A study released by Flashpoint and Risk Based Security found two startling facts: its reported drop in the total number of breaches is likely erroneous, and the time it takes for an organization to report a breach has increased to the highest level since 2014.
Much of what Flashpoint and RBS found was similar to other reports on the topic: Healthcare was a leading target, ransomware is more popular than ever and billions of records were stolen. One of the more interesting data points that the report covers is its reported 5% drop in the total number of breaches between 2020 and 2021, a figure that report contributor and Flashpoint cybersecurity intelligence analyst Ashley Allocca said likely doesn’t reflect reality.
“Readers of the 2020 Year End Report may recall at the time that report was issued, the number of publicly disclosed breaches stood at 3,932. We estimated that number would grow by 5% to 10% over the course of 2021. The number actually increased by 11.8%,” Allocca said. Assuming the same 5-10% growth, 2021 would likely settle into the 4,352 to 4,560 range, putting it on par with, or just a bit higher than, 2020.
Allocca said she is frequently asked whether the data breach landscape is “getting better.” Unfortunately, she said, the numbers don’t give a clear answer, and there’s more to consider than just the raw data. “The time it takes to report a breach, coupled with the lingering effects of a drop-off in media coverage and more ransomware attacks that can be kept out of public view, has undoubtedly played a role in the decline in publicly reported breaches,” Allocca said.
Fewer reports don’t mean things are looking up
The report includes data going back to 2014 on the average number of days it took to disclose a breach, starting with 91 days. By 2017, that number had dropped to 49 days, but has since crept back up, hitting 89 days in 2021, second only to the lag time noted in 2014.
GDPR took effect in 2018, imposing a 72-hour deadline for informing data protection offices of a breach. In 2018 the average number of days to report was 50. In 2019 and 2020 it was 72, a significant increase from the low of 49 days in 2017, the year before GDPR came onto the scene.
Inga Goddijn, EVP of Risk Based Security, said that reporting delays have definitely become more pronounced since regulations about timely reporting were put in place. Goddijn pointed out several reporting outliers that may be skewing numbers, though.
“In 2021, 15 breaches took more than 365 days—a full year—to go from discovery to the release of a formal breach notification letter. Another 169 events took six months or more,” Goddijn said.
She added that COVID-19 isn’t the sole cause of slower reporting. “It would be easy to blame delays on the pandemic, but this trend started well before COVID became a household name. Complex incident investigations, weak enforcement and a deliberate blindness to notification obligations appear to be at the root of the delays,” Goddijn said.
The report concluded with the statement that data breaches and attacks in 2022 will be difficult to predict, but they’re hardly on the decline. “As long as malicious actors have a pathway to attack monetization, there will be no shortage of breaches to cover,” the report said.