Old Data Breaches Pose Present Threat

The list of current cyber threats to your business grows by the day. Threat actors and criminals develop new tactics to trend with the times, infiltrating companies large and small alike. Instances of ransomware and malware, alongside recent breaches to some government and business sectors at the highest levels, demonstrate that no organization is immune to the current cybercrime environment.

While these developments are certainly worth keeping a steady eye on, monitoring newly emerging threats is only one facet of effective cybersecurity. Equally important is the realization that old data breaches can be exploited for years by the thieves and hackers who retain access to precious personal information associated with the data breach event. Trends and news in the industry demonstrate how security breaches from years past are still being leveraged to commit massive fraud against both businesses and consumers.

Old data breaches your company may have experienced in the past pose a present threat. Even if steps have been taken to improve security and rectify a breach, menacing issues can persist far into the future. It’s worth examining this stark reality to safeguard your business and its customers from these unending data dangers.

Data Breaches Decline in 2020

The number of data breaches declined in 2020 compared to the previous year by nearly 20% (ITRC, 2021). Over 300 million individuals were affected by data breaches that were publicly reported last year, and while that is a massive number, it is actually down 66% from 2019 (ITRC, 2021). This seems like good news and might lead to the thinking that these downward trending statistics indicate security measures are improving and threats are being mitigated. 2020 may be an anomaly of a year for a variety of reasons, but these numbers don’t quite represent the far-reaching threat of older data breaches.

In reality, cybercriminals can still profit off of the data stolen during previous breaches. This is a more than plausible reason for the figures listed above. Why take the risk and effort to pursue new attacks when the information needed to commit cyber fraud is already accessible? 

New Fraud, Old Data

Cybercriminals don’t need to constantly steal personal information from large companies to commit nefarious actions. They can simply look for new ways to benefit from the data they already have access to through previous thefts. Fewer data breaches occurring does not mean that fewer instances of fraud are following suit. Threat actors are constantly uncovering new ways to commit identity theft, and they don’t need to acquire new data to do so.

New methods to utilize personal information to commit identity fraud were on full display during 2020. Opportunities created by the pandemic, such as the PPP loan program and a massive rise in unemployment, gave criminals easy angles to exploit. They didn’t need to steal new data to seize on these fruitful fraud schemes. Instead, they simply used the PII already gleaned from previous breaches to take advantage of a developing situation.

Once a data breach occurs and stolen information is acquired, it can have a nearly endless shelf life. This means criminals can apply a number of different tactics to squeeze the stolen data for all it is worth. They don’t always use stolen information immediately, and they don’t need to.

Data Breach Requirements Cause Complications

The process for dealing with a data breach is complex, as any business who has pushed through the experience can attest to. It can result in a loss of consumer trust, legal ramifications, and ongoing financial issues. There are also a number of complications that result from varying reporting requirements which can delay informing the individuals who have had their personal information compromised. This gives data thieves even more time to explore fraud options through use of stolen data.

Reporting requirements imposed by state and federal agencies vary drastically. And for the many companies with customers in multiple states, following all of the differing regulations can be time and resource consuming. Some requirements dictate that organizations need to publicly report a breach only after confirming consumer data is at risk. This can keep consumers unaware of potential breaches while a company sorts through an assessment, leaving nothing but time for any compromised data to be funneled around criminal networks. 

More standardized requirements could be looming as regulators see the problems that this patchwork creates. For now, it’s an ongoing issue that helps cybercriminals capitalize at the expense of businesses dealing with a data breach and consumers who have had their personal information compromised.

Awareness is Key

Any data breach opens the doors for potential identity theft – in the immediate aftermath of the event and for years down the road. Proper and timely notification to victims is essential to inform consumers of the security threat as soon as possible to limit its effects and monitor for fraud.

No organization wants to experience a breach, but informing customers is key to maintaining credibility and trust. As the public learns more about how common these threats are and the dangers they present, they will be far less likely to tolerate delayed knowledge of a breach that affects their personal information.

Companies and victims often forget about a data breach after the alarm has sounded and first steps towards restoration are taken. Reporting a breach is an essential step but it does not eliminate the potential for future threats. Awareness is key in this regard.

Letting your guard down is natural but having a plan in place to deal with the present threat of old data breaches is critical.  If your organization has experienced a data breach, make sure to inform your customers and employees so they can limit the scope of continued threats.

LibertyID is the leader in identity theft restoration, having restored the identities of tens of thousands of individuals without fail. If you retain personal information on your customers, now is the time to get data breach planning and a response program in place with our LibertyID for Small Business data breach preparation program. With LibertyID Enterprise you can now add value to existing products, services, or relationships by covering your customers, employees, or members with LibertyID’s fully managed identity theft restoration service – at a fraction of our retail price – with no enrollment and no file sharing. We have no direct communication with your group members – until they need us.

Call us now for a now obligation proposal at 844-44-LIBERTY (844) 445-4237


Identity Theft Resource Center. 2020 in review: Data Breach Report. Jan. 28, 2021.