The 10 Biggest Data Breaches Of 2022

According to the newest breach statistics from the Identity Theft Research Center, the number of victims jumped dramatically in the third quarter—a ‘staggering 210 percent over Q2 2022.’

The data breach picture for 2022 isn’t pretty.

At the start of the year, the number of victims per data breach incident was actually falling across the country, suggesting that companies with lots of customers might be doing a better job of protecting their data than in years past.

But that was then and this is now.

According to the most recent breach statistics provided by the Identity Theft Research Center, the number of victims jumped dramatically in the third quarter—a “staggering 210 percent over Q2 2022.”

Meanwhile, the actual number of data compromise incidents also increased by 15 percent in the third quarter to 474 incidents compared with the second quarter of 2022, according to the center.

But there is good news: The number of data compromise incidents is still down from 2021, the center said. And the number of overall data breach victims in 2022 is nevertheless expected to be below 2021 numbers.

Some other key takeaways from the Identity Theft Research Center’s thrid-quarter report:

• Supply chain attacks “made a comeback” in the third quarter, with the number of impacted entities increasing by 250 percent compared with earlier quarters.

• Phishing attacks remained the top attack vector for the 15th consecutive quarter.

• And, discouragingly, more than 45 percent of data breach notices related to cyberattacks “did not contain information about the attack that could assist other businesses or individuals take actions to prevent or recover from a similar attack,” the center reported.

The Identity Theft Research Center does not report fourth-quarter and final-year breach statistics until late January.

But it did say in its third-quarter report that “absent a dramatic increase in data compromises in Q4 2022, it is unlikely the total number of data breaches will set a record this year.”

The report added: “Despite a triple-digit increase in victims during Q3, the number of data compromise victims is likely to show a year-over-year decline for the fourth year in a row.”

Following are the 10 largest data breached recorded by the Identity Theft Research Center through the third quarter.

10. Nelnet Servicing

Number of individuals impacted: 2.5 million

Earlier this year, student loan technology service provider Nelnet notified officials that its system had been breached, potentially exposing the personal data of about 2.5 million student loan borrowers. The unidentified intruders hacked into the system some time in June and stayed until late July.

Technology services from Lincoln, Neb.-based Nelnet are used by the Oklahoma Student Loan Authority and EdFinancial to provide borrowers with online access to their loan accounts.

9. Lakeview Loan Servicing

Number of individuals impacted: 2.53 million

This is yet another breach involving a loan servicing firm.

In March, Lakeview Loan Servicing, the fourth largest loan servicing company in the nation, disclosed that it suffered a data breach in late 2021 that appears to have impacted about 2.53 million individuals.

8. OneTouchPointNumber of individuals impacted: 2.65 million
Mailing and printing services vendor OneTouchPoint was the victim of a ransomware attack this past year that reportedly compromised information of about 2.65 million people.

A preliminary review of accessed files confirmed that they contained sensitive information of current and former employees as well as customers. Among Hartland, Wis.-based OneTouchPoint’s customers was Common Ground Healthcare Cooperative and dozens of other health-care entities, according to a published report.

7. Elephant Insurance Services

Number of individuals impacted: 2.76 million

Financial companies are a favorite target of cyberattackers, as Henrico, Va.-based Elephant Insurance Services learned the hard way this past year.

Elephant Insurance Services disclosed in May that it had experienced a security incident that began in late March and may have impacted information related to millions of customers seeking insurance policies. Specifically, the company’s early investigation found that an “intruder may have had access to information that included names, driver‘s license numbers and dates of birth of people,” potentially exposing those individuals to identity theft and fraud risks.

6. Eye Care Leaders
Number of individual impacted: 3.37 million

Another favorite target of attackers: health-care companies—or those who do business with health-care companies. And in this case the target was Durham, N.C.-based Eye Care Leaders, which sells eye care management software solutions.

Eye Care Leaders first disclosed earlier this year that it took down compromised systems within 24 hours after a breach by an unknown intruder was discovered in late 2021. But hackers had already accessed files with sensitive information on millions of patients, as officials disclosed earlier this year.

5. FlexBooker
Number of individuals impacted: 3.75 million

In January, FlexBooker, which sells online appointment booking tools that businesses embed in their websites, disclosed that it had discovered a data breach impacting millions of people.

The Columbus, Ohio-based company said in January 2022 that some of its customer database had been breached after its Amazon Web Services servers were compromised in late 2021. The company added its “system data storage was also accessed and downloaded” as part of the attack. The information obtained included partial credit card data.

4. Beetle Eye
Number of individuals impacted: 7 million

Beetle Eye, which is an online tool that helps marketers with their email marketing campaigns, experienced a major breach apparently caused by a misconfigured AWS S3 Bucket that was left without any encryption, according to a report at Data Breach Today.

Researchers at Website Planet first discovered the breach at Sarasota, Fla.-based Beetle Eye, which reportedly left its Amazon S3 bucket open, exposing sensitive data belonging to an estimated 7 million people.

3. Cash App Investing
Number of individuals impacted: 8.2 million

Organizations usually build their security systems to prevent outside hackers from getting inside. But what happens when the attack comes from the inside? In the case of Cash App Investing, it was a former employee who wreaked digital havoc.

As CNN reported in April: “More than 8 million Cash App Investing customers may have had personal data compromised after a former employee downloaded internal reports without permission, parent company Block Inc. revealed. … Information in the reports accessed by the former employee included customers’ full names and brokerage account number, which is the personal identification number associated with a customers’ stock activity on the platform.”

2. AT&T Customer Data

Number of individuals impacted: 22.7 million

This one is sort of a mystery: Data believed to be tied to tens of millions of AT&T customers was discovered on the dark web but it’s not clear how the data got there. AT&T has denied it came via a breach of its systems. Meanwhile, some think the information may have come via a credit card company.

Hold Security first discovered that the data was in the hands of Romanian cybercriminals. Mequon, Wis.-based Hold Security later worked with journalist Brian Krebs to disclose and discuss the incident.

1. Neopets
Number of individuals impacted: 69 million

This breach was quite real, not virtual.

Neopets, the popular virtual pet website that allows users to create and care for digital pets called “Neopets,” disclosed this past summer that attackers had gained access to the Neopets IT systems from Jan. 3, 2021, until July 19, 2022. The company learned about the breach after a hacker offered to sell a Neopets database for four bitcoins.

The result: the possible exposure of information related to about 69 million Neopet customers. The Neopet breach was by far the biggest data breach of 2022 through the third quarter, more than triple the size of the second largest cyberincident recorded by the Identity Theft Research Center.