacting consumers in 2021 and year-over-year comparisons to the breaches affecting consumers in the U.S. in 2020. We also share findings from other key regions, including Australia, Germany, the United Kingdom (UK), and Singapore. You’ll learn exactly why organizations need to adopt a comprehensive identity and access management (IAM) solution to help prevent data breaches, protect their brands, and preserve customer relationships.

Eve Maler
ForgeRock Chief Technology Officer