
According to the Identity Theft Resource Center (ITRC) Annual Data Breach Report, the number of people whose data was exposed or stolen in data breaches quadrupled in 2024. Yes, you read that right – a total of approximately 1.7 billion people were affected by data breaches last year. (And that’s just what’s actually been reported on!)
What was the reason these breaches happened in the first place? Most of them stemmed from ignoring basic cybersecurity measures, such as simply enabling multifactor authentication (MFA), which – déjà vu – was the same scenario in 2023. In addition, organizations fell victim to the same types of attacks as in previous years, namely ransomware, phishing, and social engineering. Because organizations continue to resist modernizing their security tools, processes, and policies to address the evolving threat landscape, breaches continue to happen.
Let’s look at the MFA situation specifically: Even though more secure technologies, such as phishing-resistant MFA, have become prevalent over the past few years, many companies still rely on basic forms of authentication like usernames and passwords or basic MFA, which continues to leave them vulnerable. The federal government, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the U.S. White House Office of Management and Budget (OMB), has issued guidance on the need to implement phishing-resistant MFA. And yet, even guidance at the highest levels isn’t spurring action within companies.
The question is: Will we ever learn and implement stronger authentication methods?
A Summary of the Top 2024 Data Breaches
The three largest breaches that occurred in 2024 by number of victims were Ticketmaster, followed by Advance Auto Parts, and Change Healthcare. Let’s take a look at these three examples, what went wrong, and what we can learn from them.
- Ticketmaster: When the breach became known in January, it was estimated that 560 million people had their data stolen. The breach occurred because threat actors targeted Snowflake customers with a phishing campaign: employees received fake emails containing links or attachments that, when opened, allowed the attackers to steal login credentials and use them to access sensitive data. This was so easy because MFA, the most basic of security measures, wasn’t even implemented. The actors gained access to these customers’ data, including names, addresses, email addresses, and partial payment details. The extent of the breach is still being investigated, and we will likely not know the full effects for quite some time. Ticketmaster stated it has since implemented “enhanced security measures” to prevent similar attacks in the future.
- Advance Auto Parts: In May, Advance Auto Parts was breached, affecting 380 million people. The breach occurred when a single threat actor used stolen credentials, obtained from multiple infostealer malware infections, to access a Snowflake customer database, much like the Ticketmaster breach. However, in this case, the stolen information had been collected as part of the company’s job application process and included data such as names, social security numbers, driver’s license or other government-issued ID numbers, and dates of birth. As a result, Advance Auto Parts offered victims 12 months of free identity theft protection and credit monitoring services through Experian.
- Change Healthcare: In February, the Change Healthcare cyberattack marked the largest breach of medical data in U.S. history and caused months of outages across the U.S. healthcare system. The breach was the result of a ransomware attack, which ultimately affected 190 million people. Sensitive healthcare data, including patient information (names, addresses, dates of birth, insurance details), medical records, and billing details, was published before the company paid two different ransoms to have the information taken down. In addition, payment data like credit card numbers might also have been exposed. The breach was caused by a server that was not protected by MFA, which the threat actors accessed using a stolen credential.
The Desperate Need for a Modern Credential Management System
Stolen passwords were at the root of all three of the biggest breaches of 2024. It’s clear that passwords alone can no longer keep threat actors at bay. Stronger methods of authentication, such as passwordless, phishing-resistant MFA that relies on strong FIDO- or TLS-based digital credentials, are the only way organizations can protect themselves and avoid being breached.
We’ve known this for years. So why are organizations still resisting change? For some, it’s the fear of the unknown, and for others, it’s a lack of time and resources to make the leap from passwords to passwordless, phishing-resistant MFA.
Compounding the problem, there is widespread confusion in the industry about what phishing-resistant MFA actually is, so some organizations think they’re implementing it when they aren’t. Many vendors contribute to this problem by falsely claiming to offer phishing-resistant capabilities. However, passwords, SMS and voice MFA, one-time passwords and token-based OTP, and mobile push with number matching are NOT phishing-resistant.
According to CISA, there are only two approaches to phishing-resistant MFA: certificate-based authentication (CBA) backed by public key infrastructure (PKI), and authentication technology complying with the Fast Identity Online (FIDO) standard (FIDO passkeys).
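What makes a FIDO passkey phishing-resistant, unlike an OTP or push prompt, is that the browser binds each assertion to the site’s origin and the authenticator scopes the key to the relying-party ID, and the server checks both before it ever looks at a signature. The following is an added illustration, not Axiad’s code or a complete WebAuthn implementation (signature verification is omitted); the relying-party ID, allowed origin and challenge are assumed values, and the sample messages are constructed for the demonstration.

```python
# Added example: the origin/RP-ID/challenge checks a relying party performs
# on a WebAuthn assertion, with constructed messages from the real site and
# from a lookalike site that relays the same server challenge.
import base64
import hashlib
import json
import secrets

RP_ID = "example.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://example.com"}  # assumed origin(s) for RP_ID
CHALLENGE = bytes(range(32))               # constructed per-session challenge

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def verify_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes):
    """Return (ok, reason) for the binding checks that precede signature verification."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), challenge):
        return False, "challenge mismatch (replay or cross-session relay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:   # browser-supplied, not user-typed
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if len(auth_data) < 37:                        # rpIdHash(32) + flags(1) + signCount(4)
        return False, "authenticator data too short"
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match the relying party"
    flags = auth_data[32]
    if not flags & 0x01:                           # UP: user presence
        return False, "user presence flag not set"
    if not flags & 0x04:                           # UV: user verification (PIN/biometric)
        return False, "user verification flag not set"
    return True, "binding checks passed; verify the signature next"

def sample_client_data(origin: str) -> bytes:
    # Constructed clientDataJSON as the browser would produce it for `origin`.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE), "origin": origin}).encode()

def sample_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    # Constructed authenticatorData: rpIdHash, flags (UP|UV by default), signCount=1.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")

if __name__ == "__main__":
    print(verify_binding(sample_client_data("https://example.com"), sample_auth_data("example.com"), CHALLENGE))
    print(verify_binding(sample_client_data("https://examp1e.com"), sample_auth_data("examp1e.com"), CHALLENGE))
```

The second call fails on the origin check, which is exactly the step an OTP or push approval has no equivalent of: the stolen code would simply be relayed.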
Axiad Conductor empowers hundreds of organizations to streamline their journey to passwordless, phishing-resistant MFA. It modernizes credential management with a robust authentication toolset that enables companies to consolidate and enhance existing identity systems. Specifically, it provides a consistent management layer to control all hardware devices, digital certificates, and FIDO passkeys in a single, integrated solution. It also seamlessly integrates with existing IAM infrastructures, so there’s no need to rip and replace existing technologies.
Implementing MFA can be daunting, but it doesn’t have to be. Want to learn more about how you can implement phishing-resistant MFA methods to better protect your organization from identity security risks? Don’t wait for your passwordless future. Contact us for a demo today.