Uncloaked: A Cybersecurity Podcast

Ep. 31 | Analyzing the 2026 Data Breach Industry Forecast

BlackCloak Episode 31

As the cost of a data breach in the U.S. rose to more than 10 billion, and with 60 billion records having been compromised since 2024, the impact of online exposure continues to be a vulnerability that high-profile individuals must address. Join industry experts Michael Bruemmer, Head of Global Breach Resolution at Experian, and Dr. Chris Pierson, Founder & CEO of BlackCloak, as they discuss the findings of Experian's 2026 Data Breach Industry Forecast.

If you're interested in learning more, you can request a demo with BlackCloak here, or visit the BlackCloak website

Dan: Welcome to Uncloaked, the Cybersecurity Podcast, brought to you by BlackCloak, the pioneer in digital executive protection and leader in personal concierge cybersecurity. I'm Dan Basco, and today we're talking about the 2026 Data Breach Industry Forecast with a couple of special guests here with me today. No stranger to the show, Dr. Chris Pierson, founder and CEO of BlackCloak. Thanks so much for being here.

Chris: Yeah, great to be here.

Dan: And then we have Michael Bruemmer, Vice President of Global Breach Data Resolution over at Experian, and also a member of the BlackCloak Advisory Board. Thank you so much for being here.

Michael: Thanks, Dan. Thanks for having me.

Dan: You were a key contributor to this research and this big annual report that goes out at Experian, so I'm really interested to dive into some of the data there. You all found that there were over 12,000 breaches in 2025 alone, and that was, of course, worldwide. The global cost of a data breach went down, yet for the US we saw an increase to 10.2 million. Why are we seeing such a disparity between the cost of a US breach versus a global one?

Michael: Well, generally, Dan, the global data breaches aren't as severe as US breaches. One, because there's not as much of a proliferation of PII, but also the tracking in some of the countries, especially outside of the EU, is not as strong as in the United States. Having said that, there's still a great under-reporting of breaches because of the state requirements: only breaches of 500 or 1,000 people and over get reported. And then even with HIPAA and HITECH for healthcare breaches, smaller breaches get reported during the year following the reporting period. Large breaches get reported, and those make headlines. But the real difference in cost is supply chain versus non-supply chain. More breaches are happening further down, at third, fourth, and fifth parties, which causes increased forensics, increased analytics, and then the need to coordinate all the parties, because you have maybe hundreds of companies that are impacted at the fifth party, then tens of thousands of other businesses and millions of consumers. So it just makes it all that much more costly to get the breach notified and out the door.

Dan: Well, yeah, extremely costly. And Chris, I'd love to get your thoughts on that data, as well as the fact that you all also pointed out in the industry forecast that 60 billion records have been compromised just since 2024, and that's just from the Mother of All Breaches. Obviously this drives home the reality of exposure and the cost of exposure.

Chris: It does. I mean, look, the Experian report is cutting edge. It continues to be cutting edge in terms of what we're actually seeing in terms of real risk, real harm to consumers here in the US and globally. The fact of the matter is that companies are losing control of their information, whether it's through a nation-state attack, a cybercriminal attack, or an insider risk. They're losing control of data, and the data that they have and hold continues to increase in terms of its severity. So it's no longer just a name, address, phone number; the Social Security number is attached to a lot of these different records, but also other sensitive information and other sensitive relationships are attached. And so the data that we are seeing out there becomes a lot more worthwhile to cybercriminals, a lot more harmful to the actual consumer in terms of the risks that it may pose. It goes beyond medical information and financial information to what you're doing, where you are, your location, the geo of your different family members and the location of your home or homes. All of that information together presents a really, really juicy target for cybercriminals. It presents an issue in an area which cybercriminals are moving into, from further perpetrating identity theft to just being more convincing on different types of attacks, especially social engineering. They literally know each and everything about you. They know where you live, they know what you do, they know what you frequent. They're able to take that information from breaches, mix it together with data broker information, and create a threat picture that really means that they can social engineer you, your mom, your dad, your other family members, or go ahead and impersonate you in a relationship with somebody else as a trusted party, like a financial institution. And at the end of the day, if the MO is money, then they're able to get a hold of that much more easily.

Dan: And of course, AI is playing a huge role in that, making it more sophisticated, more realistic, and more efficient. And Michael, you all point out in the report that, you know, between 68% and 95% of all breaches lead back to human error. You all are predicting that this year, in 2026, AI will officially overtake as the number one factor there. Can you expand a little bit on that?

