Nobody’s safe from data breaches. There have been incidents in every sector from government agencies and financial institutions to little mom-and-pop stores.
However, staying updated is challenging when the technology keeps evolving and criminals become increasingly sophisticated.
That’s why we’ve compiled a list of the essential data breach statistics, facts, and trends to help you stay informed.
Top Data Breach Stats
Here are the most revealing data breach statistics we uncovered during our research:
- There were 6.4 million data breaches in quarter one of 2023.
- People are actively involved in 74% of data breaches.
- Money is the primary motive behind 95% of cyber attacks.
- The average cost of a data breach in 2023 is $4.45 million.
- Stolen credentials are the top cause of intentional data breaches.
Current State of Data Breaches
Data breaches have never been more relevant. Our most sensitive information is available online including our personal information, banking details, and health records.
All this could become open to the public with a few keystrokes.
These statistics show you the scope of the cyber security issue plus the different types of threats and what causes them.
Over 6 million data sets were compromised in the first quarter of 2023. (Statista)
While this number seems high, the record was 125 million data sets exposed in the final quarter of 2020.
The average cost of a data breach has increased from $3.62 million in 2017 to $4.45 million in 2023. (IBM)
As the world goes digital, so do the criminals. Moving online has given hackers more remote access points into worldwide servers which elevates the risk and potential impact of breaches.
95% of cyber attacks are motivated by financial gain. (Verizon)
Hackers might infiltrate a system for a number of reasons including espionage, revenge, and disruption.
However, the overwhelming majority of attacks are for money.
Personal data is the most frequently compromised type of information. (Statista)
That includes identification, contact details, and account credentials. Poor IT governance is often to blame—around nine out of ten user errors lead to personal data getting compromised.
The most common cause of intentional data breaches is stolen credentials. (Verizon)
Almost half of data breaches are due to hackers stealing account details. That’s followed by ransomware which has become increasingly prevalent over the past five years.
“Firewalls, EDRs, and anti-virus solutions are no longer enough to keep businesses safe. The easiest way for a malicious user to gain access to your network is by leveraging a leaked or stolen password and simply logging in.
To make matters worse, Multi-Factor Authentication and Passwordless apps can be bypassed as well with infostealer malware. Attackers simply use leaked session tokens to completely bypass the authentication. Given that most infostealer malware is not detected by antivirus, it’s clearly one of the biggest threats to the enterprise today.”
Josh Amisav, founder and CEO of Breachsense
74% of data breaches have a human element. (Verizon)
People are often actively involved in security issues whether that’s through credential misuse, scams, or errors.
19% of data breaches involve an internal user. (Verizon)
Around 5% of breaches stem from people both inside and outside a company.
They could be collaborating or an employee could leave a device unattended near an opportunistic hacker.
Web applications are the most popular way to breach a system. (Verizon)
Hackers gain access via web apps in almost two-thirds of cases. Emails are in second place, providing the way in for around a third of data breaches.
A massive 82% of data breaches involve Cloud technology. (IBM)
An increasing number of people use the Cloud for centralized data storage.
As hackers can gain remote access to these networks, reducing the risk of getting caught, they’ve become a popular target.
Global Data Breach Statistics
While statistics suggest the risk of data breaches is high, it’s essential to account for differences between regions.
Here’s a look at how the countries stack up:
Russia has the highest rate of data breaches with over eight incidents per 10 users. (SurfShark)
France is in second place with a rate of three out of 10 users compromised.
The worst-hit continent is Europe with one in five people experiencing data breaches.
Kosovo has the lowest rate of data breaches in Europe at just 7 out of 100 people. (SurfShark)
Other countries with similarly low rates are Greenland, Bhutan, and French Guiana.
The top five countries (Russia, USA, Poland, France, and India) make up 70% of all data breaches. (SurfShark)
However, many countries are experiencing spikes in security issues.
Poland only just entered the top five in 2022 due to a surge of phishing attacks.
86% of business leaders predict political instability will lead to a “catastrophic” cyber event within the next two years. (WEF)
In response, they plan to tighten their business policies, monitor third parties more closely, and reconsider which countries they work alongside.
Business Data Breach Statistics
The stakes are high for companies when a single data leak could expose millions of customers’ details.
Here we’ll look at the size and scope of cyber threats to organizations and how business leaders respond.
51% of companies say “cyber security is a key business enabler”. (WEF)
In response to cyber threats, organizations have begun to recognize the strategic importance of data protection and security.
