The cost, frequency, and sophistication of data breaches are on the rise. Recent data breach statistics show that even high-profile companies have suffered major cyber attacks, and as a result data privacy and security have moved to the forefront of boardroom attention.
The result was new legislation in the US, Europe, and Australia, most of it coming into effect in 2018. Organizations must now adhere to rules that specify when and how affected users must be notified, which businesses the rules apply to, and what must be reported to regulators.
Even without the fines, the cost of a data breach was already high. There is the cost of updating systems, hiring forensic investigators to look into the incident, briefing the legal department, and paying settlements to dissatisfied customers. Add to that the potential damage from the worst intrusions, those involving espionage and IP theft, where your competitors can learn about your business practices and future plans.
With all this in mind, what are the risks for you as a customer, as a social network user, or as a company? What particular type of data breach might affect you, depending on the data you’re storing? And how can data breaches be prevented? Check out these statistics and find out what you should be on the lookout for, as well as what steps you should take to minimize damage if you’ve been compromised.
Key Data Breach Stats Takeaways
According to the Breach Level Index, roughly 10 billion records have been breached since 2013
The average total cost of a data breach is $3.86 million
24% of breaches affect healthcare organizations
In 2018, a Facebook breach exposed the access tokens of roughly 50 million accounts
97% of organizations use sensitive data within digitally transformative technologies
Phishing and pretexting represent 93% of social attack-based breaches
General Data Breach Statistics
1. You have a 27.9% chance of experiencing a data breach of at least 10,000 records within the next two years.
With 6,466,440 records breached every day worldwide, this should come as no surprise. The threat is real and affects individuals and businesses alike. In both cases, the best steps to take are the following: act quickly, seek help, and stop the problem from spreading. The quicker the recovery, the less it will cost you, especially if you’re a small business. Unless you play it smart, you might not recover.
2. It takes organizations around 197 days to detect a breach.
Cybersecurity statistics from 2018 by the Ponemon Institute provided this invaluable insight. The mean time to contain the breach (MTTC) was 69 days. Companies that contained a breach in less than 30 days saved over $1 million.
3. The average total cost of a data breach is $3.86 million, and the average total one-year cost increase is 6.4%.
According to the Ponemon Institute, the overall cost of a data breach involves many more losses than you can imagine. There are the business disruption and revenue loss from system downtime, the lost customers that no longer trust your brand, the new customers you will fail to acquire, and finally, the lawsuits.
Recent trends suggest that the consequences of company data breaches are only going to get worse. The average total cost of a data breach, the average cost for each lost or stolen record (per capita cost), and the average size of data breaches have all increased in 2018.
4. The average cost for each lost record increased by 4.8%, from $141 to $148.
The United States, Canada, and Germany continue to have the highest per capita costs of cyber breaches at $233, $202, and $188, respectively. Turkey, India, and Brazil have much lower per capita costs at $105, $68, and $67, respectively. The increase isn’t too worrying, but the steady rise is still underway.
5. Europe’s General Data Protection Regulation fines for noncompliance may be as high as €20 million.
Paragraph 5 of Article 83 of the GDPR sets the upper tier of administrative fines at €20 million or 4% of worldwide annual turnover, whichever is higher. Note that fines are for infringements of the regulation, not for being hacked as such, although a breach often exposes infringements such as inadequate security measures or late notification. The Office of the Australian Information Commissioner (OAIC) implemented the mandatory Notifiable Data Breaches (NDB) scheme in February 2018. It requires organizations to notify the OAIC of data breaches likely to result in serious harm, and to notify the affected individuals as well.
Mandatory notification seems like a particularly good idea, since companies often take a long time to admit to data breaches, and initial figures are frequently revised upward. In the 2013 Adobe breach, for example, the firm originally said that 2.9 million accounts had been affected; it was later revealed that the figure was 38 million.
6. 73% of breaches are perpetrated by outsiders, 28% by internal actors, 2% by partners, and 2% by multiple parties.
The scariness of this stat comes from the fact that more than 1 in 4 breaches involved one of the company's own people. And we don't just mean the ones who clicked on a dodgy link. The 2018 Verizon Data Breach Investigations Report (DBIR) found that insider attackers were mainly motivated by financial gain and espionage, along with honest mistakes. System administrators were the top internal actor, responsible for 25.9% of insider breaches.
7. 50% of data breaches were carried out by organized criminal groups, while 12% of the attackers were identified as government-related or those affiliated with a nation-state.
The report also shows that organized cybercrime has replaced the lone guy in a hoodie. These groups have resources, large botnets, and the internal structure of a legitimate company. State-affiliated groups were involved in more than 1 in 10 breaches worldwide.
8. 48% of breaches featured hacking, 30% included malware, 17% were social attacks, 12% involved privilege misuse, and 11% were physical actions, according to Verizon’s look into data breaches from 2018.
Several of these action types are often used in a single breach, for example malware or ransomware serving as a diversion for data theft, so the percentages overlap rather than adding up to 100%. That is why the report counts action varieties per breach rather than one cause per incident. The use of stolen credentials (hacking) took the lead, with RAM scrapers (malware), phishing (social), and privilege abuse (misuse) trailing behind.
9. According to Verizon’s cyber attacks statistics from 2018, 24% of breaches affected healthcare organizations, 15% of breaches involved accommodation and food services, and 14% were breaches of public sector entities.
The healthcare industry has the dubious distinction of being the only one with a greater insider threat than an external one. This somewhat bleak finding is closely linked to the large number of errors and cases of employee misuse in the sector. Healthcare is almost seven times more likely to feature a causal error than other verticals in Verizon's dataset.
So how can security breaches be prevented in healthcare? One huge step would be refusing to pay ransoms, and another is keeping an inventory of connected medical and IoT devices. Paying a ransom might seem like the best option to a healthcare organization under pressure, but it signals to criminals that you are a paying client, which makes follow-up attacks far more likely. Also, the industry's huge number of IoT devices, many with default credentials, increases the risk of quick and easy breaches.
10. 58% of the victims are categorized as small businesses.
By small business, the 2018 Verizon report means organizations with fewer than 250 employees. Most people are surprised to hear that small businesses are hackers' primary targets, but according to recent data breach statistics, it's true. These incidents rarely make the news, which is probably why they seem so invisible. Remember the 2013 Target breach, when tens of millions of people lost their credit card details to hackers?
Here's what most people don't know: Target's network was infiltrated via a small HVAC contractor. The attackers stole that contractor's credentials for Target's vendor systems and used them as their way in. Small businesses lack sufficient security measures and, most of all, properly trained personnel. They also neglect to back up their files (ransomware bait right there). And finally, they are often used as the stepping stone for attacks on the bigger companies they work with.
11. 60% of small to mid-sized businesses forced to suspend operations after a cyber attack never recover enough to reopen for business.
Within 6 months of a successful cyber attack, most businesses of this size never recover. Frankly, most small businesses lack the resources to do so, which means a breach can cost you everything. For a company of this size, the IT department has to protect user identities, devices, the network, and cloud services, which often means juggling separate security tools for each. Additionally, small businesses usually lack proper insurance coverage and the means to pay a ransom in case of ransomware. They also lack the resources and the infrastructure to handle damage to their reputation.
12. Over 6,500 incidents that resulted in compromised data were disclosed publicly in 2018.
How many data breaches were there in 2018? The number of publicly known data breaches has decreased when compared to 2017, despite harsher breach notification legislation. Two-thirds of these breaches targeted businesses, according to a report from security intelligence vendor Risk Based Security (RBS).
13. A malicious email was the source of the installation of 49% of non-POS malware.
Social engineering is hugely successful at extracting data. One of the most significant takeaways from the report is that phishing and pretexting represent 93% of social attack-based breaches. Email remains the most common vector for social attacks, with 99% of the actors external to the organization. 59% of phishing and pretexting attacks are motivated by financial gain, with a further 38% attributed to espionage.
14. 76% of breaches were financially motivated.
According to Verizon's report, 68% of breaches take months or longer to be discovered. This gives criminals a lot of time to put your data up for sale on the black market. In his 2018 report for Bromium, Dr. Michael McGuire combined data he gathered on the dark web with a McAfee report.
He arrived at the following estimates: credit card data is worth approximately $10 per record (the average sale value in 2016/2017). With 1.5 billion stolen records available at $10 each, the total revenue is $15 billion. Banking or payment system data is worth $114 billion. Login credentials are worth approximately $495 million. Stolen cards account for an estimated $30 billion in losses. And finally, the entirety of stolen data revenue amounts to $160 billion.
15. 13% of these breaches were initiated to gain a strategic advantage (espionage).
Some of the biggest cyber attacks show that advanced hacking groups are becoming bolder when conducting campaigns, with the number of organizations targeted by the biggest campaigns rising by almost a third. A combination of new groups emerging and attackers developing successful strategies for breaking into networks has seen the average number of organizations targeted by the most active hacking groups rise from 42 between 2015 and 2017 to an average of 55 in 2018.
According to recent reporting on these breaches, hackers associated with China's Ministry of State Security breached Hewlett Packard Enterprise and IBM, then used that access to reach their clients' networks. These network attacks suggest that China's strategic plan to produce higher-value products and services is taking off, and that foreign intellectual property is valuable to that effort.
16. In the case of 68% of breaches, it took months or longer before they were discovered.
The longer it takes to both detect and contain a breach, the costlier the repairs, and the angrier your users. With the new legislation in Europe, Australia, and the US, a failure to notify your users or the regulator about a relevant breach can result in large fines. And yet, cyber crime facts and statistics are still expected to get worse.
If you want to avoid sanctions in 2019, follow the prescribed security protocols, and notify the authorities as quickly as possible. Also, don’t be tempted to play along with the attackers or pay a ransom. This would put you on the “payer” list, thereby increasing your risk of repeated attacks significantly.
17. 97% of people are using their sensitive data on digitally transformative technologies.
If faced with a choice between safety and convenience, most organizations choose convenience and run the risk of major cyber attacks. The 2019 Thales Data Threat Report concluded that organizations are using, and therefore exposing, a huge amount of confidential data entrusted to them by their users. The sensitive data includes client information, credit card details, payment or financial records, intellectual property, and even business databases or contract records.
18. Less than 30% of respondents use data encryption in these cases.
The 2019 Thales Data Threat Report also found some key areas where encryption rates are higher, such as IoT (42%), containers (47%), and big data (45%). Data encryption renders information unreadable, and therefore useless to an attacker who steals it, which protects corporate secrets and other confidential information even after a breach.
19. 44% of users consider the complexity behind data security as a perceived barrier to implementing it.
For reasons of competitiveness and usability, more and more companies are moving to cloud or multi-cloud environments. The data is stored either by the company itself or by a third party, which makes it harder to secure, says the 2019 Thales Data Threat Report. Most organizations find it difficult to manage all these security challenges and implement proper safeguards. What's more, for smaller and mid-sized companies, budget constraints and staff shortages make the task even more difficult.
20. IDG Research reports that 25% of companies don’t have a cloud-first policy. Security concerns played a big role in this.
The ongoing migration of data to the cloud changes the security picture. Data sits in shared infrastructure operated by a provider and is readily available to employees from anywhere; if it is easy for you to reach, it is also easier for an attacker who obtains credentials or an access token. In one of the biggest data breaches of 2018, attackers abused a flaw in Facebook's "View As" feature to steal access tokens for about 50 million accounts. Because those tokens could be used with Facebook Login, accounts on third-party services that rely on the feature were potentially exposed as well.
21. 59% of companies in the UK and the US experienced a data breach after going through a third party. Only 16% consider their third-party risk management systems effective enough.
The results of the third annual Ponemon Institute’s “Data Risk in the Third-Party Ecosystem” study remind us that the worldwide data hack risks are beyond our control more than we realize. Even with proper employee training, antivirus software, and firewalls, our data is at huge risk. A company might use a third-party hosting service that again works with a fourth-party systems integrator. The oversight of suppliers isn’t something many companies can afford or manage.
To top it off, data protection regulations will hold your company accountable even if a third party was at fault. Also, in the case of 2018's US information security breaches, as many as 61% of companies had a vendor or third-party data breach. That's up 5% from 2017, and 12% from 2016.
22. In a 2018 Ponemon Institute survey, 52% of organizations that maintained IoT inventory said they had at least 1,000 IoT devices. However, the real study average was actually 15,000.
Knowing exactly what type of data you are storing, where you are storing it, and what the potential liabilities might be is of vital importance when implementing data security. As Aon's 2019 Cyber Security Risk Report concluded, most organizations can't even do that. What causes data breaches? Criminals and human error, naturally. But most of all, it's the failure of organizations to mind the details and do an honest assessment of their weaknesses. Weak passwords, untrained staff, improper configuration, and an outdated OS are all on you.
23. In the last year, 21% of companies experienced an attack or breach because of unsecured IoT devices, and 18% said the attacks were caused by third-party devices.
In a more ridiculous recent breach, hackers stole a casino's high-roller database by first compromising an internet-connected thermometer in a fish tank in the lobby. Devices with simple functions and default passwords that are rarely changed (if ever) are particularly easy targets. An IoT device is an easy way to gain a foothold in a network.
24. Media reports surrounding 2018’s biggest data breaches have speculated that each company involved could face a potential fine of at least $500 million if certain GDPR violations are discovered.
Data breach statistics from 2018 and 2017 must have scared individuals and governments on a global scale to produce these regulations. In January 2019, Google was fined €50 million for their failure to disclose to users exactly how their data is collected across services, including the Google search engine, YouTube, and Google Maps.
British Airways could lose £500 million over the 2018 data leaks.
25. Only 4% of breaches were “secure breaches” in which proper encryption was used and no stolen data could be taken advantage of.
According to the Breach Level Index, nearly 10 billion records have been stolen or breached since 2013, and in only the measly 4% of breaches mentioned above was the data properly protected. Here's the deal: proper encryption is a bother for most companies, so they often switch it off or never turn it on. Every time you want to run an operation on the data, you first have to decrypt it, which adds latency and complexity. As the stats tell us, that makes encryption unattractive to users.
So how can you protect your customer data? A Medium article from June 2018 proposes homomorphic encryption as one alternative. It lets companies run certain computations and analytics on data while it stays encrypted. Until recently, this was far too slow; however, IBM's homomorphic encryption library now runs up to 75 times faster, according to a paper published by the International Association for Cryptologic Research.
26. 27% of all data breaches were unintentional or inadvertent in nature, according to the 2018 Verizon report.
So what percentage of data breaches is caused by human error? Roughly a quarter, and considerably fewer than in 2013. Back then, accidents were behind more than half of the data breaches that took place, according to the Information Commissioner's Office. The figure covers human error and system glitches, including both IT and business process failures.
27. 48% of data breaches involved a malicious or criminal attack.
What causes the highest percentage of data breaches? Criminals, according to Verizon’s most recent report. They’re the bad guys with nasty intentions for organizations in all countries. The most common types of malicious or criminal attacks include malware infections, criminal insiders, phishing/social engineering, and SQL (structured query language) injection.
Cyber Attack Statistics by Year
28. In 2014, 145 million eBay records became compromised in a major breach.
The attack, which took place sometime between late February and early March, gave the attackers access to the names, encrypted passwords, email addresses, postal addresses, phone numbers, and dates of birth of eBay's customers, ranking this event among the biggest corporate security breaches. eBay came under fire over its handling of the breach, in which hackers accessed the personal data of all 145 million of its users.
29. Yahoo's 2013 data breach was even more massive, with all 3 billion of its user accounts compromised.
Yeah, that's all of them, no user was left unbreached. The next biggest data breaches are the Marriott hotel breach disclosed in 2018, with 500 million guest records exposed, and (you're not gonna believe this one) another Yahoo hack from 2014. The 2014 breach also compromised 500 million user accounts.
In the 2014 breach, a simple spear-phishing email gave the attackers access to Yahoo's user database, making this one of the biggest data breaches of all time, but they forged cookies for only about 6,500 accounts. Targets included an assistant to the deputy chairman of Russia, an officer in Russia's Ministry of Internal Affairs, Russian journalists, officials of states bordering Russia, and US government employees.
30. In the 2014 Sony data breach, $8 million was paid to employees over hacked data
The data stolen from Sony Pictures included personal information on employees and their families, employee emails, salary information, and even copies of unreleased films. Soon after the breach, the hackers threatened 9/11-style attacks on theaters showing The Interview, a comedy depicting an assassination plot against North Korean leader Kim Jong-un.
Careers were ruined, and anxiety, fear, and stress were high for everyone involved, yet no amount of money was requested. This is one of those data breach examples where causing damage and embarrassment was the sole motivation. Remediation costs were first estimated at $40 million to $100 million. The eventual losses amounted to $100 million.
31. In 2017, the Equifax data breach affected 143 million consumers.
The attackers gained access to names, Social Security numbers, birth dates, addresses, and driver's license numbers when the credit reporting agency was hacked. As many as 209,000 credit card numbers were also compromised. Analysts at William Blair estimated that Equifax's costs for this crisis could run between $200 million and $300 million. And that's after insurance steps in.
32. The US Postal Service’s website exposed data on 60 million of its users.
It took the US Postal Service about a year after being notified to fix this weakness, which was publicly reported in November 2018. In one of the more alarming famous hacks, anyone with an account at usps.com could view account details for some 60 million other users, and in some cases modify account details on their behalf.
33. In July 2016, WikiLeaks released 19,252 emails and 8,034 attachments that were stolen from the US Democratic National Committee.
This is one of the most famous recent government breaches. Nearly 20,000 emails were released by WikiLeaks, providing an embarrassing inside look at the Democratic Party’s operations on the eve of the Democratic National Convention.
34. Timehop, the social media app, had 21 million users’ data stolen.
Timehop collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter, and Foursquare and resurfaces them, cashing in on your nostalgia much like Facebook's memories feature. This cloud data breach took advantage of an obvious flaw: the cloud account from which the data was stolen was not protected by multifactor authentication. That kind of oversight makes a password-based breach a breeze.
35. The "Collection #1" dump, published in January 2019 and loaded into Have I Been Pwned, exposed 773 million email addresses and passwords.
The world's most wide-reaching data breaches (not counting Yahoo, of course, because nobody bests Yahoo) have found a challenger. In most more or less famous cyber attacks, a single site is affected. This one, however, was a gargantuan compilation of emails and passwords from a large number of earlier breaches. Troy Hunt, the security researcher who runs Have I Been Pwned, analyzed the dump and added it to his database, which records email addresses exposed in known breaches. Anyone can search an email address on his website to check whether it has appeared in one.
To be clear, Have I Been Pwned itself was not hacked; the service only catalogs data stolen from other sites, which is exactly why a single entry in it can be this large. The final installment on this list of breached data ought to remind you: change all your passwords. Get a password manager. And finally, generate strong, unique passwords that cannot be guessed or looked up in a dump like this one.
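Have I Been Pwned also publishes the passwords from these dumps as SHA-1 hashes, searchable through its Pwned Passwords "range" API, and the way a client queries it is worth seeing because it never reveals the password. The block below is an added example, not code from the article or from Have I Been Pwned: it hashes the candidate password, sends only the first five hex characters of the hash, and compares the returned suffixes locally. The network fetch uses the real endpoint URL, but the demo runs offline against a constructed response whose counts are made up; `fake_fetch` and `SAMPLE_RESPONSE_5BAA6` exist only for this demonstration.

```python
import hashlib
import urllib.request

# Real endpoint: the client sends only a 5-character hash prefix (k-anonymity).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the format Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (prefix, suffix): the 5 chars sent to the API and the 35 kept local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines; return the count for our suffix, 0 if absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (not used by the offline demo). The request carries only
    the prefix, so the server cannot learn which password was checked."""
    with urllib.request.urlopen(PWNED_RANGE_URL.format(prefix=prefix)) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breach dumps (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The real API returns hundreds of lines; the counts here are made up for the demo.
SAMPLE_RESPONSE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
01C5A7B3B5F2B7C2D3F0E8A9B1C2D3E4F56:1
"""


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range, returning the constructed sample."""
    return SAMPLE_RESPONSE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 2019"):
        print(candidate, "->", pwned_count(candidate, fake_fetch))
```

A password manager or signup form can run this check before accepting a password; because only the prefix leaves the machine, the check is safe to run on passwords the user has not yet committed to.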
In 2018, relevant data breach notification legislation came into effect and changed everything for most of the developed world, including Europe, the US, and Australia. The first thing you’ll need to do if you want to stay safe and not pay immense fines is check out the new requirements in your region.
Secondly, you need to assess what type of data you’re storing and where, along with any potential liabilities, like IoT devices you weren’t even aware you had. You remember the casino breach where attackers broke in via a fish tank, right?
The costs of data breaches have increased, and yet companies and individuals worldwide don't seem inclined to improve their security practices. So what can companies do to protect your data from breaches? They can manage their security consistently across platforms and providers, train their staff to recognize phishing attacks, keep anti-malware software up to date, and apply multi-factor authentication.
As an individual, you are advised to use a password manager and unique passwords for every account, update your OS, and avoid downloading apps from dodgy sources. Data encryption is also a must, and if you're a smaller company with a bring-your-own-device policy, make sure you check all your devices. After all, you might be used as a foot in the door for an attacker targeting a larger company you work with.
Current data breach statistics are looking bleak, but if you follow the right protocol and make a fair assessment of your potential weaknesses, you’ll minimize potential risks. And remember, don’t go cheap with your security, or a particularly successful attack might cost you more than you can handle.