It seems like every time we read the news these days, we learn about the information of millions of people being breached. So how serious is the issue of data breaches and what impact does it have on individuals and businesses? We reveal the most interesting and recent data breach statistics and facts, many of which are highly disconcerting.
We’ll also take a look at the laws surrounding data breaches and what individuals can do to weather the effects of a data breach. Let’s get to the facts.
Data breach statistics and facts
We’ve collected the most interesting data breach statistics and facts from recent studies:
1. 65% of US companies have experienced a data breach
The 2019 Thales Data Threat Report conducted by International Data Corporation (IDC) surveyed 1,200 executives from nine countries, representing a range of industries. It found that almost two-thirds of US companies have suffered a data breach in the past, although this number could be higher given that many breaches go undetected for long periods of time. The US figure was slightly higher than the global figure of 60%.
2. California has suffered more data breaches than any other state in the last 10 years
A 2019 Comparitech study looked at the number of data breaches experienced by companies in each state, as well as the corresponding number of records exposed. California was by far the front runner with 1,493 breaches and 5.6 billion records exposed since 2008. In second place was New York with 729 breaches and 293 million records exposed and third place went to Texas with 661 breaches and 288 million records exposed.
3. A hacking attack occurs every 39 seconds
Computers analyzed in a University of Maryland study were attacked on average 2,244 times per day. This means that a single computer could be under attack more often than once a minute.
4. Companies that have experienced a breach underperform the market by more than 15% three years later
A 2018 Comparitech study examined the share prices of 24 companies listed on the New York Stock Exchange that had experienced major data breaches. We found that after two weeks (from the date the breach was made public), share prices had dropped by 2.89% on average. Although share prices tend to recover after that, when we looked at long-term results, we found that the share prices of affected companies didn’t keep up with the NASDAQ average. One year after the breach, companies underperformed the NASDAQ by 3.7% and after three years, companies were underperforming the NASDAQ by 15.58% on average.
5. 36% of US companies have experienced a data breach within the last year
The IDC study above found that more than one-third of US companies reported having suffered a data breach in the past year. Again, this could be higher due to the potential for as yet undetected breaches. The global figure was slightly lower at 30%.
6. Half of organizations spend only 6–15% of their security budget on data security
One of the key findings of the IDC study was that despite the massive threat that data breaches represent, many organizations aren’t allocating much of their budget to securing data.
7. 43 percent of data breaches affected small business victims
The Verizon 2019 Data Breach Investigations Report is based on analysis of more than 40,000 security incidents, including over 2,000 confirmed data breaches. It provides us with a trove of interesting facts, including who is involved in data breaches. Almost half of attacks affect small businesses, while 15 percent of data breaches affect healthcare organizations, and 10 percent of data breaches involve businesses in the financial sector.
8. Organized crime groups are responsible for 39 percent of breaches
The Verizon report also offers insight into who is responsible for attacks. Interestingly, more than one-third of breaches entail organized crime groups. Also of note, more than one-third involve internal personnel and more than two-thirds involve outsiders. Not surprisingly, 71 percent of data breaches are financially motivated.
9. 32% of data breaches entail phishing attacks
In its study, Verizon sought to discover how breaches occur and found almost one-third involve phishing attacks, 52 percent entail hacking, and 28 percent center around malware.
10. Discovery time for 56% of data breaches is months or longer
Wondering how long it takes for companies to discover and react to breaches? The Verizon report reveals it’s not as quick as you’d like, especially considering stolen credentials are involved in 29% of breaches. With more than half of companies taking months to discover a breach, by the time a company issues an email blast telling customers to change their passwords, it could already be far too late.
11. 4,800 websites per month are compromised with formjacking code
12. Enterprise ransomware attacks are up 12%
Ransomware attacks (which hold files or systems hostage) represent a huge threat to data security. According to Symantec, while the overall number of ransomware attacks is down 20 percent, the number of enterprise attacks is increasing.
13. Medical notes and prescriptions fetch $15–20 in the underground economy
Symantec’s report offers some intriguing insight into the underground economy, helping to show what might happen to data once it has been breached. Other examples include stolen medical records (worth $0.10–$35.00), retail shopping accounts (valued at $0.50–$99.00), and mobile phone online accounts (fetching $15.00–$25.00).
14. Full ID packages sell for $30–$100 on the black market
A full ID package comprises multiple pieces of PII such as name, address, phone number, SSN, email address, and bank account number.
15. Data breaches involving social media accounted for more than 50% of compromised data records in the first six months of 2018
The total number of data records breached during that period was reportedly 4.5 billion. More than 56 percent of those were due to breaches involving social media platforms. These included the Facebook-Cambridge Analytica scandal, other Facebook incidents, and a breach concerning the now defunct Google+ platform.
16. 635 US data breaches were reported in 2018
According to Privacy Rights Clearinghouse, 8,871 data breaches affecting US companies or customers have been made public since 2005. The highest numbers recorded were in 2012, 2013, and 2014 (885, 890, and 868 respectively).
17. The largest 2018 data breach affected up to 500 million people
18. $3.86 million is how much the average data breach costs
The IBM 2018 Cost of a Data Breach Study centered around interviews with more than 2,200 professionals from almost 500 companies across the globe. All companies represented had experienced a data breach within the 12 months prior. Although the overall number of data breaches reported seems to be trending downwards over time, individual breaches are becoming costlier and entail the loss or theft of an increasingly high number of consumer records. Of all breaches examined in the study, the average cost of a breach was $3.86 million, up 6.5% from the previous year. This cost includes things like lost business, notification costs, and other damages.
19. Each stolen record in a data breach represents a cost of $148
The same IBM study found the average cost of one stolen record is $148, up 4.8 percent from $141 in the previous year.
20. Employing an incident response team can reduce the average cost of a data breach by $14 per record
Another interesting statistic from this study was that hiring an incident response team didn’t affect the cost by a huge amount. At $14 per record, this is only an average saving of around 10 percent.
21. Lost business due to a data breach for a US organization costs on average $4.2 million
IBM broke down the cost of lost business for an organization based on the country it operates in. Data breaches tend to cost US companies far more than they cost businesses in other regions (the second highest was an average of $2.18 million). This is thought to be partially due to the increased difficulty in preserving customer loyalty in the US where so many alternative options for most products and services exist.
22. A breach involving 1 million records costs an average of $40 million
To put things in perspective, IBM reveals the average cost of a breach of a given size (in terms of records). A mega breach affecting 50 million records costs $350 million on average.
23. Human error is the cause of 27% of data breaches
It’s not always cyber criminals who are responsible for data breaches and, according to IBM, more than a quarter of breaches could have been avoided.
24. It takes an average of 197 days to detect a breach
While this is IBM’s figure across all industries, companies in the entertainment industry are reportedly the slowest, taking an average of 287 days to detect a data breach. Across industries, the average time to contain a breach is 69 days.
25. 41 percent of companies leave more than 1,000 sensitive files open for anyone
The 2018 Varonis Global Data Risk Report examines Data Risk Assessments (covering over 6 billion files in total) conducted by Varonis engineers, to determine the extent of exposure of critical and sensitive information within companies. One area of interest is the number of folders that are open for anyone in the company to view. 21 percent of all folders are left open and 58 percent of companies have more than 100,000 folders open. But perhaps more concerning is when sensitive files are left open. Sensitive files include those containing things like credit card information, health records, or regulated information such as that subject to GDPR, PCI, or HIPAA. Indeed, the study found that 41 percent of companies have more than 1,000 sensitive files available for anyone to view.
26. 57 percent of companies have inconsistent permissions associated with more than 1,000 folders
The same Varonis study found issues with inconsistent permissions. Inconsistent permissions occur in situations where files or folders either inherit extra access control or fail to inherit access controls. The former may result in users being granted access when they shouldn’t and poses a security risk. When files fail to inherit access controls, users may be unintentionally deprived of access, which could also cause issues. With 57 percent of companies having more than 1,000 folders with inconsistent permissions, this means that most companies don’t know exactly who has access to certain data.
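As an added illustration of the two Varonis findings above (sensitive files open to anyone, and folders that inherit more or fewer access controls than their parent), the following script, which is not from the Varonis report or this article, audits a constructed directory tree. It assumes POSIX group/other mode bits as a stand-in for ACL inheritance and hypothetical filename markers as a stand-in for the content classification a real assessment would perform.

```python
import os
import stat
import tempfile

# Hypothetical filename markers standing in for the content scanning a real
# data risk assessment would do (SSNs, card numbers, health or GDPR data).
SENSITIVE_MARKERS = ("ssn", "card", "health", "gdpr")

def audit_tree(root):
    """Return world-readable sensitive files and folders whose group/other
    permission bits differ from their parent (a stand-in for ACL inheritance)."""
    open_sensitive, inconsistent = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        parent_bits = stat.S_IMODE(os.stat(dirpath).st_mode) & 0o077
        for name in dirnames:
            child = os.path.join(dirpath, name)
            child_bits = stat.S_IMODE(os.stat(child).st_mode) & 0o077
            if child_bits != parent_bits:
                # Bits present on the child but not the parent grant extra access;
                # bits missing on the child deprive users the parent allowed.
                kind = "extra access" if child_bits & ~parent_bits else "reduced access"
                inconsistent.append((os.path.relpath(child, root), kind))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # File-level check only: "open for anyone" means the others-read bit is set.
            if mode & stat.S_IROTH and any(m in name.lower() for m in SENSITIVE_MARKERS):
                open_sensitive.append(os.path.relpath(path, root))
    return {"open_sensitive": sorted(open_sensitive), "inconsistent": sorted(inconsistent)}

def build_sample_tree():
    """Create a constructed directory tree (sample data, not a real assessment)."""
    root = tempfile.mkdtemp(prefix="acl_audit_")
    folders = {
        "hr": 0o750,               # same group/other bits as root: consistent
        "hr/payroll": 0o755,       # inherits extra access: others can now traverse
        "public": 0o750,
        "public/internal": 0o700,  # fails to inherit: group loses access
    }
    files = {
        "hr/payroll/employee_ssn.csv": 0o644,  # sensitive and world-readable
        "hr/notes.txt": 0o640,
        "public/card_numbers.txt": 0o600,      # sensitive but restricted
        "public/readme.txt": 0o644,            # open but not sensitive
    }
    for rel in folders:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(root, 0o750)
    for rel, mode in folders.items():  # chmod folders last so the writes above succeed
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    for key, items in audit_tree(build_sample_tree()).items():
        print(key, items)
```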
27. In 2018, the number of exposed PII records went up 126% from 2017
The Identity Theft Resource Center (ITRC) examined publicly available data breach disclosures and released its key findings for 2018. While it found the total number of data breaches was down 23 percent in 2018 versus 2017, the number of records containing Personally Identifiable Information (PII) was up drastically.
28. The business sector experienced the most data breaches in 2018
ITRC looks at which sectors experience the most breaches. The business sector led the pack with 571 breaches, and in second place was the healthcare field with 363 breaches in 2018.
29. In 2019, attackers will focus on biometric hacking to facilitate data breaches
Experian Information Solutions uses its vast experience in data security to make predictions for the data breach field. One of the primary predictions in its 2019 Data Breach Industry Forecast is that hackers will focus on exposing vulnerabilities in biometric authentication systems, such as touch ID sensors and facial recognition software.
30. Digital card skimming is set to cause massive losses for major companies
Another interesting insight from the Experian forecast is that card skimming is set to continue to evolve. Earlier we mentioned that almost 5,000 sites per month are attacked with card skimming malware (aka formjacking). These types of attack have evolved from physical offline attacks whereby card readers are used to record card information from ATMs and points of sale. Cyber criminals have taken card skimming to the next level by using formjacking malware to attack ATMs and computer systems. Skimming malware has already been used to successfully attack large companies such as British Airways, Ticketmaster, and Newegg, but Experian predicts that the technique will likely become more refined in the near future. Specifically, it sees an attack on a major financial institution happening soon.
31. It’s simply a matter of time before a top cloud vendor is breached
One more observation from Experian that may alarm cloud users is that cloud systems are currently seriously under-monitored. This paves the way for cyber criminals to step in and launch a potentially catastrophic attack that could affect multiple major companies at once.
32. Cyberattacks and data fraud or theft are named as some of the biggest global risks
The World Economic Forum Global Report 2019 outlines the biggest global risks, including natural disasters and weapons of mass destruction. In terms of likelihood, data fraud and theft come in fourth and cyberattacks are number five. Cyberattacks rank seventh in terms of impact, ahead of man-made environmental disasters and the spread of infectious diseases.
Reporting of data breaches
Until fairly recently, it was common to learn of a data breach well after it took place. We might learn of a massive breach months or even years after the fact. In some cases, this could be because the company itself did not discover the breach for a long time. However, in other cases, it has come to light that businesses have hidden breaches or the facts surrounding them, in order to prevent damage to the company’s reputation.
For example, in 2017, it was revealed that Uber had covered up a 2016 data breach affecting 57 million customers. And as recently as October 2018, Google admitted to a data breach affecting half a million users that had begun three years prior and was discovered in March 2018.
Obviously, not notifying customers about a breach represents a huge privacy threat as they won’t know to take measures to mitigate any potential damage. For example, if you know your password has been breached, then you’ll change your password.
In order to protect citizens’ right to know when their privacy has been breached, many countries now have firm laws in place mandating what companies need to do in the case of a discovered data breach. These laws center around reporting of the breach and notifying customers, but may also cover things like how breach information should be recorded and stored.
For example, at the end of 2018, Canada made changes to The Personal Information Protection and Electronic Documents Act (PIPEDA), outlining exactly how organizations subject to the act need to react to a data breach. Also in 2018, Alabama became the final state in the US to enact a data breach notification law.
What can individuals do about data breaches?
Individuals are heavily dependent on companies to safeguard their information. They also trust that they will be notified as soon as possible after a breach is discovered. That being said, there are some steps you can take to safeguard your data:
- Use strong, unique passwords: This way, even if someone has your username or email, it will be difficult for them to break into an account. Long strings of letters, numbers, and symbols are a good idea. Passwords should also be unique to each account in order to prevent hackers from using a breached account’s login information on other accounts, an attack known as credential stuffing. You can use a password manager to help you generate and remember passwords.
- Adhere to warnings: If you hear about a breach in the news or receive a notification from a company you deal with, act right away. Change your password immediately and find out what information may have been breached so you can take action. For example, if your credit card number may have been leaked, you might want to replace it.
- Watch out for phishing emails: Although you should take breach notifications seriously, note that this could also be a tactic used by cyber criminals. Fraudsters may send phishing emails (under the guise of password reset emails) that lead to a fake (phishing) site designed to steal information such as login credentials. If you do get a password reset email, make sure it’s legitimate by checking for common signs of a phishing email such as a misspelled company name or poor grammar. You can also skip the links altogether and go directly to the company website to change your password.
- Look for secure sites: When carrying out online activities, especially those involving financial or personal information, make sure you’re using a trusted website (one that begins with https://). Even if you spot a good deal, it’s not worth handing over your payment information to a company that isn’t going to safeguard your data.
- Use a VPN: Avoid things like online banking and shopping when connected to public wifi networks. Using a VPN can encrypt your connection and keep your data safe from hackers and other snoopers, even on unprotected wifi.
- Use Two-Factor Authentication (2FA): If your credentials are exposed in a data breach, 2FA or Two-Step Verification (2SV) can prevent a criminal from accessing your account.
- Use Have I Been Pwned?: Sign up to this website to get a quick notification in case your email address has been involved in a data breach. Note you need to sign up separately for every email address you use.
- Monitor your accounts: You can’t always trust that a financial institution or payment platform will catch something awry with your account. Check statements regularly to make sure no one has access and check your credit report to ensure no new accounts have been opened in your name. Don’t forget to check loyalty and reward accounts too; these are often forgotten, but can be of great value to criminals. Identity theft protection services can automate some of these checks.