Most data breach notices lacked detail in 2022
Organizations are tightening up what they share with customers in government-mandated breach notifications.
In 2022, two-thirds of data breach notices did not include enough details to help individuals and businesses determine potential risk, according to an annual data breach report published Wednesday by the Identity Theft Resource Center.
Data breach notices with attack and victim details comprised 72% of all filings in 2019, but slid to a five-year low of 34% last year.
“The result of these trends is less reliable data that impairs the ability of individuals, businesses and government officials to make informed decisions about the risk of a data compromise and the actions to take in the aftermath of one,” ITRC CEO Eva Velasquez said in the report.
The group identified 1,802 data breach notices in the U.S. last year, a slight decline from 2021. The number of potential victims, however, jumped 41% year over year to 422 million.
The lack of detail in data breach notices underscores the inadequacy of state data breach notification laws, Velasquez said. “Most states put the burden of determining the risk of a data breach to individuals or business partners on the organization that was compromised.”
The ITRC, a non-profit organization focused on identity crime, contends compromised businesses are making a conscious decision to withhold information.
The group specifically called out DoorDash, LastPass and Samsung for issuing breach notices with “limited or no detail about what happened and who was impacted in their state-mandated breach notice.”
The potential damage caused by the breach at LastPass, which also impacted its parent company GoTo, escalated to alarming levels as the password manager informed customers everything but their master passwords were compromised in the attack.
Organizations and professionals that assist data breach victims often don’t have access to enough information to recommend a proper response.
“Increasingly,” Velasquez said, “it is not so much what we know, but what we do not know that is the most troubling and compelling.”
Gloss