Data Breach Statistics: Must-Know Data Breach Facts and Figures
Ayush Saxena
Sep 21, 2024
In the words of Sun Tzu, “Do not depend on the foe not coming, but rely on our readiness against him. Do not depend on the foe not attacking, but rely on our position that cannot be attacked.”
Data breaches are becoming more frequent with every passing day. Across industries ranging from hospitality, fintech, IT, healthcare, and finance to education, among others, it seems none of our personal data is as safe as we hope. So, why do breaches occur? What kind of data is compromised? What can be done to prevent such attacks? And what are the ramifications of such breaches?
We understand if you’re left with a host of questions after reading bombastic data spill headlines. This article aims to ponder and reflect on the omnipresent digital danger of data breaches plaguing the cyber world. We have compiled some alarming data leakage statistics and security breach statistics and explain the trends observed on a global scale.
Introduction
A data breach constitutes any security incident in which unauthorized parties gain access to confidential information or sensitive data, including personal data (Social Security numbers, healthcare data, bank account numbers) or corporate data (customer data records, financial information, intellectual property).
As per a recent study conducted by IBM and the Ponemon Institute, data breaches have an average projected cost of nearly $4 million globally.
Data breaches commonly involve financial information like bank account or credit card details, personally identifiable information (PII), protected health information (PHI), intellectual property, or trade secrets. Other terms for data breaches include cloud leak, unintentional information disclosure, information leakage, data leak, or a data spill. Cyber threats, cyber risks, and ransomware breaches engineered by bad actors and cybercriminals are threatening the cybersecurity landscape, leading to an increase in cyber incidents and the cost of cybercrime.
Overview of data breaches
Due to the sheer amount of information in digital form and technological advancement, data breaches have become a common occurrence. Cybercriminals or hackers largely carry out these attacks for financial gain, terrorism, politics, espionage, or other reasons. Data breaches can destroy lives, potentially ruin the reputation of prominent businesses, and be costly to remedy through the costs of investigation, redress, victim compensation, fines, etc.
Here are some security breach statistics:
A zero-trust architecture was not employed by 79% of critical infrastructure organizations.
Cloud-based data breaches made up 45% of all breaches.
At least 42 million records were compromised between March 2021 and February 2022 due to data breaches.
Hospitals make up 30% of all large data breaches.
Data breaches impacted nearly 294 million people.
Financial motivation is the cause behind 71% of data breaches.
Small businesses are involved in 43% of data breaches.
Public sector entities are involved in 16% of data breaches.
Organized crime groups are responsible for 39% of data breaches.
$4.35 million was the average cost of a data breach in 2022.
Top Data Breach Statistics of 2024
As we move further into 2024, cybersecurity threats continue evolving to become increasingly sophisticated and complex.
Attackers constantly search for new ways to steal valuable data, breach security defences, and disrupt operations. We’ve compiled the following list of 30 sobering security breach statistics to help us better understand the state of cybersecurity in 2024 and offer some ideas for solutions.
By 2023, the average cost of a data breach is estimated to reach $4.2 million (IBM).
By 2023, cyber attacks aimed at the healthcare industry are projected to increase by 50% (Cybersecurity Ventures).
67% of companies agreed that they are susceptible to insider threats (Ponemon Institute).
By 2023, it is estimated that globally, there will be 7.5 billion mobile gadgets in use (Cybersecurity Ventures).
60% of companies do not have a cybersecurity incident response plan in place (Ponemon Institute).
For an email compromise attack, the average cost to a business is $130,000 (FBI).
90% of cyber attacks entail social engineering tactics (KnowBe4).
In 2023, it is projected that globally, there will be 22.5 billion IoT devices in use (Cybersecurity Ventures).
In the past year, 39% of companies have experienced a malware attack (Ponemon Institute).
In 2023, the projected cost of damages due to cyber attacks will be $6 trillion (Cybersecurity Ventures).
33% of IT professionals surveyed predict their organizations adopting “zero trust” models immediately (in 2023), while 28% are planning to adopt within six months (Armis).
Over 60% of companies that experience a cyber attack shut down within six months (National Cyber Security Alliance).
The estimated cybercrime cost in 2023 will be $10.5 trillion annually (Cybersecurity Ventures).
