New Analysis Reveals Number and Severity of Known Data Breaches in 2022 is Nearly Double What’s Been Reported

Jim Van Dyke

Last month, the Identity Theft Resource Center (ITRC) reported that the overall number of publicly reported data breaches in 2022 remained at a steady high (1,802 incidents), coming up just shy of the record-high of 1,862 incidents reported in 2021. Further analysis of the ITRC data by Sontiq, a TransUnion company, reveals the number of entities compromised by those 2022 breaches reached 3,495* — nearly twice the number of publicly reported breaches.

Jim Van Dyke, senior vice president of innovation at Sontiq, explains that Sontiq’s calculation is based on how the company’s proprietary algorithm accounts for breaches at third-party vendors, also known as supply-chain attacks. Of the publicly reported incidents, half were third-party breaches that gave attackers access to the data of companies served by the breached vendor.

Sontiq’s analysis shows 3,495 compromised entities in 2022, of which 1,745 originated from a third-party data breach. This is a nearly 45% increase over the 2,417 compromised entities Sontiq analyzed in 2021 and a year-over-year increase in third-party breaches of more than 220%.

Van Dyke, who has served as an expert harms witness in some of the country’s largest data breach litigations, noted that cybercriminals are pursuing supply chain attacks for a higher return on effort.

“By focusing attacks on the accounting, payroll or administrative firms that serve multiple clients, a single breach can give an attacker access to the data of multiple organizations at once, including customer and employee records,” he said.
Third-Party Breaches Getting More Severe

Van Dyke noted that the severity of third-party data breaches, as measured by Sontiq’s BreachIQ AI algorithm, is also trending higher. BreachIQ analyzes more than 1,300 factors to assess the severity of a data breach and assigns a unique Breach Risk Score on a scale of 1 to 10 for each incident. The algorithm also identifies the primary risks associated with a breach, as well as recommended protective action steps specific to that breach.

In examining the average Breach Risk Score year over year, the severity of third-party breaches increased 10% in 2022. Meanwhile, the severity of primary breaches increased a mere 2%.

Higher-Risk Data Breaches Warrant Quicker Action by Consumers

According to Van Dyke, individual data breaches that score higher than 4 warrant stronger action from those affected due to the potential risks. (Consumers can check on the severity of any publicly reported breach on the Sontiq website.)

“When a data breach reaches a score greater than 4, typically several pieces of sensitive personal information have been compromised,” said Van Dyke. “This greatly increases the odds of serious identity theft and fraud scams, which give criminals direct access to a victim’s workplace or personal financial, medical and social accounts.”

That said, Van Dyke added that even low-scoring breaches can be dangerous because cyber thieves are willing to work harder to access a victim’s financial accounts. When criminals obtain less-sensitive information in a data breach, they often use social engineering techniques to extract more personal information to gain direct account access or commit payments card and peer-to-peer (P2P) payment fraud.

A free online tool is available at www.sontiq.com/breachiq/#search-breached-organizations for anyone who wants a risk score and recommended actions for a particular data breach.

* The ITRC’s figure is based on the number of initially breached organizations, while Sontiq includes entities whose data was exposed by the initial breach. Both are considered valid breach counts by the industry. Sontiq believes its approach provides more value to protecting organizations and consumers from potential data compromise.

---