2022 didn’t let up on the security incidents — according to Forrester’s Security Survey, 2022, 74% of security decision-makers experienced at least one data breach at their firm in the previous 12 months. As we looked at the top breaches and privacy violations of 2022 — and there was activity right up to the end of the year — we noted that:

  • Three industries accounted for over 75% of the top 35 data breaches. Of the 35 largest breaches (based on number of stolen records), public sector and healthcare appeared 12 times on the list and yielded the largest number of stolen records. Media, entertainment, and leisure accounted for three of the top five breaches. Financial services and insurance rounded out the most victimized industries, with 17% of the top 35 breaches coming from both traditional financial firms and fintech.
  • Google, Meta, and Twitter dominated the top privacy violations. These three firms shelled out a combined $1.3 billion in payments in 2022 alone, representing just under 50% of the top fines. The fines may be a drop in the bucket when you consider these companies’ revenues, but consumers are starting to lose trust in these behemoths. In fact, Forrester’s Media And Marketing Benchmark Recontact Survey, 2022, found that 63% of online adults in the US don’t trust social media companies to protect users’ information.

So what can security professionals learn from these trends? Here’s a preview from our report, Lessons Learned From The World’s Biggest Data Breaches And Privacy Abuses, 2022:

  • Cryptocurrency exchanges and bridges are juicy targets, so conduct due diligence before partnering. We can’t not mention the FTX collapse. A November filing by the new CEO of FTX calls out multiple examples of mismanagement and a stunning lack of governance at the company — lapses that should have been apparent to any partner that had conducted a modicum of due diligence. Unfortunately, it seems like several partners skipped the due-diligence step and are now stuck cleaning up the mess. As a result of the FTX collapse, Coachella — which partnered with FTX on an NFT project — has found that $1.5 million in NFTs are now inaccessible. Given the level of risk of these exchanges and bridges, push for a more-rigorous-than-usual assessment of potential partners before striking a deal.
  • Ransomware still wreaks havoc, but be ready for extra scrutiny if you pay. Expectations of ransomware payment, especially for large global organizations, have changed over the past year as cyber insurance requirements forced increased maturity in ransomware preparedness and response. As the war between Russia and Ukraine drags on and ransomware gangs reshuffle, any ransom payment is highly likely to be scrutinized by a carrier — and by relevant governments. The court of public opinion may also be a factor in terms of media coverage, social media mentions, and shareholder questions, as paying a ransom calls into question your security practices and resilience.
  • True nation-state behavior looks different from the headlines. Traditional nation-state attacks damage government equipment or steal data. Modern nation-state behavior, however, runs the gamut based on the nation’s geopolitical influence. Nation-state activity is a key part of governments’ geopolitical strategy, and that includes targeting firms in the private sector to access government resources or as retribution for geopolitical activity. Security teams must recognize the adapting geopolitical landscape and include attacks by nation states and affiliated actors as part of their threat model.

For more highlights (and lowlights) of the year in breaches and fines, and to see our thoughts on what else security leaders can learn from these incidents, check out our report, Lessons Learned From The World’s Biggest Data Breaches And Privacy Abuses, 2022.