91% of cyber-attacks are initiated with a spear-phishing email (KnowBe4).
53% of companies have experienced a data breach related to third parties in the past year (Ponemon Institute).
300 billion passwords are in use globally as of this year (Cybersecurity Ventures).
Cyber attack reports were filed by 70% of small businesses in 2021 (Keeper Security).
By 2023, $11.5 million is projected to be the average cost of a ransomware attack (Cybersecurity Ventures).
64% of organizations have already faced some form of web-based attacks (Ponemon Institute).
Hackers aim 40% of cyber attacks at small businesses (Small Business Trends).
It is projected, as of 2023, that there will be a shortage globally of 3.5 million cybersecurity professionals (Cybersecurity Ventures).
In the past year, 48% of companies have experienced a phishing attack (KnowBe4).
68% of business leaders agree that their cybersecurity risks are growing (Accenture).
As of 2023, 3.8 billion social media users are projected globally (Cybersecurity Ventures).
In the past year, 41% of businesses have experienced a ransomware attack (Proofpoint).
66% of companies agree that they will experience a cyber attack in the coming year (Ponemon Institute).
By 2023, cyber-attacks are projected to occur every 11 seconds (Cybersecurity Ventures).
79% of companies believe that in the next year, cyber-attacks will become more severe and more frequent (Ponemon Institute).
55% of respondents, as per the “2022 State of Cybersecurity” report, in the past 12 months experienced a lateral movement attack, and 68% agree that lateral movement attacks will become more severe and frequent in 2023 (Ponemon Institute).
37% of organizations did not recover their encrypted data despite paying off a ransomware attack (Sophos).
Projections and Trends for Data Breaches
It’s vital for business owners to stay up to date in the rapidly evolving field of data security. Below are the projections for cybersecurity incidents that may happen in the coming years.
By 2025, increasing by 15 per cent annually, cybercrime is globally estimated to cost $10.5 trillion (Cybersecurity Ventures).
Attackers will target biometric hacking and expose vulnerabilities in facial recognition, touch ID sensors, and passcodes (Experian).
Skimming isn’t something new, but an enterprise-wide attack could occur on the next frontier on a national network involving major financial institutions, leading to the loss of millions of dollars (Experian).
Every 11 seconds, a company will fall victim to a ransomware attack in 2021. (Herjavec Group)
For the 5 year period from 2017-2021, global expenditure on cybersecurity will exceed $1 trillion cumulatively. (Herjavec Group)
By 2021, cybercrime is globally expected to reach $6 trillion. (Herjavec Group)
One in five enterprise customers will be driven by data privacy concerns to safeguard their data from AI. (Forrester Research)
69% of security professionals concur that staying ahead of cyberhackers is a constant battle, and the cost of doing so is unsustainable. (Accenture)
As per a prediction, an attack will be carried out on a major wireless carrier with a simultaneous effect on both Androids and iPhones. Cybercriminals could hack personal information involving millions of consumers, possibly cutting off all wireless communications within the United States (Experian).
The sensitive data of hundreds of Fortune 1,000 companies may be compromised in case a cloud vendor suffers a breach (Experian).
The online gaming community will be at high risk, with cybercriminals posing as gamers while gaining access to the personal data and computers of trusting players (Experian).
In the coming two years, 29.6% of organizations will experience a data breach. (IBM)
The costs linked with deepfake scams in 2020 are going to exceed $250 million. (Forrester Research)
Biggest Data Breaches Statistics
Data breaches are becoming more frequent and more severe, with some of the most recent data breaches being the largest recorded. Here are some of the largest data breaches recorded in history.