Michael: Sure. So this is our 13th annual year doing the predictions, and we've gone back and we've covered a lot of things that have happened very early in the year we predicted it. So far, five out of our six predictions, which are AI-based, have all come true. The one that is still not quite there yet is that AI will replace human error, but because there are so many deepfakes, so many automated ransomware attacks and phishing attacks right now, AI is taking the human error actually out of the equation, because it's making more decisions than humans are. One thing I can say is humans are still responsible, but AI is pervasive regardless of threat vector.

Dan: Yeah, that's fascinating. And you know, Chris, you mentioned how they can mimic an executive, a high-profile individual, with almost near perfection. How can companies tackle this very real problem of AI?

Chris: Yeah. It's interesting. When you talk about artificial intelligence being used for deepfakes, especially deepfakes of an executive, I mean, the attackers certainly have an advantage. The About Us or leadership page of every single company that's out there has the 10 board of directors pictures on there, the 10 C-suite individuals on there, maybe the 10 executive leadership team members on there. It has nice little bios and blurbs: hey, Jennifer's the CEO, married to Larry, they have great kids, Luke and Leia. They're over at the United Way doing volunteer work every Saturday at this location, and they have their dogs Muffy and Buffy. Great, wonderful. Tell us a little bit about them. I know, we laugh, but the website goes further, right? It's got the media PR pack, it's got the low-res, medium-res, high-res image to download. If it's a publicly traded company, then for sure during the earnings call reports you have crystal clear audio of the key executives, especially the CFO. And look, these executives are always on TV, always behind the camera. And so they're always out there in terms of the video input and audio input for a deepfake. So, first of all, the amount of OSINT somebody has to do to figure out who they should target, why they should target them, to get the audio, the video, the images, is child's play. It's all right there. So we've made it really, really easy. There's nothing we can do to really take that back. Solutions that are "let's go watermark, let's go this," I mean, I'm a cybercriminal, I don't have to play by your rules. I'm not gonna go get the official watermarked image and use that for deepfakes. The stuff is out there.

Second, we have to stop with this notion that I, as a chief information security officer, can go ahead and force somebody to come through the Zoom or the Teams link. Because of the breaches that Michael and Experian are pointing out, because of the amount of data out there, I know what their home phone number is, I know what their cell phone numbers are, I know what their personal email addresses are. I have all this information. I can WhatsApp them, I can Signal them, I can hook up with them on LinkedIn, I can call their cell phone, I can call their office line, I can call their home phone. I can actually go target the husband of the CEO. They're not off limits. No way. I'm gonna go target them or the kids, and I'm gonna bring about some type of financial risk there that causes a risk to the individual, a reputational risk to the company, and therefore I can potentially get in. So we have to stop with this notion that we can force people through some official means. What we have to do is take a step back and just have a means and a mechanism by which we can actually allow two people that are executives, or two family members within a closed circle, to verify that someone is who they say they are, because they are part of that membership, this special membership where they actually have different tools available to them to verify once again their identity. That's where we need to go. We have to stop playing this game of whack-a-mole of let's go force people in through different areas. I think this area is exciting. I think it's fast changing. I think the cybercriminals know that they can actually achieve success here, and at this point in time, it's child's play.

Dan: Yeah, addressing the root cause versus putting band-aids on everything.

Chris: Yeah, no, that's very true.

Dan: And you know, switching gears a little bit, because there's a lot in this industry forecast and really insightful stuff. You all talk about the evolution of metamorphic malware, or mutating code, and obviously that just prolongs the wait period, the dwell time, everything. This can obviously affect organizations, but it can also affect individuals as well. In your experience, Michael, dealing with 70,000-plus breaches, how often does a personal account compromise end up serving as a lateral attack into the enterprise itself?

Michael: Well, first of all, Dan, the polymorphic malware, for people that may not understand, the easiest way to describe it is to think of it as SARS-COVID, but an electronic version. So it's mutating, and it's different than what has been out there. In fact, even most recently I saw in Texas there's a new variant of COVID that's coming out, so it hasn't gone away. The thing that is important is most attacks in a corporate environment actually come from a third-party or fourth-party supply chain or even a personal account. It may be someone that's saying, "Hey, I want to send some information from work to my Gmail account," or "I want to go ahead and log in through my cloud account to get to my kids' stuff. Oops, I actually logged into my business account," and they connected the two inadvertently. And because the hackers are following the chain of people visiting different sites or using their personal account, it's easy to track it back, easy to link in. People don't even know they're compromised, and all of a sudden a corporate breach happens in an environment, and people are saying, "How did that happen? We didn't have any attackers that came in through the front door." But it was the back door: employees or C-suite or even in the supply chain.

