2022 data breach report: fewer incidents, more victims
Twitter doesn't agree
By Rob Thubron
In brief: It feels like a week rarely goes by where we don't hear about a new data breach. There were plenty of high-profile incidents in 2022, almost reaching the all-time high seen in 2021, and the number of impacted users last year increased by 128 million.
The 17th annual Data Breach Report from the Identity Theft Resource Council (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime, shows that there were 1,802 data compromises in the US last year, just 60 short of the record 1,862 seen in 2021.
It seems that 2022 could have seen even more data breach incidents were it not for Russia's invasion of Ukraine, which distracted Russia-based hackers, and for volatility in the cryptocurrency market. ITRC notes that the number of breaches steadily increased in the second half of the year.
While there were fewer incidents, the number of breach victims increased by 41.5% YoY in 2022, jumping from 294 million to 422 million. Twitter was responsible for much of that uplift. Elon Musk's company saw the largest breach (221.5 million victims) and the sixth largest (5.48 million). However, Twitter insists that the data from the larger of the two incidents did not originate from its systems. If that's true, 2022's victim count would be lower than 2021's.
"We were recently made aware of reports that Twitter user data was being sold online. After a comprehensive investigation, we found no evidence that this data originated from the exploitation of our systems. Read more here: https://t.co/4LnVG6gzae"
Twitter Support (@TwitterSupport), January 11, 2023
Other significant breaches in the top ten include those targeting Neopets, AT&T, and Cash App Investing. There is no mention of the recent LastPass incident, though the company still hasn't revealed how many customers were impacted by the hack. ITRC notes that 66% of public data breach notices did not include victim and attack details.
While cyberattacks remained the primary method of carrying out data breaches, supply chain attacks increased last year, exceeding the number of compromises linked to malware by almost 40%. More than ten million people were impacted by supply chain attacks targeting 1,743 entities.
Names and Social Security numbers, which hackers can use to perform ID fraud, were the two pieces of personally identifiable information most frequently stolen in breaches.
Some brighter points to take from last year include a fall in the number of breaches and exposures related to unprotected cloud databases (down 75%), while physical attacks (i.e., stealing devices) made up just 46 of the 1,802 compromises.