Yahoo holds the largest data breach record in history, with approximately 3 billion user accounts impacted. (The New York Times)
In a security breach, India’s biometric database, Aadhaar, which contains the personal data of almost every Indian citizen (~1.1 billion people), was compromised. (The Washington Post)
Roughly 885 million sensitive customer financial records were leaked by First American Corporation. (KrebsOnSecurity)
763 million records were exposed by Verifications.io, including phone numbers, email addresses, gender, name, IP address, and other personal information. (Data Breach Today)
In October 2016, hackers collected 20 years of data and 412.2 million accounts from six databases of The Adult Friend Finder Network, which included email addresses, names, and passwords. (The Washington Post)
In June 2013, a Russian hacker breached ~360 million Myspace accounts, but the incident was not disclosed until 2016. (TechCrunch)
Florida-based marketing and data aggregation firm Exactis, in June of 2018, exposed a database containing close to 340 million records on a publicly accessible server. (Wired)
Social media giant Twitter, in May of 2018, notified 330 million users regarding a glitch that stored passwords unmasked in an internal log, wherein all user passwords were accessible to the internal network. (CBS)
Facebook had 540 million user records in 2019 exposed on the Amazon cloud server. (UpGuard)
In 2014, Yahoo announced that information from at least 500 million user accounts was stolen, including names, telephone numbers, encrypted passwords, email addresses, birth dates, and, in some special cases, security questions, by what was assumed to be a “state-sponsored actor”. (The New York Times)
Marriott International announced in November 2018 that the data of approximately 500 million Starwood hotel customers was compromised by hackers. (The New York Times)
The Widespread Challenge: Recent Data Breaches and Statistics
Did you know that the average cost of a data breach, as per security breach statistics, grew by 2.6% to $4.35 million in 2022, compared to $4.24 million in 2021? For critical infrastructure organizations, however, the average cost of a data breach increased to $4.82 million.
We’ve outlined some of the most recent and impactful data breaches, with over 2,000 confirmed data breaches in 2019 and hundreds in 2020. This data indicates impactful data breaches that have led to the compromise of sensitive information.
Data Breach Statistics 2022
Breaches caused by phishing had the third longest mean time to identify and contain, at 295 days, as per IBM’s 2022 Data Breach Report.
As per Verizon’s 2022 report, 36% of all data breaches involved phishing.
Between March 2021 and February 2022, at least 42 million records were exposed by data breaches.
In the US, since H1 2022, around 817 data breaches have been reported.
At an average cost of USD 4.50 million, 9% of data breaches were caused by stolen or compromised credentials in 2022.
The average or mean time to identify and contain a data breach saw a decrease of 10 days or 3.5% from 287 days in 2021 to 277 days in 2022.
Security AI and automation implementation jumped by nearly one-fifth in a couple of years, from 59% in 2020 to 70% in 2022.
In mid-July of 2022, OneTouchPoint reported a massive data breach that compromised the data of over 1,073,316 individuals.
On January 2, 2022, Florida-based Broward Health reported a data breach affecting 1.35 million people.
The largest data breach reported in 2022 is the Shields healthcare data breach that affected over 2 million individuals.
On April 24, 2022, Tenet Healthcare-affiliate Baptist Medical Center suffered a cyberattack that affected over 1.24 million individuals.
Texas Tech University Health Sciences Center was affected by a data breach caused by a hacking incident, reported on June 7, 2022, which affected over 1.29 million people.
Data Breach Statistics 2021
Phishing is the root cause for nearly 22 per cent of all data breaches accounted for, thus securing it a position as number one of the most prevailing cybercrimes in the FBI’s 2021 IC3 Report.
In terms of data breaches caused by phishing attacks, 2021 was one of the costliest years in the last 17 years.
The top vector of data breaches in 2021 was stolen and/or compromised credentials, which accounted for 20% of the breaches.
Data Breach Statistics 2020
Clearview AI, a facial-recognition company, on February 26, 2020, revealed that contracts with powerful law-enforcement agencies had the complete client list, and over 3 billion photos were compromised. (Daily Beast)
A popular fraud bazaar, Joker’s Stash, on January 27, 2020, began selling credit card information that included more than 30 million card user accounts stolen from convenience and fuel chain Wawa Inc. (KrebsOnSecurity)
A public-facing database, on January 21, 2020, containing names, email addresses, phone numbers, previous aliases, names of relatives, past and present home addresses, and ages of approximately 56 million US citizens was found on a server with a Chinese IP address and associated to the web-hosting company Alibaba. (NJCCIC)
In the past three years, nearly 93% of healthcare companies have suffered a data breach, as per Herjavec Group’s 2020 Healthcare Cybersecurity Report, and during the same timeframe, 57 per cent have had more than five data breaches.
In 2020, data breaches targeting the healthcare industry saw a 58% increase.
Since 2020, data breaches in healthcare have gone up by 42%, with healthcare having the highest breach costs for the 12th year in a row.
