Even though the number of data breach notices issued in the US in 2022 declined slightly from 2021, researchers say the pool of potential victims has expanded significantly. Moreover, more organizations are choosing not to report specific details of the incidents they disclose.
According to an annual data breach report published by the Identity Theft Resource Center (ITRC), a US-based organization seeking to minimize risk and mitigate the impact of identity compromise, data breach notices with attack and victim details comprised 72% of all filings in 2019, but slid to 34% last year. That’s a five-year low.
“In other words, the information individuals and businesses needed to determine the risk to their identity information after a compromise was not included in approximately two-thirds of all public breach notices,” the report said.
LastPass singled out
This matters, the ITRC notes: the 1,802 data compromises reported in 2022 impacted around 422 million individuals, whom the researchers call potential victims. That number jumped 41% year over year.
The trend itself is worrying, and the result is “less reliable data that impairs the ability of individuals, businesses, and government officials to make informed decisions about the risk of a data compromise and the actions to take in the aftermath of one,” ITRC Chief Executive Eva Velasquez said in the report.
In other words, when compromised organizations are not forthright, individuals and businesses are largely unable to protect themselves from the harmful effects of data compromises. Thus, a “scamdemic” of identity fraud continues.
The ITRC specifically called out DoorDash, LastPass, and Samsung for issuing breach notices with “limited or no detail about what happened and who was impacted in their state-mandated breach notice.”
In August 2022, attackers accessed LastPass’ development environment, source code, and technical information through a compromised internal account. Three months later, the company revealed that the threat actors had used the information obtained in August to access a third-party cloud-based storage service and “copy a backup of customer vault data.”
LastPass was sued in early 2023 – the lawsuit alleges that the firm mishandled the August data breach, understating the attack’s impact.
Twitter appears twice in the ITRC’s list of the top 10 data compromises of 2022; together, the two incidents account for more than half of the year’s potential victims. Typically, the social media company only reacted to reports of the breaches a few weeks later.
“Data breach notices suddenly lacked detail, resulting in increased risk for individuals and businesses as well as uncertainty about the true number of data breaches and victims,” the ITRC said.
The laws aren’t helping
Velasquez thinks that data breach notices are lacking detail because the notification laws are inadequate in most US states: “Most of them put the burden of determining the risk of a data breach to individuals or business partners on the organization that was compromised.”
It may come as no surprise, then, that many companies are making a conscious decision to withhold information. LastPass was among the firms that issued data breach notices but chose to include limited or no detail about what exactly happened.
Other possible causes are mentioned, too. For example, US federal courts in different parts of the country have recently issued rulings saying that actual harm, not merely potential harm, is required for an individual to file a damage claim linked to a data breach.
“Absent a requirement to include details of the attack leading to a data breach and the number of victims, which most state laws do not include, businesses may no longer be inclined to include detailed information for fear of revealing facts that can be used in a lawsuit against the company,” the ITRC said.
The US numbers look especially poor next to the state of play in the European Union. While an average of seven breach notices were issued each business day in the US in 2022, 356 breach notices were announced each day in the EU during 2021, the last year for which data is available.
In the EU, data protection officials, law enforcement officials, and the compromised organization make the determination – together – that individuals or businesses are at risk, requiring a full notice to the impacted parties, the ITRC report said.
The only US state that has adopted the European approach is Oregon. The states of Maryland and Pennsylvania have also updated their data breach laws in the past year.
For instance, Maryland now requires organizations to report the details surrounding a data breach, including the number of victims, within 10 days of learning of the breach – down from 45 days. Pennsylvania has updated its law to expand the definition of personally identifiable information to include health-related information as well as usernames and email credentials.
More from Cybernews: