Nearly 2 000 breaches reported in H1 2022

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 16 Aug 2022

Some 1 980 breaches were reported globally in the first six months of 2022, approximately 15% below 2021's final first-half total.

This was revealed by Flashpoint’s State of Data Breach Intelligence: 2022 Midyear Edition, which covers publicly disclosed compromise events first reported between 1 January 2022 and 30 June 2022.

The number of records exposed also dropped significantly in the first six months of 2022 compared to the first six months of 2021, falling from 27.3 billion records to 1.4 billion records.


This is the lowest level since 2015 and, according to Flashpoint, is due largely to an overall decline in the number of very large, open, misconfigured services and databases, which have been the driving force behind the astronomical number of records exposed in recent years.

These misconfigurations are classified as breach type "Web". While this type allows for a variety of online oversharing activities, reviewing the combination of this breach type and breaches exposing over one million records shows the impact of misconfigured services on total exposed records, the company says.

According to the security giant, the decline in records exposed can also be attributed to a decline in the number of breaches impacting 100 million or more records. In H1 2021, there were 13 such incidents, while in H1 2022, only three such incidents were reported.

The growing ‘unknown’

The most prolific breach type remains consistent with prior years: unauthorised access to systems, or hacking, accounted for approximately 60% of breaches reported during the timeframe.

However, a more interesting trend is the growing presence of breach type 'unknown'. The language in breach notifications and other disclosure reports is increasingly opaque, Flashpoint says.

“Phrases such as 'cyber attack' and 'security incident' are commonplace, with woefully little else provided in the way of explanation. The effect of this shift in language is a key contributor to the steady increase in the number of breaches classified as 'unknown'.”

Insiders vs outsiders

Insider risk is an ongoing topic of discussion. “Is the insider threat fact or fiction? The answer is not a simple yes or no. Of the breaches with a confirmed origin, only 23% of incidents originated from within the victim organisation and of that 23%, the majority (61%) were attributable to data handling mistakes.”

In addition, the 54 breaches confirmed to have originated with a malicious insider range from the banal, such as small-scale theft of credit card data from customers at the point of sale, to the potentially catastrophic, such as theft of investment-intensive technological innovations and proprietary source code.

The combined healthcare and social service economic sector reported the most breaches in H1 2022. However, on a business group level, financial services and software and data services both reported more breaches than hospitals, the leading reporter of breaches within the healthcare sector.

The CIA triad

The CIA triad, or confidentiality, integrity, and availability, is at the heart of information security, and of the three, none is more central to data compromise events than confidentiality, says Flashpoint.

“Even a casual reader of breach notifications will quickly notice distinctions are being made between confirmed data theft and the inability to confirm whether data was accessed or exfiltrated.”

The report said that, even after investigation, it could not be determined whether data was compromised in approximately 44% of incidents.

Whether this should be interpreted as a positive statistic is questionable, but the likely answer is no, as the high percentage of potential exposure indicates a lack of visibility into activity taking place on systems or within services, the company explains.

Interrupting operations

When it came to breaches that interrupted operations, Flashpoint says it would be a gross understatement to say ransomware operators have altered the breach landscape.

“The threat of impaired operations coupled with data theft has made ransomware into one of the most discussed issues in security today.”

In early 2020, the research team began tracking breaches that also resulted in an interruption to business operations.

While breaches coupled with downtime make up a relatively small percentage of reported breaches, they are potentially one of the most damaging types of incidents an organisation can experience.

Adapting to the threat landscape

In closing, Flashpoint says that over the decade of producing this report, it has seen dramatic shifts in the type of data that has been exposed and the attack methods that were employed to gain access to it.

“Slowly but steadily, lawmakers have expanded the boundaries of what constitutes sensitive data. Changes aside, one observation has remained consistent over the years. It is the organisations that can adapt to the threat landscape and have learned how to bend their processes to address the most relevant risks that often fare the best when it comes to defending against and recovering from a data breach.”