Historical trends: Data Breach Statistics Before 2020
Online graphic design tool Canva, on May 24, 2019, suffered a data breach that affected 137 million users. The exposed data included usernames, cities, email addresses, names, and passwords stored as bcrypt hashes. (Canva)
Capital One, in July 2019, revealed that more than 100 million credit card applications, customer accounts, and Social Security Numbers were compromised. (CNN)
A bug gave cyberhackers access to millions of Fortnite accounts in January 2019, and at that time, the game had 200 million users, with 80 million users active each month. (The Washington Post)
In 2019, the major cause of data leakages was Facebook breaches.
Between March 8, 2018, and October 25, 2019, Singapore-based Farrer Park Hospital experienced a breach compromising the confidential medical information of over 2000 individuals, which was automatically forwarded to a third party.
Equifax announced in September 2017 that its data and systems had been breached, impacting over 148 million individuals. The data compromised included social security numbers, names, phone numbers, dates of birth, home addresses, and driver’s license numbers.
By 2018, two-thirds of the people online have had their records compromised or stolen by hackers.
Identity theft was identified as the most common kind of data breach incident, accounting for roughly 59 per cent of all global data breach incidents as of 2016.
The United States, in 2019, had 1,473 reported data breaches, where 164.68 million records were exposed.
Myspace, in 2013, had a source breach caused by malicious outsiders, which led to account access to almost 360,000,000 records.
The USA experienced a large number of data breaches from 2013 to 2017, at around 6550, while for the UK, it was 570.
With over 2,248 breaches between 2013-2016, the most targeted sector remains healthcare.
Between 2013 and 2016, data breaches caused by malicious outsiders grew steadily.
Counting the Costs: Understanding the Financial Toll of Data Breaches
The global average cost of a data breach can come in the form of direct and indirect expenses. Direct expenses include digital forensics, third-party risk management software, attack surface monitoring software, monitoring subscriptions, hotline support, and potential settlements. Indirect costs can include customer churn, in-house data breach investigations, and reputational damage.
According to the 2019 Cost of Data Breach Report from IBM Security and Ponemon Institute, in the last five years, the global average cost of a data breach has risen by 12 per cent to $3.92 million. This was driven by the increased regulation, the multi-year financial impact of breaches, and the difficult process of resolving cyber-attacks.
See just how expensive a data breach can get with the data below.
$3.92 million is the average cost of a data breach globally. (IBM)
At $8.19 million, the United States experiences the highest cost of a data breach. (IBM)
Greater losses related to cybercrime are linked to wealthier countries. (CSIS)
At $6.45 million, healthcare organizations experience the highest average industry cost. (IBM)
Each year, roughly $600 billion, or around one per cent of global GDP, is lost to cybercrime (McAfee)
The cost increased by more than $370,000 if a third party caused the data breach, for an adjusted average cumulative cost of $4.29 million. (IBM)
At $2.6 million, malware data breaches are the costliest, with web-based attacks in the second spot, followed by denial of service attacks (Accenture).
For 2018, $221,836.80 was the cost of downtime linked with internet service outages caused by DDoS attacks. (NETSCOUT)
Extensive use of encryption, threat intelligence sharing, data loss prevention, and integrating security into the software development process (DevSecOps) were all linked with lower-than-average data breach costs. Among these, encryption had the highest impact, lowering breach costs by an average of $360,000. (IBM)
The average total cost of a breach was $1.23 million less for organizations that conducted extensive testing of an incident response plan as compared to those that neither had an incident response team nor tested their incident response plan ($3.51 million vs. $4.74 million). (IBM)
$150 is the average cost per lost record. (IBM)
By the year 2020, experts said that the average cost of a data security breach for a major organization would be over $150 million. Due to the increasing digitalization and connectivity over the last few years, this estimate is higher. (BigCommerce)
Share prices of breached organizations hit a low point approximately 14 market days following a breach. Shares underperform the NASDAQ by -4.18%, and prices fall 7.27% on average. (Comparitech)
$24,439 per case is the average price for a Business Email Compromise hack. (Verizon)
$1.42 million is the average cost of lost business for companies as per a 2019 study, which represents 36 per cent of the total average cost. (IBM)
With an average monetary loss of $3.24 million and $3.5 million, respectively, system glitches and human error breaches are still costly, although less expensive than malicious attacks. (IBM)
3.9% is the average customer turnover caused by breaches as of 2019. (IBM)
$5.11 million is the average cost of a data breach for enterprise-level organizations (more than 25,000 employees), which comes to about $204 per employee. (IBM)
At an average cost of $3,533 per employee or $2.65 million, for smaller businesses between 500 and 1,000 employees, the impact of a data breach is disproportionately larger. (IBM)
After a data breach, hospitals spend 64% more on advertising. (American Journal of Medical Care)
Data Breaches by the Numbers
When assessing and analyzing the cybersecurity risk of data breaches, there are many factors to consider. Your business must prepare for and mitigate an ongoing data breach, much of which should be established in an incident response plan. Read below to find the frequency of breaches, the average response time, and other key information.
