US data breaches in 2022 just shy of all-time high set in 2021

A national nonprofit organization that supports victims of identity crime reported that the number of data compromises in the U.S. in 2022 fell just 60 events short of the all-time high set in 2021.

The Identity Theft Resource Center’s annual data breach report, released Jan. 25, shows 1,802 data compromises last year that affected about 422 million people, primarily due to cyberattacks.

However, as the ITRC’s CEO Eva Velasquez noted in the report’s opening, the number of public data breach notices that include victim and attack details is at its lowest in five years, dropping by more than 50% since 2019.

“The result of these trends is less reliable data that impairs the ability of individuals, businesses, and government officials to make informed decisions about the risk of a data compromise and the actions to take in the aftermath of one,” Velasquez wrote.

The report showed that data compromises overall were flat compared with 2021, but the annual estimated victim count exceeded the previous year by almost 41.5% due to two breaches at Twitter.

The report also stated there were fewer data compromises in the first half of 2022 as the cybercriminals were distracted by the Russia-Ukraine war, but that trend reversed in the latter half of the year.

Another trend highlighted in the report was the number of data breaches resulting from supply chain attacks now exceeding those linked to malware by about 40%. The ITRC’s data showed that 1,743 entities were impacted by supply chain attacks, while only 70 entities were hit with malware-based attacks in 2022. 

Phishing remained the No. 1 attack vector that led to data breaches in 2022, followed by ransomware.

The ITRC also noted some good news in its annual data breach report, highlighting updated laws in Maryland that reduced the number of days after a breach to inform victims from 45 days to 10 days, and Pennsylvania, which expanded its definition of personally identifiable information to include health-related information, as well as usernames and email credentials.

Also of note: the number of data breaches and exposures tied to unprotected cloud databases dropped a whopping 75% in 2022 compared with 2020. There were 107 cloud databases that exposed PII of 155 million people in 2020, while only 27 unsecured cloud databases were the cause of a data breach or exposure in 2022, impacting about 7 million people.

Top 10 compromises of 2022, by number of victims:

  1. Twitter: 221,524,284
  2. Neopets: 69,000,000
  3. AT&T Data: 22,786,997
  4. Cash App Investing, LLC: 8,200,000
  5. Beetle Eye: 7,000,000
  6. Twitter: 5,485,636
  7. Receivables Performance Management, LLC: 3,766,573
  8. Flexbooker: 3,756,794
  9. Eye Care Leaders: 3,372,880
  10. Advocate Aurora Health: 3,000,000

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.