Data breaches remained at near record levels in 2022, according to the Identity Theft Resource Center’s annual data breach report. The number of breaches totaled 1,802 last year, just 60 short of the all-time high recorded in 2021, making the total number of breaches in 2022 the second-highest on record.
This is despite a slowdown in the first half of the year, brought on by the fact that Russia-based cybercriminals were distracted by the war in Ukraine and volatility in the cryptocurrency markets, according to the Identity Theft Resource Center (ITRC). That trend reversed during the second half of the year as the number of data compromises steadily increased.
While slightly fewer breaches occurred in 2022 compared to 2021, the estimated number of consumers affected totaled 422.1 million, a more than 41% increase. Helping fuel the rise in victims was the revelation in late 2022 that the personal information of 221 million Twitter users was available in illicit identity marketplaces. Prior to that news, the estimated number of victims was trending downward for the sixth consecutive year for the first 11 months of 2022.
The ITRC notes that the reason the number of victims is an estimate is that data-breach notices are increasingly being issued with less information. Just 34% of these notices included victim and attack-vector details last year, compared to 58% in 2021 and 60% in 2020. The percentage of notices that included information about just attack vectors, such as malware, also declined significantly, totaling 58%, compared to 93% in 2021 and approximately 100% in 2020. “Not specified” was the largest category of cyberattacks leading to a data breach in 2022, ahead of phishing and ransomware, according to the report.
The leading reason for the decline in specificity appears to be federal-court decisions requiring proof of actual harm before victims of a breach can file a lawsuit against the company whose data was hacked. Other reasons include companies that suffer a breach choosing for non-legal reasons to share only the bare minimum of information required by state law, and the underreporting of breaches in general, James E. Lee, chief operating officer for the Identity Theft Resource Center, says by email.
According to Lee, court rulings requiring proof of actual harm before filing a lawsuit have led companies to withhold information that could help support a suit unless they are required by a state law to disclose details of the event.
“Most state laws allow the organization that lost control of data to determine if there is a risk of harm. If there is no risk, no notice is required,” Lee says. “There were only seven breach notices on average issued each business day in the United States in 2022 compared to [more than] 350 per day in the European Union. It’s reasonable to believe organizations are making a determination there is no risk, so there is no notice.”
Another reason for the lack of transparency in data-breach notices is a patchwork of state laws, many of which will soon be 20 years old and are not suited for the volume and velocity of data breaches occurring today.
“Most data-breach laws were written at a time when most breaches involved the loss of devices, physical storage media, or paper records,” Lee says. “It is often viewed as not in an organization’s best interest to reveal details unless required. Absent a national standard or updated state laws that provide an incentive or a requirement to provide details, we are likely to see this trend continue.”