The costs of data breaches
According to IBM's Cost of a Data Breach Report 2024, based on 604 organizations that suffered a breach in the preceding year, the global average cost of a data breach is now $4.88 million, up 10% from $4.45 million the year before. That figure is the sum of four cost centres: detection and escalation, notification, post-breach response, and lost business.
The US remains the most expensive country for a breach, at an average of $9.36 million, with the Middle East close behind at $8.75 million. In the European Union the average exceeds $5 million.
For mega breaches, that is, breaches involving 1 million or more compromised records, total costs are far higher: about $42 million for breaches of 1 to 10 million records, rising to roughly $375 million for breaches of 50 to 60 million records.
Nearly half of the data breaches analyzed in the report involved personally identifiable information (PII) belonging to customers, while 37% of the breaches involved employee PII.
70% of the organizations surveyed by IBM reported a significant or very significant disruption to their business as a result of the breach. Even those reporting only minor disruption saw costs that were only marginally lower.
Almost 90% of organizations had to report their breach to regulators or other government agencies. About one-third also paid fines: of these, 56% paid between $50,000 and $250,000, and 25% paid more than $250,000.
Approximately 80% of companies said they required 100 or more days to fully recover from a data breach.
Breakdown of data breach costs
IBM’s report categorizes the costs of a data breach into four main areas:
- Detection and escalation: forensic and investigative activities, assessment and audit services, crisis management, communications with executives and boards. The average cost in this category is $1.63 million, or 33.4% of the total average cost of a data breach.
- Notification: emails and other kinds of communication with affected individuals, determination of regulatory requirements, communication with regulators, and engagement of outside experts. The average cost of notification is $0.43 million, or 8.8% of the total average cost.
- Post-breach response: help desk and inbound communications, credit monitoring and identity protection services, issuing new accounts or credit cards, legal expenditures, product discounts, and regulatory fines. Post-breach response cost an average of $1.35 million, or 27.6% of the total.
- Lost business: business disruption and revenue losses due to system downtime, cost of losing customers and acquiring new customers, reputational damage, and diminished goodwill. The average cost of lost business is $1.47 million, or 30.1% of the total.
Data breach costs by industry
The five industries with the highest average cost per data breach in the 2024 report are:
- Healthcare ($9.77 million): hospitals and clinics.
- Financial ($6.08 million): banking, insurance, and investment companies.
- Industrial ($5.56 million): chemical processing, engineering, and manufacturing companies.
- Technology ($5.45 million): software and hardware vendors.
- Energy ($5.29 million): oil and gas companies, utilities, and alternative energy producers and suppliers.
Contributing factors to data breaches
Over half of the organizations IBM surveyed reported a high-level security staffing shortage as a contributing factor, and the share reporting one grew 26% over the previous year. AI-based security tooling narrows that gap (the report credits extensive use of security AI and automation with substantially lower breach costs) but does not close it: someone still has to build, tune, and act on what the tools produce.
Another reported factor was the uncontrolled proliferation of data, producing "shadow data" that nobody has inventoried or classified. Shadow data was involved in roughly a third of breaches, and those breaches cost about 16% more than breaches without it; breaches of data spread across multiple environments (public cloud, private cloud, and on-premises) were both the most common and the most expensive. The practical lesson is that PII detection and discovery is an ongoing practice, not a one-off: you cannot protect, encrypt, or delete records you do not know you hold, and a single authoritative store for sensitive data is far easier to defend than copies scattered through exports, logs, and analytics buckets.
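As an added illustration of what "PII detection and discovery" amounts to in practice (this is example code written for this page, not material from the IBM report), the following Go program scans a set of constructed sample stores standing in for a database export, an S3 analytics export, an application log and a wiki page, and inventories where PII has spread. The store names and their contents are invented, and the three detectors (e-mail, US SSN, and payment card numbers filtered by a Luhn checksum) are this example's assumptions about what to look for; a real programme would add its own patterns and classifiers.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one PII hit: the store it sits in, the kind, and a masked copy of the value.
type Finding struct {
	Location string
	Kind     string
	Value    string
}

// Detectors for three PII classes. The card pattern deliberately overmatches
// any 13-19 digit run and relies on the Luhn check below to drop order IDs.
var (
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	cardRe  = regexp.MustCompile(`\b(?:\d[ -]?){13,19}\b`)
)

// luhnValid reports whether a digit string passes the Luhn checksum that
// payment card numbers carry; non-digit input fails.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// mask keeps only the last four characters so the report itself does not
// become yet another copy of the PII.
func mask(s string) string {
	if len(s) <= 4 {
		return "****"
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// Scan runs every detector over every store and returns findings sorted by
// location and kind, so the output is stable regardless of map order.
func Scan(stores map[string]string) []Finding {
	var out []Finding
	for loc, content := range stores {
		for _, m := range emailRe.FindAllString(content, -1) {
			out = append(out, Finding{loc, "email", mask(m)})
		}
		for _, m := range ssnRe.FindAllString(content, -1) {
			out = append(out, Finding{loc, "ssn", mask(m)})
		}
		for _, m := range cardRe.FindAllString(content, -1) {
			digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
			if luhnValid(digits) {
				out = append(out, Finding{loc, "card", mask(digits)})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Location != out[j].Location {
			return out[i].Location < out[j].Location
		}
		return out[i].Kind < out[j].Kind
	})
	return out
}

// CountByLocation gives the inventory a shadow-data programme needs: every
// place PII has spread to, and how much of it is there.
func CountByLocation(fs []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range fs {
		counts[f.Location]++
	}
	return counts
}

// sampleStores is constructed sample content (no real data) standing in for
// stores spread across environments.
var sampleStores = map[string]string{
	"prod-db/customers.csv":         "id,name,email,ssn\n1,Jane Doe,jane.doe@example.com,123-45-6789\n",
	"s3/analytics-export-2023.json": `{"user":"jane.doe@example.com","card":"4111 1111 1111 1111"}`,
	"app-server/debug.log":          "2024-05-01 INFO order=1234567890123456 user=jane.doe@example.com\n",
	"wiki/onboarding.md":            "Ask your team lead for a reviewer. No customer data lives here.",
}

func main() {
	findings := Scan(sampleStores)
	for _, f := range findings {
		fmt.Printf("%-32s %-6s %s\n", f.Location, f.Kind, f.Value)
	}
	for loc, n := range CountByLocation(findings) {
		fmt.Printf("%s holds %d PII values\n", loc, n)
	}
}
```

The log line is the instructive case: the customer's e-mail has leaked into a debug log that nobody classified as a PII store, while the 16-digit order number is correctly rejected by the Luhn check. That is exactly the kind of shadow copy the report is describing, and the scan output is the inventory you need before any encryption or retention policy can be applied to it.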
Top attack vectors
The most common initial attack vectors behind data breaches were phishing and stolen or compromised credentials. Phishing is itself largely a way of harvesting credentials, so both vectors come down to the same thing: an attacker logging in as a legitimate user. That makes identity and access management (IAM) the first place to invest, with phishing-resistant multi-factor authentication, least-privilege access, and prompt revocation of credentials that are known to be exposed.
What increases and reduces data breach costs
According to companies surveyed by IBM, the following were the top factors causing data breaches to be more expensive:
- Complex security systems. A typical example is relying on the native data protection features of every database and storage service in use, each configured and monitored separately, instead of putting one data protection layer in front of all of them.
- A shortage of the skills needed to build and operate a robust data protection system.
- Third-party integration issues. Every third party you integrate with becomes a dependency on that party's security measures, and you inherit part of the risk when those measures fall short.
On the other hand, the following factors helped reduce data breach costs:
- Employee training. Making employees a competent part of the company’s security system instead of being a weak link in it can go a long way towards cutting data breach costs.
- AI and machine learning-driven insights across breach prevention, detection, investigation, and response.
- Having a good security information and event management system (SIEM) in place. You can’t secure what you can’t see.
- Incident response planning. Knowing in advance what your company needs to do when an incident occurs, who does it, when, and why, and having tested that plan.
- Data encryption. If someone does get into your systems and copies data out, make sure they can't do much with it. Encryption and tokenization are two data protection techniques that, implemented correctly, render stolen data useless to an attacker even if they get hold of it. The caveat is that "correctly" means the keys, or the token vault, are held separately from the protected data; encrypting a database with a key stored next to it protects against little more than a lost disk.
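The point made in two of the bullets above, one data protection layer in front of every store rather than a different mechanism per database, and encryption plus tokenization that leave a stolen copy worthless, can be shown concretely. The Go program below is an added example written for this page, not the report's or any vendor's code: a single vault encrypts one field with AES-256-GCM, keeps it searchable through an HMAC-SHA256 blind index, and replaces another field with a random token, so that the table the application actually stores is useless without the vault. The type names (Customer, ProtectedRecord, Vault), the constructed sample record, and the in-memory key and token storage are this example's assumptions; in production the vault would be a separate service backed by a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Customer is a constructed record as the application sees it.
type Customer struct {
	Email string
	SSN   string
}

// ProtectedRecord is what the database actually stores; a dump of it is useless without the vault.
type ProtectedRecord struct {
	EmailCT    []byte // AES-256-GCM, nonce || ciphertext || tag
	EmailIndex string // HMAC-SHA256 blind index: rows stay searchable by e-mail
	SSNToken   string // random token; the token-to-SSN map lives only in the vault
}

// Vault is the one data-protection layer every store goes through; keys and the token map never leave it.
type Vault struct {
	aead   cipher.AEAD
	idxKey []byte
	tokens map[string]string
}

func NewVault() (*Vault, error) {
	keys := make([]byte, 64) // 32-byte AES key followed by 32-byte HMAC key
	if _, err := rand.Read(keys); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(keys[:32])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, idxKey: keys[32:], tokens: map[string]string{}}, nil
}

// BlindIndex is deterministic, so the app can query by e-mail, but needs idxKey, so the stored value leaks nothing.
func (v *Vault) BlindIndex(email string) string {
	mac := hmac.New(sha256.New, v.idxKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(mac.Sum(nil))
}

// Protect runs before a write: the e-mail is encrypted under a fresh nonce and indexed, the SSN is tokenized.
func (v *Vault) Protect(c Customer) (ProtectedRecord, error) {
	nonce := make([]byte, v.aead.NonceSize())
	raw := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return ProtectedRecord{}, err
	}
	if _, err := rand.Read(raw); err != nil {
		return ProtectedRecord{}, err
	}
	token := "tok_" + hex.EncodeToString(raw)
	v.tokens[token] = c.SSN // the only place the SSN exists
	return ProtectedRecord{
		EmailCT:    v.aead.Seal(nonce, nonce, []byte(c.Email), nil), // Seal appends ct||tag to the nonce
		EmailIndex: v.BlindIndex(c.Email),
		SSNToken:   token,
	}, nil
}

// Reveal fails, rather than returning garbage, on a wrong key, a tampered record, or a token this vault never issued.
func (v *Vault) Reveal(r ProtectedRecord) (Customer, error) {
	ns := v.aead.NonceSize()
	if len(r.EmailCT) < ns {
		return Customer{}, errors.New("ciphertext too short")
	}
	email, err := v.aead.Open(nil, r.EmailCT[:ns], r.EmailCT[ns:], nil)
	if err != nil {
		return Customer{}, err
	}
	ssn, ok := v.tokens[r.SSNToken]
	if !ok {
		return Customer{}, errors.New("unknown token")
	}
	return Customer{Email: string(email), SSN: ssn}, nil
}

func main() {
	v, _ := NewVault()
	rec, _ := v.Protect(Customer{Email: "Jane.Doe@example.com", SSN: "123-45-6789"})
	fmt.Printf("stored row: %+v\n", rec)
	fmt.Println(v.Reveal(rec))
	stolen, _ := NewVault() // an attacker holding the table dump but not the vault
	fmt.Println(stolen.Reveal(rec))
}
```

The last two lines of main are the breach scenario: a second Vault with its own keys and an empty token map stands in for an attacker who exfiltrated the table, and Reveal fails for them on both fields. The blind index is what keeps this practical, since the application can still look a customer up by e-mail without the database ever holding the e-mail in clear; it also shows the trade-off, because equal e-mails produce equal indexes, so the index leaks equality (not content) and must be treated as sensitive in its own right.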
About two-thirds (63%) of the organizations that suffered a breach planned to increase their security investment as a result. The most common planned investments were incident response planning and testing, threat detection and response technologies, employee training, IAM, offensive security testing, data security and protection tools, managed security services, and insurance.