25,575 records is the average size of a data breach. (IBM)
279 days is the average time to identify a security breach. (IBM)
72.85% of exploited applications worldwide were accounted for by office applications in the third quarter of 2019. (Statista)
There was a 186% rise in the number of US residents affected by health data breaches in 2019. (Statista)
95 per cent of breached records were attributed to three industries in 2016: government, technology, and retail. (Tech Republic)
36% of breaches were experienced by the medical or healthcare industry in 2019. (ITRC)
137 breaches were experienced by the financial sector in 2018 that compromised 1.7 million accounts (SANS)
In 2018, in the US, there were 31,107 incidents of reported cybercrime for which US law enforcement agencies have information. (GAO)
The root cause for nearly half (49 per cent) of inadvertent data breaches was human error and system glitches. (IBM)
Once identified, the average time to contain and mitigate a data breach is 73 days. (IBM)
1,473 breaches were recorded in 2019, up from 1,257 the year before. Last year, 164.6 million records were compromised. (IDC)
780,000 records are compromised to hacking each day. (McAfee)
Industries Under Siege: Data Breach Statistics by Industry
Malicious ransomware attacks targeted 28% of critical infrastructure organizations. These sectors included healthcare, government organizations, financial services, and more.
Here are a few of the industry-specific data breach statistics:
1. Healthcare
- In the scenario of healthcare-related claims, the triggering causes were accidental data breaches at 29% and malicious data breaches at 18%.
- The average breach in the healthcare industry has grown by nearly USD 1 million to amount to USD 10.10 million.
- For 12 years running, healthcare has been the costliest industry for breaches, with costs increasing by 41.6% since 2020.
- A survey conducted revealed that, due to ransomware attacks, nearly 70% of healthcare organizations saw delays in procedures and longer hospital stays.
- Ransomware attacks were the cause of 8% of healthcare data breach claims.
2. Finance
- The insurance sector faced major claims triggers and losses through accidental data breaches at 35% and malicious data breaches at 39%.
- Averaging at USD 5.97 million, financial organizations had the second highest costs.
- The financial industry saw an increase of USD 0.25 million or 4.4% as breach costs increased from USD 5.72 million in the year 2021 to USD 5.97 million in the year 2022.
- In 2018, the financial sector experienced 137 breaches that compromised 1.7 million accounts.
3. SMEs
- Government, retail, and technology were responsible for 95 per cent of breached records in 2016.
- For malicious data breaches at 22%, manufacturing organizations faced cyber insurance claims the most.
- With wholesale and retail businesses, the significant causes of an insurance claim were accidental data breaches (8%) and malicious data breaches (30%).
How do Data Breaches Occur?
Here are a few main data leakage statistics involving the most frequent kinds of attacks that lead to ransomware, data breaches, and phishing.
1. Phishing
Phishing attacks are social engineering aimed at tricking you into revealing sensitive information such as usernames or passwords.
At 16%, phishing was identified as the second most common cause of a breach and the costliest in breach costs at USD 4.91 million.
Over the course of 2018, phishing attacks grew by 250%.
As per the AICPA (2018), out of the 60% of Americans who have been exposed to fraud schemes, 26% were targeted by phishing emails.
Breaches caused by compromised or stolen credentials had an average cost amounting to USD 4.50 million.
2. Ransomware
Ransomware is malicious software tailored to deny access to data or systems until a ransom is paid. Phishing emails are the major means of spreading ransomware.
In an IBM study, 11% of breaches were identified as ra