Only one in three organizations detect data breaches using their own resources. (IBM)
In 67% of cases, companies only discover security issues through third parties like users, ethical hackers, and the cybercriminals themselves.
Data breaches take an average of 204 days to identify and a further 73 to contain.
Businesses take 20 days longer to resolve security issues than they did in 2017 as cyber threats become more sophisticated and harder to detect.
Around a third of companies don’t involve law enforcement after data breaches—and cost themselves an extra 9.6% per incident. (IBM)
Organizations that don’t report security issues also find breaches take 33 days longer to resolve than those that do.
Although the most common motive for privilege abuse is financial, 13% of employees leak data because of a grudge against their company. (Verizon)
A further 5% peek into business accounts to discover secrets they can sell to competitors.
Confidential information like this could help rivals gain an edge or undercut their victim’s strategies.
90% of major energy suppliers have experienced a third-party data breach in 2023. (SecurityScorecard)
Our reliance on the energy sector has made it a high-value target for criminals.
Experts believe supply chains are the weak link given 92% of leading companies have also encountered a fourth-party data breach.
Costs from healthcare data breaches have risen by 53.3% since 2020. (IBM)
As more medical records get stored online, average losses have reached $10.93 million.
You may think of hospitals but breaches can also occur at research facilities, healthcare suppliers, and insurance firms.
Financial Data Breach Statistics
Financial data poses a significant risk, given the sensitive nature of the information involved and the central role of banks in global economies.
That’s why we’ve dedicated a separate section to this industry and its unique cybersecurity challenges.
The finance sector has the second highest data breach costs after healthcare at $5.9 million. (IBM)
Due to strict regulations, financial institutions are subject to harsh penalties for mishandling customer information.
Banking details aren’t the most common type of compromised data in the financial and insurance industry. (Statista)
Financial data only gets leaked in 21% of security incidents. Breaches at banks, investment firms, and insurance companies are more likely to expose your personal details and user credentials.
The majority of hackers exploit vulnerabilities in web apps to seize cryptocurrency. (Verizon)
Over 90% of data breaches related to cryptocurrency occur on web apps.
Users can avoid theft by using complex passwords, enabling multi-factor authentication, and using private networks to make transfers.
Data Breach Victims
Data breaches can have a far-reaching and deep impact, especially when they’re intentional.
Here we’ll focus on the extent of the issue and the individual cost to victims.
There were over 422 million victims of data breaches in the US in 2022. (ITRC)
This number is over 25% higher than in 2020 and 2021. Interestingly, the victim count was in the billions which suggests cybersecurity improved after governments introduced new data laws in 2018.
The personal cost of data breaches can be high—credit card fraud has an average loss of around $11,000 and affects 23,000 people per year. (SurfShark)
Identity theft has more cases per year at 28,00 with a mean cost of $6,776. A staggering 300 million users fall victim to phishing each year, but the average payoff for criminals is just $173.
At 34%, 2022 was the year with the lowest number of breach notices that included both victim and attack details. (ITRC)
This figure means the majority of individuals and businesses affected by breaches don’t have the information they need to address data compromises.
“The trend away from transparency also points out the overall inadequacy of the current patchwork quilt of state data breach notification laws, many of which now date back to 2005 when virtually all breaches involved paper records, lost or stolen laptops, or data tapes lost in transit.”
Eva Velasquez, CEO of the Identity Theft Resource Center
The most frequently compromised types of personal data are full names and social security numbers. (ITRC)
With these details, a hacker can open fraudulent accounts and apply for loans.
That’s why it’s essential for businesses to monitor accounts for unusual activity and ask users to verify their identity.
The biggest ever data breach was Yahoo with over 3 million compromised accounts. (CNBC)
Despite occurring back in 2013, the attack on Yahoo still has the highest victim count.
The security issue affected every user account in their system.
Comparing Different Types of Data Breaches
When we talk about a data breach, we mean any lost, damaged, or exposed information.
That means there’s a wide range of reasons why compromises happen from organized cyber criminal groups to someone leaving their smartphone at a cafe.
System intrusion is the most common way hackers gain unauthorized access to networks. (Verizon)
Using software to exploit weak spots in a system has taken the top spot since 2021.
Before then, social engineering was the most popular way to hack into a system.
Phishing scams account for 44% of social engineering. (Verizon)
In phishing attacks, cybercriminals trick users into downloading an attachment or following a link.
These files usually contain malware that collects or damages data.
