Supply Chain Attacks Rise While Other Breaches Dip Slightly - Tecbound Technology

Every IT professional dreads their company suffering a data breach. However, in today’s volatile cybercrime landscape, many companies find themselves in that unenviable position every year. Plus, the cost of a data breach rises every year as well, reaching a record $4.35 million in 2021. In 2022, supply chain attacks grew in prominence, opening businesses up to new avenues of danger. But there was some good news: while more people than ever before were impacted by a data breach in 2022, the total number of recorded data breaches dipped slightly.

Data breach numbers are down but the victim count is up:

According to the 2022 Data Breach Report by the Identity Theft Resource Center (ITRC), there were 1802 data compromise incidents in 2022, 60 fewer than the previous all-time high of 1862 set in 2021. But fewer breaches don’t translate into fewer data breach victims. The estimated number of people who became victims of a data breach in 2022 increased sharply compared to 2021, up more than 40% to 422.1 million people. Here are some notable stats in the report.

[Image: 2022 Data Breach Report]

Key Findings Indicate Some Breach Risks Are Growing:

  • Data breaches surged during the second half of 2022:

According to ITRC, the first half of 2022 was relatively quiet on the data breach front for organizations compared to the latter half of the year. The analysts in this report attribute this decline in data compromise numbers to the conflict in Eastern Europe between Russia and Ukraine. As Russia-based cybercriminal groups were distracted or disbanded due to the war, there was an overall drop in ransomware and other data compromise incidents.

However, the second half of 2022 witnessed a 21% increase in security incidents, spoiling what would have been an excellent year for organizations in terms of cyber incidents. The cyberattack on Twitter, where information of 221 million Twitter users was made available in dark web markets, was the most significant contributor to this rise. During the same period, identity impersonation scams also surged remarkably, contributing to the increase in cyberattack figures.

  • Lack of transparency in information sharing:

In 2003, the Breach Notification Law was enacted to help individuals and businesses understand the relative risk of a security breach and the required steps to protect themselves against similar attacks. However, in the last few years, companies have grown apathetic toward sharing comprehensive data breach information on public forums. From conglomerates like Samsung to SMBs like LastPass, many businesses have decided to include little or no detail about what happened and who was impacted in their mandated breach notices. According to the ITRC report, 66% of companies that disclosed a data breach in 2022 shared very little information on the data breach. Experts point at a desire to protect their company against lawsuits as a likely factor.

  • A rise in supply chain attacks:

Malware-related cyberattacks have typically topped the charts because they are popular among cybercriminals, thanks to their generally high success rate compared to other cyberattack methods. However, that’s not the avenue of attack that is growing the most. Instead, the number of supply chain attacks surpassed the number of malware-based attacks by almost 40% in 2022. While malware-related attacks impacted 4.3 million people, more than 10 million were impacted by supply chain attacks targeting 1,743 entities.

Large data breaches show the rising tide of breaches in the second half of 2022:

These data breach incidents were cited in the ITRC reports as particularly impactful in 2022:

  • Twitter

In December 2022, many hackers and cybersecurity researchers announced that more than 400 million accounts attached to an estimated 221 million users of Twitter were on sale on various dark web forums. It is believed that cybercriminals exploited a software vulnerability, which Twitter allegedly fixed earlier. Twitter did not confirm the attack that impacted more than 221 million people around the globe.

  • AT&T

In August 2022, cybersecurity experts found 22.8 million unique email addresses and 23 million unique Social Security numbers, believed to be related to customers of AT&T, on a popular dark web site. The breach allegedly exposed the data of more than 22 million people. Although AT&T acknowledged that the stolen data “may be tied to a previous data incident at another company,” it denied the information was stolen from its systems.

  • LastPass

In August 2022, LastPass announced that cybercriminals had gained access to its source code and software development information but reported that they had failed to access customer information. However, in December the company retracted its earlier announcement and said that cybercriminals had indeed gained access to customer information using the information stolen in August. The exact scope of this data breach is still unknown.

Source: ID Agent
