The ForgeRock Consumer Identity Breach Report: the Battle to Contain Unauthorized Access


U.S. organizations spent $1.2 trillion in recovery costs related to breaches  

The ForgeRock 2020 Consumer Identity Breach Report is here, providing insights into global threat activity and the impact felt by enterprises that have been attacked. This year’s report reveals that, for the second year in a row, identity remains a major weakness of the web and continues to drive sky-high clean-up costs for enterprises.

In looking at the year-over-year comparisons, it’s disheartening to see the bad guys continue to succeed. We saw increases in every category and across every region we inspected. Here are just a few of the major trends that emerged in the last year about data breaches:

  • Healthcare was once again the most frequently targeted industry (43% of all breaches). Technology firms, on the other hand, had the highest number of records compromised (over 1.37 billion records exposed).
  • Unauthorized access, the nemesis of IAM professionals everywhere, was by far the most common attack vector, responsible for 40% of breaches, with ransomware/malware and phishing trailing distantly at 15% and 14%.
  • Breaches cost U.S. organizations over $1.2 trillion, nearly doubling the previous year’s cost, and the data was nearly all PII (98%).

The report is packed with data and insights, and we’ve expanded our focus beyond the U.S. to include perspectives from the U.K., Australia and Germany.

Here’s my take: When it comes to data breaches, security on the internet continues to be an identity problem. Poor access management is hurting consumers and enterprises the world over, so there’s no better time to implement a modern IAM platform that offers dynamic and adaptive solutions to today’s problems.

It's an exciting time for achieving cybersecurity and data privacy goals, but what does success look like? To me, it's about democratizing data control. That means putting your known users onto a passwordless express lane while sending cybercriminals through extra authentication hoops. It means keeping personal data packets within the right jurisdictional boundaries for privacy compliance, and preparing for the regulatory future as well as the present. And it means empowering your applications to control their own boundaries to realize your Zero Trust strategy, and empowering your users to control their own permissions to foster mutual trust and confidence.

Click here to see the full report.