The rate of pretexting scams has quadrupled since 2017. (Verizon)
As the name suggests, “pretexting” is when the hacker pretends to be someone the victim knows and asks them for their credentials.
That’s why it’s become popular for companies to post disclaimers saying they’ll never ask for your details.
Misdelivery makes up 43% of data breaches caused by human error.
Now that most communication has moved online, it’s easy to accidentally send a message to the wrong recipient.
You might ‘cc’ them into a thread or input the wrong name into the email address field.
Compromised devices are around five times more likely to be misplaced than stolen.
Hackers can gain entry to networks from open user accounts on smartphones and laptops but they’re usually crimes of opportunity.
Experts predict ransomware will cost the world 265 billion by 2031. (Cyber Security Ventures)
The average loss of an attack is already $10 million. Due to criminals refining their technology, experts believe ransomware will hit a company every 2 seconds by the 2030s.
Data Breach Laws and Regulations
With the introduction of stringent laws, the state of data security and protection has transformed. Let’s look at the impact of these regulations:
Over 90% of organizations are unprepared to meet GDPR and CCPA guidelines. (CYTRIO)
This startling fact applies to businesses of all sizes, not just small teams with few legal resources.
Businesses operating in the EU can receive fines of up to €20 million ($21.5 million) or 4% of their global revenue for violating GDPR guidelines. (GDPR)
The GDPR is relatively new and only just celebrated its fifth anniversary in 2023.
However, the EU legislation is already the standard for many other data protection laws worldwide.
The largest ever fine for a data breach was $1.1 billion. (Statista)
Vehicle-for-hire company, Didi Global, settled for this amount in 2022 after allegedly collecting millions of pieces of passenger data including screenshots, locations, and facial recognition information.
Amazon comes in second place with an $877 million fine for security incidents in 2021. (Statista)
The EU found the retail giant had breached GDPR guidelines by using account holders’ information for marketing purposes.
An Amazon spokesperson said, “There has been no data breach, and no customer data has been exposed to any third party.”
Around three in four organizations say that cyber and privacy regulations help them effectively reduce risks. (WEF)
Only 3% strongly disagree that they benefit from legislation surrounding data protection and security like the GDPR.
What Journalists Are Reporting About Data Breaches
Now that data breaches are becoming more common, there’s growing concern about how well companies guard sensitive information.
That’s why significant security issues like the ones below often make the news.
23andMe announced that hackers had gained access to over 6.9 million profiles by using old passwords. (The New York Times)
Besides personal data, the genetic testing service holds information about users’ health and ancestry.
A spokesperson said 23andMe was notifying all account holders and asking them to change their login credentials.
Even cybersecurity providers aren’t safe—authentication service, Okta, encountered a hack that caused their shares to drop by 7%. (CNBC)
Okta is a leading identity management solution that helps businesses verify users as they log into a system.
Hackers entered their customer system to gain access to credentials.
TikTok received a €345 million ($371 million) fine for making children’s accounts public by default. (The Guardian)
There are different expectations of privacy for minors. The Irish Data Protection Commission (DPC) ruled that TikTok hadn’t included sufficient checks for parental controls or guided underage users to make their accounts private.
Trends in Data Breaches and Cyber Security
So far we’ve covered recent trends and statistics in data breaches. In this section, we’ll look at upcoming trends and experts’ predictions for the next ten years.
51% of businesses are planning to invest more into cybersecurity due to a breach. (IBM)
Investing in AI and automation security software solutions could save organizations up to $1.76 million per year.
Business leaders say increasing employee awareness is the most effective way to strengthen their cybersecurity. (WEF)
However, experts disagree—they say investing in cloud-based services and integrating technology into all areas of the organization should take priority.
Companies that invest in security will reduce data breaches by two-thirds. (Gartner)
There is a constant risk of cyber attacks but organizations that continually improve their threat management will deflect most hackers by 2026.
“Geopolitical instability, rapidly maturing and emerging technologies, lack of available talent, and increasing shareholder and regulatory expectations represent some of the significant challenges that concern cyber and business leaders.
The outlook, however, need not seem bleak. There’s hope for better understanding – and more effective action – in the future.”
Jeremy Jurgens, Managing Director of World Economic Forum
No matter what industry you work in, it’s important to consider the role of data protection.
Breaches can affect everyone from large organizations and governments down to individual people.
As the world recognizes and adapts to the new risks, we’re moving from a reactive to a forward-thinking approach.
We think 2024 will be a year when companies continue to invest in cybersecurity and robust data security becomes standard, rather than an afterthought.