According to science, my “halfway” speak is a couple weeks late. July 2, when 2022 would’ve still afforded a full second half, has passed. My mere estimation was meant to align with a recently published report that examined the first six months of 2022’s cybersecurity landscape.
There are many regular reports about information security and privacy issues. Many tech firms—Cisco, Verizon, Hewlett Packard, et al.—publish annual reports that summarize the state of cybersecurity. Of course, the federal government publicly shares reliable, useful data. Myriad media and website outlets prepare digests of all things security. Like medical opinions, each one of these outlets lays claim to being founded upon objectively obtained and described information. They’ll espouse repeatable, valid analyses. And, to no surprise, they oftentimes disagree with each other or rarely perfectly reflect their competitors’ positions. Is coffee good or bad for the vascular system? It depends on which medical journal and in which edition you seek the answer.
There are a few of these security trackers who post half-year reviews, one of which I’d been perusing during the past week when I realized, presuming its data to be bona fide, an interesting twist on the forever trend that security breaches, hacks, and other incidents are perennially on the rise.
The Identity Theft Resource Center is an American not-for-profit that, since 1999, has been intent on a mission to “empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime.” According to the ITRC’s “First Half 2022 Data Breach Analysis,” 2021 presented another record-high count of publicly reported data breaches. As I’m prone to emphasize, reported data breaches and security incidents account for a rather small percentage of actual carnage.
So many companies, especially private firms not compelled to report breaches by law, keep their hacking damages close to the vest. They want to maintain an air of security with their clients and partners. They realize that by being a victim their target grows in the scopes of opportunistic cyber-criminals. Their pride is damaged alongside their books.
Knowing that the ITRC’s report therefore can only reflect a portion of cybersecurity activities, the data is always impressive nonetheless. During just the first half of 2022, over 53 million people were victimized by data compromises. Based on that pace, the time it took you to read the prior sentence added another 18-20 cybercrime victims; it’s around three people per second that fall prey.
Those 53 million people, around one-sixth of the U.S. population, meaning you may be included in that first-half tally, succumbed to various forms of attacks and losses, nearly all digital in nature. By far the least common way these crimes were committed was one that was not wholly digital. In 13 instances, accounting for around 115,000 victims, the crime began IRL: in real life. Hard copy documents were stolen, such as in the age-old ploy of dumpster-diving. How quaint. In some cases, portable devices were stolen, or were improperly discarded and then nicked by an observant criminal. The uncommon, but still effective, data skimmer was used to nab personal and financial data. That’s where a bad guy installs a payment card reader on top of an existing one, typically at gas stations. When you run your card, it both initiates a legitimate payment process and sends the card’s information to the scofflaw via Bluetooth. These IRL attacks are rare, but with hundreds of thousands feeling their bite, they’re still important and we all need to be wary.
The rest of the H1 security instances can be mainly split between criminal attacks and less malicious causes. I’m pointing at you, careless, lazy users and lax systems administrators.
The majority of losses were intentional, criminal endeavors. Over 17 million victims were compromised through rote hacking. Many criminal cyberattacks, though documented, still want for more information. Again, reluctant victims may be understood to keep the details mum, though transparency sure would help us in the security field. No matter, plenty of data was gathered in 2022’s first six months. Of 367 reported criminal cyberattacks, one-third relied on good ol’ phishing expeditions.
When you get phished, an email appears to be from someone you know, or should know. It includes a link to something you likely would want to click into. Like the Trojan Horse, though, once your guard is down and the “gift” is received with welcome, the troops are unleashed and havoc results. Phishing sometimes leads to automatic installation of ransomware or other malicious pieces of software. Those tactics and a smattering of more arcane crimes make up the bulk of 2022’s incidents.
Another 10 million victims found themselves in trouble due to less reasonable means. No one is giving cybercriminals a pass, but at least when their victims get stung, you can point to extra-normative societal causes—i.e., crimes. These fewer, poor folks, on the other hand, are victims of human error. Failed security protocols, firewalls that never would have worked according to hindsight, and loosey-goosey cloud security passwords are the types of negligence that harmed those tens of millions so far in 2022.
All told, and despite one-sixth of America falling prey, 2022 has actually been successful … so far. In fact, with almost 300 million victims in H1 of 2021, and our year having passed its halfway point, we’re doing relatively well. As compared with 851 compromises halfway through 2021, there were only 817 during H1 of 2022.
That’s not to say that the ugliness won’t catch up during H2. Also, there’s something none too settling about fewer incidents having been reported. Perhaps, criminals are becoming more efficient: fewer banks, but bigger takes. Proverbially, it’s akin to “Half full, or half empty?”
Ed Zuger is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at firstname.lastname@example.org.