Data breaches are as old as digital technology itself. What's more, they've been on a consistent upward trend, always seemingly ahead of the latest cybersecurity improvements.
Whilst the consequences of these breaches can devastate individuals and businesses, at ProPrivacy, we believe in the power of information. With that in mind, we bring you the most relevant data breach statistics, the latest facts and trends for 2022, and tips on how to thwart the danger of different cyber threats.
Data breach statistics and facts
The latest advances in technology, the COVID-19 pandemic, a rise in remote working, the upsurge of cloud applications, and ensuing social developments have all utterly changed the business landscape as we know it. This has created space for new vulnerabilities – and even the return of some old ones.
Let's take a look at some of the latest data findings from a selection of studies:
1. Cyberattacks and digital inequality are amongst the top 10 biggest global risks
The Global Risks Report 2022, by the World Economic Forum (WEF), ranked cybersecurity failures seventh among the ten most significant risks facing the world in the next two years. Digital inequality is seen as the ninth biggest threat to the world, as approximately 3 billion people remain offline.
Many countries and businesses have quickly adapted to new forms of interaction and transfers amidst the pandemic, and this digital leap deepened the void between those online and offline, and created new opportunities for malicious attacks.
For comparison's sake, cyberattacks ranked eighth in the previous WEF report, meaning that the threat is expected to increase steadily over the next two years. WEF, somewhat optimistically, also expects cybersecurity failures to disappear from the top ten global risks chart within the next 5-10 years – however, the threat of adverse tech advances could replace it.
2. 56% of US organizations have experienced a data breach
According to the latest Thales Data Threat Report, more than half (57%) of US organizations have suffered a data breach. This number is probably even higher in reality, given that some breaches go undetected for long periods. Out of these breaches, approximately 47% happened over the last 12 months – marking a significant increase from 2020, when approximately 49% of companies had reported some kind of breach.
3. California is the leading US state for data breaches
A 2020 Comparitech study compared the number of data breaches suffered by US states, as well as the number of records exposed in each of the breaches. It was found that California suffered the most over the last 10 years, with over 1,777 data breaches leading to the exposure of approximately 5.6 billion records since 2008. New York state came in second, with 863 attacks and 295 million exposed records, and Texas claimed third place with roughly 819 attacks and 294 records exposed.
Unfortunately, California's cyber-troubles continue, with the state recording at least 600 new breaches since the beginning of 2021 to the present day.
4. 58% of European organizations have experienced a data breach
The situation looks no better as we move to Europe. The European edition of the Thales Data Threat Report showed that more than 58% of European organizations had experienced a security breach at some point – of these, over 42% said they had experienced a breach within the last 12 months.
5. Phishing continues to be the main attack vector, but ransomware is catching up
In 2020, there were 878 publicly reported cyberattacks in the US, affecting approximately 170 million individuals, according to the Identity Theft Resource Center (ITRC). Out of these, 44% (382) were phishing attacks, smishing attacks, and business email compromise (BEC) incidents.
The latest ITRC report revealed that, in 2021, the overall number of data breaches (1,862) was up 68% compared to 2020, and that 33% were composed of phishing, smishing, or BEC attacks. Ransomware was next in line on the threat list, however, accounting for 22% of all cyberattacks – a figure that's growing by the day.
6. Enterprise ransomware attacks are on the rise
Although phishing remains the most frequently used attack vector, the ITRC predicts that, at the current rate, ransomware attacks could surpass phishing scams in 2022.
What's more, Acronis predicted that damages from ransomware could easily exceed $20 billion this year. Ransomware attacks usually involve holding files or systems hostage, and represent an immense threat to the data security of individuals and organizations.
According to the Symantec Security Summary – April 2021, enterprises are becoming increasingly popular targets. It doesn't help that, despite 80% of companies experiencing a firmware attack over the last years, more than 20% of respondents admitted they still don't monitor their firmware data.
7. A hacking attack occurs every 10 seconds
A University of Maryland study demonstrated that a single device connected to the internet was attacked more than once a minute – every 39 seconds, to be precise. The computers used in the study were attacked 2,244 times a day on average. However, this study took place in 2007, almost 15 years ago. In recent times, given the tremendous development of our technology, attacks have multiplied. The latest Check Point cybersecurity report for 2021 shows that attacks now occur at least every 10 seconds.