Dan: Yeah, it's really the path of least resistance a lot of times. And Chris, that was what you were talking about moments ago. How can leadership move from this reactive posture to being more proactive? And in this area, obviously, they don't have insight into the private digital lives of their executives and leadership teams.

Chris: I mean, look, when you think about protecting the company, you have to think about how you extend this cloak of protection over the company. Yeah, you can go ahead and protect the four walls, what's on the inside: the network, the computers, the email, all the rest of these types of things. But look, attackers are gonna go ahead and focus on what's outside the four walls of the company. They go through the path of least resistance. We know, and have known for a vast number of years through a lot of the work we've done in relationship with Experian, that, look, it's never-ending. Attacking consumers is always gonna happen, and it's where the defenses are the lowest. And as a result, cybercriminals have now really put two and two together. And what they're actually saying is, if we can attack X, Y, and Z company, and we can attack them by going through $5 or $10 of cybersecurity as opposed to $200 million, $500 million of cybersecurity, we're gonna do so, because we can still net the same advantage of getting back into the company. And we've seen this in a large number of attacks. As early as 2012, the LinkedIn breach was attacking a key engineer at home, and that engineer had their system at home directly connected into the mothership. I mean, it's just one plus one equals, in that case, a hundred. Right? That was the reason for that large breach. So what we see is that chief information security officers, chief security officers, even chief privacy officers are continuing to look at ways that they can go ahead and protect their executives. We at BlackCloak do digital executive protection, protecting executives, the board, the C-suite, the executive leadership team, plus their family members in their personal lives, so that a financial attack, a reputational attack, even an informational attack as to where they are, what they are doing in their personal life, doesn't cause a risk back into the company. But at the end of the day, all of these executives, all of these leaders are absolutely within the crosshairs of cybercriminals and nation states. They're gonna keep on coming after them there. It's just the path of least resistance.

Dan: We've talked a lot about the risks that are being posed to high-profile individuals and executives today, and then we get to quantum, where obviously this could be a very lengthy discussion that could really go into the weeds. But as we kind of look at this from a high-level view, hackers are now collecting and decrypting data and sitting on it. Is this threat of quantum, Michael, a five-year problem, or is it more of a today problem for data retention?

Michael: The short answer, and you're probably not going to like it, is it's both.

Dan: Okay.

Michael: So according to the CISOs that we surveyed, two-thirds of them see that quantum computing is their biggest threat over the next five years. And then that same group of people also said that agentic AI is 99% faster than traditional methods. So you have the combination of something that is not only going to be explosive in terms of capability, but faster as well. And the thing that I worry about is if we get to the point where not only 256-bit encryption is broken, but we get to 512, then all the algorithms for the protectors are thrown out the window, and it's sort of like opening your windows in a tornado: the wind's coming in. It's like the Wild West at that point.

Dan: Chris, would love your reaction to that.

Chris: I mean, look, the fact of the matter is that encryption, and the levels of encryption that we use in terms of banking, healthcare, finance, in terms of just the communications that are going across the wire right now, live, real time, where you're accessing your Amazon account and all the rest, all of that would be visible and reachable to attackers. That's really horrendously scary. Second, the encryption that is used on the inside of companies between different sets of infrastructure would once again be visible to an attacker that got in. And third, the different data stores that we have, whether it's in the cloud, whether it's in government systems, whether it's in actual physical data centers, or stuff that we actually have today, right? Our encrypted password vaults. All of that would be rendered useless to an adversary as long as they have access to these items. Now, the real scary thing about that is that in many cases, they already do. Right? The LastPass breach, once again a large breach, the LastPass encrypted password vaults all sitting there, even if they are encrypted at the right levels. You now, with quantum, have the ability to actually reach into those. And how many people changed all 187, 200, 500 encrypted passwords that were in those vaults from that breach? It then allows an attacker to come in and study that information and make use of things that were stolen 5, 10, 15, even 20 years ago. And that is really, really scary in terms of what we'll be facing. But I mean, look, we gotta get with the community, we gotta go ahead and try to change things, and we have to try to stay ahead of this threat.

Dan: Amazing insights from both of you. Really appreciate the time here today. You can check out the 2026 Data Breach Industry Forecast over at Experian. A wealth of information there to stew on, and I really appreciate both of you being here to discuss this one today.

Chris and Michael: Pleasure. Thanks, Dan. Appreciate it.

Dan: You can listen to all episodes of Uncloaked at blackcloak.io/podcasts or on your platform of choice. And if you're interested in becoming a member or want to learn more about how to protect your digital life, visit us at blackcloak.io. Thank you for tuning in, and we'll see you next time on Uncloaked.