Data Breaches and Cyber Attacks Quarterly Review: Q1 2023

Welcome to our first quarterly review of security incidents for 2023, in which we take a closer look at the information gathered in our monthly list of data breaches and cyber attacks.

In this article, you’ll find an overview of the cyber security landscape from the past three months, including the latest statistics and our observations.

This includes year-on-year comparisons in the number of publicly disclosed data breaches, a review of the most breached sectors and a running total of incidents for the year.


IT Governance discovered 310 security incidents between January and March 2023, which accounted for 349,171,305 breached records.

This represents a 12.7% increase on the number of security incidents that we saw in Q4 2022, but the number of breached records has increased more than threefold.

How security incidents are occurring

In compiling our monthly lists, we distinguish between breaches caused by an organisation leaking data by mistake (‘data breaches’) and those that are the result of criminal hacking (‘cyber attacks’).

We also place ransomware in its own category, due in part to the frequency of attacks and in order to differentiate it from intrusions that may be harder to detect, such as password breaches.

Separating security incidents in this way reveals more about how security incidents happen and who is to blame, as you can see in this chart:

As has consistently been the case, cyber attacks were the most common type of security incident. In Q1 2023, we found 163 cyber attacks, which represents over half of the publicly disclosed incidents that we detected.

Phishing and malware are among the most common types of cyber attacks, but in many cases the breached organisation doesn’t disclose how it fell victim.

That’s often a deliberate strategy as it doesn’t want to publicise its vulnerability – particularly if it’s still working on a solution.

Elsewhere, we continue to see an increase in publicly reported ransomware attacks. There were 98 such instances in Q1 2023, which is almost double the number we saw at this point last year (50).

A contributing factor to this is the continued evolution of cyber criminals’ techniques. Ransomware soared in popularity at the end of the last decade, with a relatively simple method: attackers would infect organisations’ systems with malware that would worm through their systems encrypting data.

With the victims unable to access their files or systems, they felt compelled to meet the criminals’ ransom demands, paying huge sums of money in the hope that the attackers would keep their word and free their systems.

However, as this technique became well-known, experts urged organisations to prepare for attacks by creating regular offline backups of valuable data.

This meant that targeted organisations could wipe the infected files and rebuild their systems in a safe environment without having to interact with the criminals.

It resulted in a drop-off in publicly reported ransomware attacks, and it hit its nadir (or peak, depending on how you look at it) at the start of 2022.

But cyber criminals have responded with a new method of attacks that has come to be known as ‘double extortion’.

With these attacks, the criminal hackers don’t simply encrypt organisations’ systems and demand money for the safe return of the data. They also threaten to publish the information online if they don’t get their money.

This is intended to give the organisations an added motive to negotiate, but the reality is that criminal hackers were leaking the data in most cases even when ransom payments were consistently successful.

There is no way to prove that the criminal hackers are deleting the stolen information – or even that they haven’t already used that information for fraud by the time they contact the organisation in an extortion attempt.

It’s one of the reasons that cyber security experts warn against ransom payments. Another factor is that whatever a cyber criminal does with the data, the information is still considered to be compromised in a legal sense, and organisations must report the incident according to their regulatory requirements.

Paying the ransom is never a good idea, no matter what a cyber criminal threatens you with. By this point, the damage has been done and your resources should be focused on responding to the incident and public relations.

If you are facing a cyber security disaster, IT Governance is here to help. Our Cyber Incident Response service provides the help you need to deal with the threat, as our experts guide you through the recovery process.

They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.

How many records have been compromised?

As we often note, it’s hard to know definitively how many records have been compromised, because few publicly disclosed breaches contain this information.

However, in the incidents where this information was revealed, there were 349,171,305 breached records in total.

Which sectors are most vulnerable?

The healthcare sector accounted for the most security incidents in Q1 (84). It was followed by the education sector (55) – and between them they accounted for 45% of all incidents that we identified.

The other big contributors were the technology sector (36 incidents), the public sector (35), and the retail and leisure sector (27).

Protect your organisation with IT Governance

IT Governance offers a range of resources to help you navigate the threat landscape, including cyber security software, training courses, books and toolkits.

Those looking for advice on where to get started may be interested in reading The Data Breach Survival Guide.

This free guide provides a six-step outline on how to respond to a security incident.

Whether you’re hit by a cyber criminal or you discover an internal error, we can show you how to respond effectively and mitigate the risk.