At least the hackers are happy: Last year was another bumper year for data breaches in the United States.
In 2022, U.S. organizations issued 1,802 data breach notifications, reporting the exposure of records or personal information affecting more than 400 million individuals, the Identity Theft Resource Center reports.
That figure is just 60 breaches shy of the 1,862 breaches in the U.S. that ITRC counted in 2021.
“While we did not set a record for the number of data compromises in the U.S. last year, we came close,” says Eva Velasquez, president and CEO of the ITRC.
That near miss occurred despite a notable dip in data breach volumes during the first half of 2022. Velasquez says Russia-based criminals were likely preoccupied back then by their country’s invasion of Ukraine and by volatility in the cryptocurrency market. In the second half of the year, breach volume began to surge again.
The organizations sporting the biggest known 2022 breaches included Twitter, with 222 million records exposed; Neopets, with 69 million victims; AT&T Data, with 23 million victims; and Cash App Investing, with 8.2 million victims.
Based on breach reports, the attributes most often exposed were victims’ names, followed by Social Security numbers, birthdates, current home addresses, driver’s license or state identification numbers, medical details, and bank account numbers.
Leading Breach Vector: Online Attacks
Breached organizations reported that the catch-all category of “online attack” was the leading culprit for data breaches in 2022, followed by phishing or business email compromise and then ransomware and malware. All of that is a far cry from 2005, when ITRC reported that lost paper records or backup tapes and lost or stolen laptops were the chief culprits.
Transparency and underreporting continue to be serious problems for gauging the true extent of the data breach epidemic. Last year, organizations collectively tallied 422 million individuals as having been affected by a breach. But 68% of all breach notifications didn’t include a count of how many individuals had been affected or how they were affected. In addition, 42% didn’t include attack details.
“You combine those two statistics together, and we only had 34% of the data breach notices include actionable information,” says James Lee, ITRC’s chief operating officer.
“This has resulted in less reliable data that impairs consumers, businesses and government entities from making informed decisions about the risk of a data compromise and the actions to take if impacted by one,” Velasquez says.
Other organizations – especially those in the same sector as a victim organization or with a similar IT infrastructure – often use breach reports to glean the latest intelligence on threats, so they can better protect themselves.
The paucity of information also makes it difficult for consumer victims to know what risk they face. This is one intent of states’ data breach notification laws: to give consumers actionable information they can use to protect themselves after an organization holding their personal details exposes them (see: Data Breach Notifications: What’s Optimal Timing?).
Especially in an age in which data breach fatigue is now commonplace, Lee says failing to empower consumers puts them at greater risk.
Giving them such details enables them to understand “if it’s something they need to take immediately to protect themselves, or it’s something that can wait a day or two, or maybe they don’t need to do much at all,” he says. “Without that kind of information being shared in these data breach notices, no one knows what to do, and that increases risk, and that’s a very, very troubling trend.”