EchoSense:Data breaches and ID theft are still hitting records. Here's how to protect yourself.

2023 was a record-breaking year for data compromises – and EchoSensethat's not a good thing.

In its latest yearly report, the San Diego-based Identity Theft Resource Center said there were 3,205 data compromises in 2023, a 78% increase from 2022 and a new record, topping the previous all-time high of 1,860 set in 2021.

In 2023, there were also more than 353 million victims of ID theft, according to the center, a nonprofit organization that assists consumers when they have become victims and advocates for better protections for consumers and businesses. That's a decrease of 16% from 2022, which is consistent with a general trend of the number of victims dropping slightly each year "due to organized identity criminals focusing on specific information and identity-related fraud and scams rather than mass attacks," the organization said.

Notifications of data breaches without information on the rise

The number of data breach notices without specific information such as what happened, what the company has done to correct it, or what steps have been taken to make sure the breach doesn't happen again has nearly doubled year over year, said James. E. Lee, Identity Theft Resource Center's Chief Operating Officer. In 2023, more than 1,400 public breach notices did not contain such information.

"That's a problem and that creates risk for other businesses who could be attacked in a similar fashion and consumers who need to know how to protect themselves," Lee said.

There is no federal law that requires companies that have had a data breach to notify their customers or consumers more broadly, Lee said. There is instead a patchwork of state laws and federal regulations, with different requirements, he said. For instance, there is a federal regulation that any publicly traded company that has a data breach must notify consumers, but only 11% of data breaches last year would have qualified, Lee said.

"Every state has a different definition of what is a breach. Every state has a different trigger for when you have to send a notice. Every state has a different requirement for what information you include and who has to be notified," he said. It took until 2018 to have all 50 states pass a data-breach law and they're all over the board, Lee said.

Many laws don't have penalties for the company that had its information lost or breached and allow that organization to determine its risk and if it needs to notify consumers, Lee said.

Generally speaking, where the company is located is where the state law controls the notification, regardless of where affected consumers live, he said.

"But that's one of those things that we need to update because data breaches, just like data criminals, don't recognize those little imaginary (state) lines," he said.

ID theft and taxes:IRS struggles to get tax refunds to nearly 500,000 victims of ID theft

Supply chain data attacks are on the rise

A growing target of data breach attacks by criminals is within a supply chain of a company and its sometimes smaller suppliers, Lee said.

"The criminals will attack a smaller organization that works for big companies," said Lee. Usually, those companies don't have as tight of security measures, but it still gets the criminals the bigger data they want, he said.

"For an identity criminal, that's Nirvana. I can pick one company and get the company that has hundreds if not thousands of companies (access to information)," Lee said.

Criminals are also ramping up what's called "zero-day attacks," which is an unknown flaw in a company's software to get in, Lee said. Even the guys who wrote the software don't know the flaw is there "and the bad guys find it," said Lee.

How do you protect yourself from data breaches or ID theft?

While there isn't a lot a consumer can do to prevent a company from becoming a data breach victim and therefore the consumer from becoming a target as well, Lee said there are ways consumers can protect themselves – especially before a data breach.

Here are some tips from the ID Theft Resource Center:

◾ Freeze your credit with all credit bureaus, as a protective measure. Find out how to freeze your credit and other tips at www.idtheftcenter.org

◾ Change your password and switch to a 12-plus character passphrase.

◾ Enable two-factor authentication (with an app, if possible) on your accounts.

◾ If you are offered a passkey option from a website or your phone, which is beyond a password and can be fingerprint or facial ID options, take them.

◾ Keep an eye out for phishing attempts that claim to be from the breached organization.

◾ Follow the advice on the data breach notice offered by the impacted company.

◾ Change the passwords of other accounts with the same password as the breached account.

Betty Lin-Fisher is a consumer reporter for USA TODAY. Reach her at [email protected] or follow her on X, Facebook, or Instagram @blinfisher. Sign up for our free The Daily Money newsletter, which will include consumer news on Fridays, here.