8. Human error is behind 23% of data breaches
We tend to lay all the blame on the cybercriminals behind the attacks when talking about data breaches. However, according to IBM's 2020 study, almost a quarter of breaches, or 23%, are caused by human error. What's more, according to their earlier Cyber Security Intelligence Index report, human error was a major contributing cause in 95% of all breaches.
9. The average cost of a mega breach can reach $401 million
A mega breach is any breach that includes more than 1 million compromised records. Although mega breaches are not common, they can have a tremendous impact on entire industries, as well as their consumers. The average cost of mega breaches has shown steady growth since IBM security first published this analysis in 2018, in its Cost of a Data Breach Report. The cost of mega breaches involving between 1 and 10 million compromised records, for example, increased from $50 to $52 since 2020.
10. At least seven 2021 data breaches involved millions of leaked records
The most notable breaches in 2021 included the SocialArks data breach (318 million records), Android data breach (at least 100 million records), and T-Mobile data breach (over 54 million records).
Although the individual breaches caused fewer data exposures compared to last year (when the breaches exceeded billions), the attacks have increased in number and frequency.
Let's not forget the Log4J flaw, discovered in December of 2021, that put hundreds of millions of devices at risk. The full extent of the breach caused by this exploit is yet to be measured.
11. One of 2021's first data leaks involved 318 million records
SocialArks, a China-based company offering advanced business solutions, including marketing and brand building, suffered a massive data breach at the beginning of 2022. In January, the company experienced a cloud misconfiguration that exposed approximately 318 million records of 214 million social media users, including celebrities and influencers, from around the world.
The threat actors scraped all 400GB of the exposed data from Facebook, Instagram, and LinkedIn profiles. These records contained sensitive public and personal data such as names, addresses, contact information, work-related information, and subscriber data.
12. In 2021, only 20% of organizations reported a high level of preparedness
One of the key findings of the most recent Thales study was that, despite the number of cyber threats increasing year by year, only 20% of organizations believed they allocated enough budget towards their security infrastructure. Approximately 34% believed that they were somewhat prepared to handle security risks, 29% said that they were somewhat unprepared, and 17% admitted they were not at all prepared.
13. Affected companies' stocks underperform by over 15% three years later
Another Comparitech study observed the changes in the share prices of 24 companies trading on the New York Stock Exchange (NASDAQ) following large-scale data breaches. The study shows that, as a rule, two weeks after a breach becomes public, share prices drop by almost 3% on average.
Although share prices bounced back soon after, the long-term results show that they struggle to keep up with the NASDAQ averages. In fact, the gap widens over time. One year after the breach, companies usually underperform the NASDAQ by approximately 3.7%, and after three years, on average, they underperform by 15.58%.
14. Approximately 28% of data breaches affect small businesses
The Verizon 2021 Data Breach Investigations Report reviewed over 79,000 security incidents – including more than 5,200 confirmed data breaches. The investigation found that approximately 28% of data breaches involved small businesses. The report is full of additional data points, such as that 58% of victims had their personal data compromised, and that 8% of breaches involved misuse of data by authorized personnel.
15. Each stolen record in a data breach costs $161
The annual Cost of a Data Breach Report 2021 by IBM concluded that the average cost of a single stolen record is $161. Just a year earlier that cost was $150. The report offers results based on 537 real breaches for a better understanding of cyber risks in a changing world.
16. It takes approximately 287 days to identify and contain a breach
The IBM report further shows that breaches took a week longer to detect and contain in 2021 (287 days) compared to 2020 (280 days). The delay is also proportional to the damage, meaning that the longer it took to identify and contain a breach, the more costly the damage inflicted. The breaches identified and contained within 200 days resulted in a $3.61 million loss, and those only contained after 200 days yielded a $4.87 million loss.
This data is particularly disconcerting if you consider that compromised credentials are involved in over 60% of breaches. More often than not, by the time a company issues a warning to its customers urging them to take necessary security measures, the data has already been stolen.
17. Incident response systems reduce the cost of a data breach by almost $2.5 million
Using incident response (IR) teams and incident response plan testing (IR capabilities) continued to diminish losses in 2021. At the same time, the difference in average losses between breaches at companies with IR teams, and organizations without IR systems, continued to grow – from $1.77 million in 2020 (or 42.1%) to $2.46 million (or 54.9%) in 2021. Ultimately, this gap has expanded by 12.8% within a year, a trend which is expected to continue throughout 2022.
