ITRC’s 2022 Annual Data Breach Report Reveals Near-Record Number of Compromises

Source: ITRC | Published on February 1, 2023


The Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime, will release its 17th Annual Data Breach Report at the Identity, Authentication, and the Road Ahead Cybersecurity Policy Forum hosted by the Better Identity Coalition (BIC), FIDO Alliance and the ITRC.

According to the 2022 Annual Data Breach Report, the number of data compromises in 2022 (1,802) was only 60 events short of the previous all-time high set in 2021 (1,862 compromises). The first half of 2022 saw fewer compromises reported, due in part to Russia-based cybercriminals being distracted by the war in Ukraine and volatility in the cryptocurrency markets. However, the number of data compromises steadily increased in the second half of 2022.

The number of victims impacted (422.1 million) increased by almost 41.5 percent from 2021. For 11 of the 12 months in 2022, the estimated number of data compromise victims was trending downward for the sixth consecutive year. However, that trend reversed with news that personal information of 221 million Twitter users was available in illicit identity marketplaces.

Other findings in the 2022 Annual Data Breach Report include:

Data breach notices suddenly lacked details, resulting in increased risk for individuals and businesses, as well as uncertainty about the number of data breaches and victims. “Not specified” was the largest category of cyberattacks leading to a data breach in 2022, ahead of Phishing and Ransomware. Only 34 percent of data breach notices included victim and attack vector details.

Cyberattacks remain the primary source of data breaches; the number of data breaches resulting from supply chain attacks exceeded compromises linked to malware in 2022. Malware is often viewed as the core of most cyberattacks. However, in 2022, supply chain attacks surpassed the number of malware-based attacks by nearly 40 percent. According to the 2022 Annual Data Breach Report, more than ten (10) million people were impacted by supply chain attacks targeting 1,743 entities. By comparison, 70 malware-based cyberattacks affected 3 million people.

There is some good news in the 2022 statistics. The number of data breaches and exposures linked to unprotected cloud databases dropped 75 percent in 2022 compared to the previous high point in 2020. Also, physical attacks continued a multi-year downward trend, dropping to 46 out of 1,802 compromises.

“While we did not set a record for the number of data compromises in the U.S. last year, we came close,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “These compromises impacted at least 422 million people. These numbers are only estimates because data breach notices are increasingly issued with less information. This has resulted in less reliable data that impairs consumers, businesses and government entities from making informed decisions about the risk of a data compromise and the actions to take if impacted by one. People are largely unable to protect themselves from the harmful effects of data compromises, fueling an epidemic – a ‘scamdemic’ of identity fraud committed with compromised or stolen information.”