
In this episode of Cybersecurity Today, host David Shipley discusses the FBI's report on cybercrime losses in 2024, which reached a record $16.6 billion, marking a 33% increase from the previous year. The report highlights major types of cyber...
David Shipley
The FBI says cybercriminals stole a record $16.6 billion in 2024. Blue Shield of California leaks health data of 4.7 million members to Google. A new report says 86% of global firms hit by ransomware pay up despite having backups. And Verizon's 2025 data breach investigation report says ransomware is now a factor in nearly half of all cyber incidents. This is Cybersecurity Today and I'm your host David Shipley. The FBI is reporting that losses by American individuals and businesses increased a staggering 33% in 2024 from 2023 and hit a record $16.6 billion. The FBI's Internet Crime Coordination Center, or IC3, says it has received 859,000 complaints of suspected Internet crime. Just over a quarter million of those reports involved actual financial losses. The top three reported cybercrimes by number of complaints from victims in 2024 were phishing/spoofing, extortion and personal data breaches. Victims of investment fraud, specifically those involving cryptocurrency, reported the most losses, totaling over $6.5 billion. According to the 2024 report, the most complaints were received from California, Texas and Florida. As a group, people over the age of 60 suffered the most from cybercrime, with losses of nearly $5 billion, and they submitted the greatest number of complaints. Cyber-enabled fraud accounted for nearly 83% of all losses reported to the IC3 in 2024, with 330,981 complaints and a staggering 13.7 billion of the 16.6 billion in losses coming from cyber-enabled fraud. Investment fraud led in total dollars lost at 6.57 billion, followed by business email compromise or BEC scams at 2.77 billion and tech support fraud at 1.46 billion. Sextortion and other forms of extortion experienced a notable surge in 2024, resulting in 54,936 complaints and $33.5 million in losses, a 59% increase in complaints from the previous year.
Other significant scams included emergency scams targeting seniors, such as grandparent scams, which resulted in 357 complaints and $2.7 million in losses; gold courier scams, which involve 525 complaints and $219 million in losses; and toll highway scams, including text message scams about unpaid road tolls, that accounted for 59,271 complaints and over $129,624 in losses. Last but certainly not least, in 2024, more than 4,800 organizations that are deemed critical infrastructure in the United States reported being affected by cyber threats. The most common problems reported by these organizations were data breaches and ransomware attacks. The losses in this report are likely, though, only a fraction of the total actual financial losses by Americans to cybercriminals, as typically only 1 in 10 victims report crimes to police on average, meaning the total losses to cybercriminals from victims in the United States in 2024 could be as high as $166 billion. Blue Shield of California disclosed it suffered a data breach after exposing protected health information of 4.7 million members to Google's analytics and advertising platforms. The nonprofit health plan, which serves nearly 6 million members across California, published a data breach notification on its website stating that member data was exposed between April 2021 and January 2024. According to a breach disclosure notice on the U.S. Health and Human Services Department website, the exposure was caused by a misconfiguration of Google Analytics on certain Blue Shield websites. This resulted in the sensitive data potentially being shared with Google advertising platforms and other advertisers.
The types of data exposed as a result of the misconfiguration include insurance plan names, types and group numbers of plans, city and zip codes, gender, family size, Blue Shield assigned identifiers from members' online accounts, medical claims service date and service provider, patient name and patient financial responsibility, and the "Find a Doctor" search criteria and results including location, plan name and type, provider name and type. Blue Shield noted that other personal information such as Social Security numbers, driver's license numbers, banking and credit card information were not exposed as a result of the incident. Now, interestingly enough, Google is quite clear in its Google Analytics technology platform that that technology is not compliant with the United States Health Insurance Portability and Accountability Act, or HIPAA, and states very clearly the technology must not be used on websites or pages that involve the collection or disclosure of personal health information. But this has been a long-standing problem. In 2023, a cybersecurity firm raised the alarm that many US healthcare websites were violating HIPAA by using Google Analytics or similar tracking technologies from Meta, Adobe or others. 22 different US hospitals were caught up in class action lawsuits in 2022 and 2023 over the use of these kinds of trackers. Bleeping Computer noted that this is the second major cyber incident in the last year for Blue Shield of California. Last year, nearly 1 million health plan members had their data stolen by the BlackSuit ransomware actors who breached the organization's software solutions provider Connecture, formerly Young Consulting. Speaking of ransomware, there's more bad news piling up this week. CSO Online is reporting that enterprises continue to pay ransom demands due to compromised recovery systems and growing data extortion threats.