18. Business lost to a data breach costs $1.59 million
According to IBM, the cost of data breaches comprises four main segments: detection and escalation, notification, post-breach response, and lost business. Lost business was responsible for the largest portion of costs caused by breaches in 2021, with the average total cost sitting at $1.59M, or 38%, of the overall average. That's a slight increase from 2020, when the average total cost of lost business was $1.52 million. Increased customer turnover, loss of revenue during the system downtime, and costs of diminished reputation all contribute to the massive repercussions of lost business.
19. 70% of Cloud organizations suffered a data breach
The State of Cloud Security report by Sophos explained that at least 7 out of 10 cloud infrastructures experienced a breach in 2020. The report also identified the two main root causes for cloud-related security incidents:
- Stolen or phished credentials
- Misconfiguration leading to a breach
The most recent Acronis Report warned that the rising popularity of cloud services and serverless computing goes hand in hand with ever-increasing risks of API attacks.
20. Cybersecurity failures aggravated by 12.4% since the pandemic started
Cybersecurity failures rank in at number seven on the WEF Global Risk Report. Amongst the top ten threats that have worsened since the beginning of the Covid-19 pandemic, cybersecurity failures saw a 12% increase – overtaking the risk of infectious disease (which increased by 10.5%). The number one risk, somewhat unsurprisingly, is the risk of the erosion of social cohesion, which has become greater even than livelihood crises after the peak of the pandemic.
21. Only 1 in 3 organizations have adopted a Zero Trust approach
The Zero Trust approach is based on the presumption that user identities, or the network itself, may already have been compromised. Therefore, it employs artificial intelligence and analytics to continuously validate connections between resources, data, and users. At the end of 2021, IBM examined the impact of Zero Trust security strategies for the first time.
The report showed that breaches occurring at organizations without a Zero Trust approach cost, on average, $5.04 million. Organizations at a mature stage of deployment of Zero Trust had an average cost of $3.28 million per breach. Despite the whopping $1.7 million cost difference, or 42%, approximately 65% of respondents admitted they still don't use a Zero Trust approach, and only 35% of respondents said they had partially or fully deployed this strategy.
22. The average cost of a breach in a hybrid cloud environment is $3.61m
IBM compared data breach costs in hybrid cloud environments versus the cost of data breaches in less modernized cloud structures. The former lost an average of $1.19 million less than the latter. In other words, companies in the middle of a large-scale cloud migration experienced breach costs that were 28.3% higher than those in earlier stages of cloud modernization. In addition, companies that had completed their cloud migration could identify and contain breaches a whopping 77 days earlier than those that hadn't.
23. Organized crime groups are responsible for up to 80% of breaches
The Verizon report also gave us insight into which groups or individuals are the most prevalent attackers – approximately 78% of total breaches involved external organized crime groups. Less than 2% of breaches involved other outsiders, while internal actors accounted for 20% of breaches, mostly due to abuse of privileges and mishandling of data. Less surprising, however, is the finding that financial motives are behind over 70% of data breaches.
24. Almost two-thirds of organizations leave over 20 million files unprotected
The 2021 Varonis Financial Services Data Risk report examined the number of sensitive files available to anyone within a given organization. The research found that within 65% of financial services companies, all employees have access to 15% of sensitive files. Sensitive files include those containing credit card details, health records, or regulated information such as that subject to GDPR, PCI, or HIPAA.
A concerning number of folders (around 13%) are also left unsecured for anyone to access. To convert this into numbers, the average employee can see 11 million company files – or 20 million if it's a large organization. This analysis included financial services such as banks, investment companies, and insurance firms.
25. Remote work caused a $1.07 cost difference in data breaches
Remote work and the ongoing digital transformation of our lifestyles has further increased the financial consequences of data breaches. In 2021, it was determined that breaches involving remote work cost, on average, around $1.07 more than breaches where remote work wasn't a factor.
Organizations with more than 50% of their staff working remotely also took longer to identify and contain breaches – 58 days, on average. A shocking number of organizations failed to implement necessary precautions and provide training during the office-to-home transition. These measures were omitted in order to save money, however, they ultimately led to an increased number of data breaches and incurred additional costs.
