The volume of publicly reported data breaches and leaks remained at a near-record level in 2022, although consumers and businesses are being let down by the paucity of information provided by breached companies, according to the Identity Theft Resource Center (ITRC).
The non-profit’s 2022 Data Breach Report is compiled from company announcements, mainstream news media, government agencies, recognized security research firms and researchers, and other non-profit organizations.
The overall volume of “data compromises” for the year stood at 1802, the vast majority of which (1774) were traditional breaches. The ITRC also recorded 18 data “exposures,” which are usually brought about by cloud misconfigurations, and 10 incidents where the details are still unknown.
While total breach volumes have plateaued somewhat after last year’s record high of 1862 incidents, the number of impacted victims surged by over 40% year-on-year to 422 million.
However, this is largely down to a major Twitter incident, which affected over 200 million individuals. Without this, the figure was on track to have declined by 33% over the period.
The next biggest breaches of the year were at Neopets (69 million) and AT&T Data (23 million).
Phishing and exploits remained the number one vector for breach actors, followed by ransomware.
The ITRC also flagged a concerning rise in supply chain attacks.
More than 10 million people were impacted by attacks targeting 1743 organizations with access to multiple companies’ data, while 4.3 million people were affected by 70 malware-based cyber-attacks, the report revealed.
However, the ITRC’s job is getting harder due to the increasingly opaque nature of public data breach notices.
Just a third (34%) of these notices included both victim and attack details in 2022, the lowest figure in five years and a 50% decline from 2019.
“In other words, the information individuals and businesses needed to determine the risk to their identity information after a compromise was not included in approximately two-thirds of all public breach notices,” wrote ITRC CEO Eva Velasquez in her opening remarks.
“The result of these trends is less reliable data that impairs the ability of individuals, businesses and government officials to make informed decisions about the risk of a data compromise and the actions to take in the aftermath of one.”
This can partly be explained by the lack of a current federal breach notification law fit for the digital age, she continued.
Most states still leave it to the compromised organization to determine the risk that a breach poses to those affected, which needlessly exposes consumers to a “scamdemic” of follow-on identity fraud, Velasquez argued.