Despite seemingly more cybersecurity tools today than stars in the sky, organizations around the world are still surrendering to ransomware attackers at a startling rate. According to new research from Rubrik Zero Labs, 86% of organizations globally admitted to paying ransom demands following a cyber attack in the past year. And it seems recovery is still where most organizations' plans are failing. This finding comes from Rubrik's 2025 report, "The State of Data Security: A Distributed Crisis," which surveyed more than 1,600 IT and security leaders across 10 countries, including the United States, the United Kingdom, France, Germany, India and Singapore. In the study, 74% of organizations said their backup and recovery infrastructure was partially compromised, while 35% reported a complete compromise. This targeting of recovery systems has become a hallmark of modern ransomware campaigns. Also on the ransomware roundup, the Verizon data breach report dropped Wednesday with the not so fun fact that almost half of all incidents they reviewed in 2024 involved ransomware. Given the previous story on the high number of enterprises paying, it seems that crime, particularly ransomware crime, continues to pay online. Now my favorite section of the Verizon breach report is always on phishing and phishing simulation training, and the data there this year shows that there is a compounding improvement when it comes to training in reporting of suspicious emails by users. I'll save the rest of my thoughts for the month end review when Jim's back, but I have more thoughts on why phishing simulation training doesn't get click rates to 0, which is a question the Verizon data breach report talks about. And I'll have some new fresh data from Beauceron's work on why people click. I'll be on the road this week in San Francisco attending BSides in RSA.
If you'd like to meet, drop me a note@david.shipleyceronsecurity.com and I'd love to chat about cybersecurity or what you might like to see on the podcast. I've been your host David Shipley, sitting in for Jim Love who will be back on Wednesday. Thanks for listening.
Cybersecurity Today: Record-Breaking Cybercrime Losses and Data Breaches in 2024
Host: David Shipley (filling in for Jim Love)
Release Date: April 25, 2025
In the April 25, 2025 episode of Cybersecurity Today, host David Shipley delves into the alarming surge in cybercrime activities during 2024. Focusing on record-breaking financial losses, significant data breaches, and the evolving tactics of cybercriminals, Shipley provides listeners with a comprehensive overview of the current cybersecurity landscape and offers actionable insights for businesses striving to protect themselves in an increasingly perilous digital environment.
David Shipley opens the episode with a stark revelation from the FBI:
"The FBI says cybercriminals stole a record $16.6 billion in 2024." [00:00]
This figure marks a 33% increase in losses compared to 2023, underscoring the escalating threat posed by cybercriminals to both individuals and businesses in the United States.
Key Statistics:
Top Cybercrimes Reported:
Investment Fraud Dominance:
Geographical Impact:
Demographic Vulnerability:
Shipley emphasizes that cyber-enabled fraud constitutes nearly 83% of all reported losses, amounting to a staggering $13.7 billion out of the total losses. Within this category, investment fraud leads with $6.57 billion, followed by business email compromise (BEC) scams at $2.77 billion, and tech support fraud at $1.46 billion.
A significant highlight of the episode is the extensive data breach experienced by Blue Shield of California:
"Blue Shield of California leaked health data of 4.7 million members to Google." [00:00]
Details of the Breach:
Importantly, Shipley notes that no highly sensitive personal information like Social Security numbers, driver's licenses, or financial data such as banking and credit card information was compromised.
Compliance Issues: Google explicitly states that its Google Analytics platform is not HIPAA-compliant and should not be used on websites handling personal health information. This incident is part of a broader trend where numerous U.S. healthcare websites have violated HIPAA regulations by utilizing non-compliant tracking technologies, leading to multiple class-action lawsuits against hospitals and health organizations.
Prior Incidents: Blue Shield of California has faced previous cyber incidents, including a ransomware attack last year that compromised nearly 1 million health plan members' data.
Shipley shifts focus to the persistent threat of ransomware:
"Enterprises continue to pay ransom demands due to compromised recovery systems and growing data extortion threats." [00:00]
Key findings from recent reports include:
Rubrik Zero Labs’ 2025 Report: "The State of Data Security: A Distributed Crisis"
Challenges Highlighted:
Verizon’s 2025 Data Breach Investigation Report:
Shipley underscores the distressing trend that ransomware remains a lucrative venture for cybercriminals, as evidenced by high payment rates and the significant financial impact on organizations worldwide.
Addressing another critical area of cyber threats, Shipley discusses advancements and ongoing challenges in phishing prevention:
"There is a compounding improvement when it comes to training in reporting of suspicious emails by users." [00:00]
Key Points:
He mentions upcoming insights from Beauceron's research on user behavior related to phishing, promising valuable information on mitigating click-through rates.
As the episode wraps up, David Shipley shares his plans to attend cybersecurity events and engage with listeners:
"If you'd like to meet, drop me a note@david.shipleyceronsecurity.com and I'd love to chat about cybersecurity or what you might like to see on the podcast." [End of Transcript]
He teases more in-depth analysis and discussions for future episodes, aiming to provide listeners with the latest data and strategies to combat evolving cyber threats.
This episode of Cybersecurity Today offers a comprehensive examination of the escalating cyber threats faced by individuals and organizations in 2024. From record financial losses and significant data breaches to the persistent menace of ransomware and the ongoing battle against phishing, David Shipley equips listeners with essential knowledge and insights to navigate the complex cybersecurity landscape. As cybercriminals become more sophisticated, staying informed and proactive remains crucial for safeguarding sensitive information and maintaining organizational resilience.