26. Average total cost of a data breach is the highest in the health industry
The health industry was most severely impacted by data breaches for the eleventh consecutive year. Within the industry, the average total cost of a breach inflated from $7.13 million in 2020 to $9.23 million in 2021 – marking a 29.5% increase. The energy sector slipped from second to fifth place in the rankings of the most expensive data breaches per industry. The average total cost of a breach in the energy sector sat at $6.39 million in 2020 before dropping to $4.65 million in 2021 (a 27% decrease).
27. Almost 8,000 websites per quarter become victims of formjacking
Symantec Threat Landscape Trends showed that, on average, 7,836 websites were compromised through formjacking in Q1 of 2020. A year earlier, Symantec's Internet Security Threat Report revealed that formjacking attacks compromised approximately 4,800 websites each month.
28. In 2021, the number of data breaches increased by 68% compared to 2020
The Identity Theft Resource Center (ITRC) shared its key findings concerning data breaches in 2021, based on the analysis of publicly-available breach disclosures. According to the report, the number of data compromises jumped from 1,108 in 2020 to 1,862 in 2021 – or by 68% within a year. Luckily, the number of individual victims dropped by approximately 5%.
29. The greatest number of data breaches occurred in Q4 of 2021
The same Identity Theft Resource Center (ITRC) report revealed that the majority of cyberattacks in 2021 occurred in the last quarter (Q4) of the year. The number of breaches exceeded 500, affecting 30 million victims in the United States. In Q3, whilst there were significantly fewer breaches (389), the number of total victims was higher – sitting at 64 million.
30. The average cost of a data breach in the US is above $9 million
The IBM 2021 Cost of a Data Breach Report showed record costs incurred by data breaches within US organizations. Data breaches are more expensive in the US than anywhere else in the world – and the country has claimed the top spot in the rankings for eleven consecutive years, with the average cost of a data breach sitting at $9.05 million. Next in line are the countries of the Middle East, as well as Canada and Japan.
The US experienced a rise in the average total cost per breach between 2020 and 2021 – from $8.64 million to $9.05 million. At the same time, in the Middle East, costs increased from $6.52 million to $6.93 million, and in Canada from $4.50 million to $5.40 million.
31. American Express card details sell for $35 in the shadow economy
Did you know that the Dark Web Price Index is a thing nowadays? This means that there are now websites that can tell you how much your personal information is worth, with price lists available for anyone to see.
These lists claim that a copy of a credit card with a PIN sells for $15-$35 – and that American Express details fetch the highest prices. In addition, stolen banking credentials for accounts holding over $2,000 sell for around $140.
32. Gmail account credentials are worth $80 on average
Stolen Gmail credentials are highly sought after by cybercriminals – and this makes sense when you consider how many people link their Gmail accounts with social media platforms and more. A threat actor could, feasibly, use a person's Gmail credentials to gain access to several other accounts.
Reporting data breaches
Sometimes months or even years pass between a breach occurring and it being made public knowledge. In the meantime, however, your sensitive data is vulnerable, and at risk of being abused at any moment.
This represents a huge security threat. Those who are unaware of the breaches affecting them won't do anything to mitigate the potential damages. After all, we're less likely to change our passwords if we don't think they're in danger of being cracked.
We've seen how far-reaching the consequences of a smeared reputation can be, and how much money they can cost a business – regularly bringing them to the brink of bankruptcy. However, we do not think trying to conceal a breach is ever justifiable.
In 2017, it was discovered that Uber had suffered a data breach a year earlier, which affected over 57 million customers. And, in October 2018, Google admitted to a three-year-long data breach, involving half a million users, which was discovered in March 2018 but kept secret for seven months.
As a response to these illegal practices, many countries have hired law firms to regulate the actions of organizations in case a breach occurs – these firms will report the breach, notify customers, and handle storage of the compromised information. Canada made changes to the PIPEDA Act in late 2018, too, outlining the exact actions companies must carry out in the aftermath of a breach, and Alabama finally enacted the State Data Breach Law (the last US state to do so).
How can I protect myself from data breaches?
Once we choose a bank, register with an agency, or subscribe to a service, we tend to rely on their security system and data protection measures to keep our information safe. However, in today's world, this is no longer good enough.
Cyberthreats evolve and multiply and more vulnerabilities are revealed each day, so it's clear that we each have a part to play in mitigating the risks. Luckily, there are proven measures we can take to reduce the likelihood of suffering a data breach.
Keep your devices and software up to date
Updating your devices won't stop each and every cyberattack, but it can protect you from some of them. Many cyberattacks are successful thanks to system vulnerabilities that could've been patched out by the latest system updates. No software is perfect, but updates are there to make them better and safer in the long run.
Make sure you apply updates regularly – we can't stress enough the importance of keeping your OS and apps up to date.
Build up your defenses
Once they're updated, it's time to build up the defenses on your devices. For a start, consider investing in one of the best antivirus apps out there. But don't worry, strong antivirus protection doesn't have to cost an arm and a leg. There are plenty of reliable services on the market that are reasonably priced and more than up to the task.
Next, you should also:
- Use only strong, unique passwords – the best passwords contain random combinations of letters, numbers, and symbols. Never use the same password for different accounts, either. This is because if one of these accounts gets hacked, the other ones are immediately at risk, too – a threat known as credential stuffing. Users should take particular care with Gmail accounts that are linked with other platforms and services. If you have difficulty creating/managing complex passwords, try any of our recommended password managers – they are secure, reliable, and make your life much easier.
- Use Two-Factor Authentication (2FA) – if you aren't already, consider using 2FA or Two-Step Verification (2SV), at least for the most sensitive of apps – such as your health, banking, or work-related apps. This way, even if a criminal seizes some of your credentials, 2FA or 2SV could stop them from accessing your accounts and inflicting major damage.
- Install a Virtual Private Network (VPN) – a good VPN will encrypt your online traffic and change your IP address, making your online activities much more private and secure. This way, your data becomes almost inaccessible to hackers and other snoopers, even when connected to unprotected (public) Wi-Fi. Same as an antivirus, a good VPN doesn't have to cost a fortune, and you can always go with one of the best cheap VPNs.
Don't share your credentials with anybody
As well as ensuring your passwords aren't weak, predictable, or re-used, they should also be treated with the utmost secrecy. Your passwords are yours, and not even your parents, siblings, or best friends should know them. As honest and noble as their intentions are, they are also just human beings prone to making mistakes and are susceptible to cyberattacks.
Some say pen and paper are your best friends, but with passwords, this isn't the case – everything written on paper is in danger of being lost or stolen. If you can remember them, that's a much safer option, and if not, we recommend the use of a password manager.
Stay alert and adhere to warnings
Financial institutions and payment platforms are usually well-organized and protected, but they're not almighty. They won't always be able to catch the little things that could go awry with your account.
Check your mailboxes, statements, and credit report regularly to make sure there haven't been any recent breaches or sudden suspicious changes. Don't forget to check loyalty and reward accounts as well – we tend to forget these, but criminals can abuse them in so many ways.
If you receive a data breach notification from your bank (or other organization) – act immediately. The same goes for whenever you hear about a breach in the news. Find out what information may have been at risk, and act accordingly (for example, if your credit card number has been compromised, replace the card immediately). Also, change any affected passwords right away.
Watch out for phishing emails
Keep in mind that phishing emails are constantly on the rise, and can be very dangerous. Although we have to stay alert for breach notifications, remember also that not all of them are genuine.
Fraudsters love using your fear against you. They'll send phishing emails urging you to reset a password that has "leaked", providing you with a quick access link to do so, which, in reality, is fraudulent and designed to steal your login credentials or account information.
Phishing red flags
If you get a password-reset, or similar, email or SMS, check for common signs of phishing, such as misspellings or poor grammar. Never open embedded links, even if the email urges you to do so – instead, go directly to the official company website and change your password from there.
If in doubt, call your bank (or the service provider in question) directly and discuss the content of the email you've received.
Use only secure websites
Nowadays there is a plethora of insecure websites that can abuse your data or share it with third parties. Even sticking to secure websites (whose addresses begin with https://) isn't a guarantee of safety. Still, it's much less dangerous than using insecure alternatives (those using http://). Beware of "good deals", "limited time only offers" and similar sales pitches from these websites! Don't risk sharing your payment info with a company that isn't going to safeguard it, or worse yet, is just going to abuse your data.
Have you been pwned?
Did you know that you can check 'Have I Been Pwned?' easily and entirely for free? All you need to do is sign up, and you'll get a notification advising you if your email address has been involved in any sort of data breach. To keep tabs on all the email addresses you own, sign up separately for each of them.