DataProt is supported by its audience. When you buy through links on our site, we may earn a commission. This, however, does not influence the evaluations in our reviews. Learn More.
Data breaches are flooding the news. From large hotels and banks to universities and voters’ lists, it seems none of our personal information is as safe as we’d hope. So, how do breaches happen? What kind of information is compromised? Whose fault is it? And what are the ramifications of such events?
If, after reading bombastic data spill headlines, you’re left with a host of questions, we have answers for you. We’ve compiled a list of the latest stats and facts about this omnipresent digital danger.
Key Data Breach Statistics
- 68 records are lost or stolen every second.
- The average time to identify a data breach inside an organization is 206 days.
- The average cost of a data breach is $3.92 million.
- $150 is the average cost per lost or stolen record.
- 21% of all folders in a typical company are open to everyone.
- Small businesses are the victims of 43% of data breaches.
- Malicious or criminal attacks are the leading cause of data breaches, accounting for 51% of incidents.
Data Breach Today
On average, there were more than 20 data breach reports each day in the first six months of 2019.
If you feel like you hear about yet another data leak in the news every day, you’re not wrong. As the amount of data we collect and process with our devices grows exponentially, so does the number of security breaches and cyber attacks. In fact, there are so many occurring that the news can only cover a fraction of them. According to data breach statistics for 2019, the first half of the year has brought 21 new breaches every day.
3,813 breaches were reported in the first half of 2019, affecting more than 4.1 billion records.
(Risk Based Security)
Putting the previous stat into perspective, by June 30 a total of 3,813 data breaches had been reported. Collectively, these breaches exposed a whopping number of records – more than 4.1 billion in total. When we compare this to 2018 data breaches, the situation is getting worse. The 2018 midyear report showed 2,308 breaches that compromised 2.6 billion records.
68 records are lost or stolen every second.
Some of these data records are lost as a consequence of human error inside a company. Others are compromised due to the growing number of cyber attacks per day. The size of the organization doesn’t seem to play a role – both small and large businesses, as well as governmental bodies, lose or get their data stolen. Even though these incidents are becoming commonplace, there are many things you can do to protect your information.
Just eight of those 3,813 breaches that occurred in the first six months of the year exposed a combined total of more than 3.2 billion records.
(Risk Based Security)
While data compromise is becoming more and more frequent, not all incidents are massive. According to Risk Based Security’s 2019 midyear data breach report, only eight big data breaches accounted for 78.6% of all the records exposed from the start of the year through June 30. This shows that cybersecurity threats are more pressing for large corporations that handle huge swathes of data.
The average time it takes to identify a data breach inside an organization is 206 days.
IBM’s annual Cost of Data Breach Study, which included 500 companies in 13 countries, indicates that the average time to discover a breach has increased by nine days since 2018. Such data breach trends can be attributed to the growing number of IoT devices, widespread use of mobile platforms, increased migration to the cloud, and compliance failures.
There were more than 1,300 data leaks that exposed email addresses and passwords in the first six months of 2019.
(Risk Based Security)
When we look at the data breaches list compiled by Risk Based Security, a global provider of vulnerability intelligence, and analyze the type of data that was breached, we can see that this is typically information users can easily change. During 70% of these leaks, victims’ email addresses were revealed. Passwords were the next most-commonly compromised types of data; in 64% of breaches, victims’ passwords got leaked. Luckily, data you cannot modify – like your Social Security number and date of birth – was revealed in only 11% and 8% of incidents respectively.
137 breaches that happened in the first half of 2019 exposed sensitive information pertaining to third parties.
(Risk Based Security)
No matter how diligently one party might work on keeping data safe within its organization, there’s still always a data breach risk. As the latest data breaches statistics show, 3.6% of recent incidents in organizations worldwide involved information that belonged to their associates.
The average cost of a data breach is $3.92 million.
The most recent IBM study reveals that the costs of violated data security are ever-growing. A company that falls victim to a cyberattack, or one that leaks confidential information due to its employees’ human error, stands to lose $3.92 million on average. Last year, the average cost was $60,000 lower, at $3.86 million.
$150 is the average cost per lost or stolen record.
The same source shows that the cost per record in a data breach is around $150, since 25,575 records get affected on average during a breach. These costs are usually distributed over the course of three years. The majority of costs (67%) are born in the first year, while the rest are paid in the second (22%) and third year (11%) following a breach.
Small businesses are the victims of 43% of data breaches.
Small business owners have so much on their plate that they often overlook cybersecurity. Unlike large corporations that have extensive resources and knowledge, small companies are not so vigilant about the safety of their data. Nonetheless, they collect sensitive information that has value on the black market. Hackers are well aware of this fact, according to the most recent data breach statistics. Knowing that SMEs have limited defenses against a security breach, cybercriminals target these companies almost half of the time.
14,717,618,286 data records have been lost or stolen since 2013.
According to the Gemalto breach level index, a tremendous number of records have been snatched in cyber security attacks over the years. The recent history of data breaches tells the tale of nearly 15 billion records compromised in the past six years. This information is used by cybercriminals for a number of illegal activities, like fraudulent tax applications, unauthorized money transfers, and loan applications.
54% of the data companies hold is outdated.
If these scary facts have you worried about the type and quantity of information you have shared with numerous companies and organizations, you should know there is a silver lining. More than half of the information stored by the typical company is stale. People change their phone numbers, addresses, emails, and even bank account numbers fairly regularly. So, even if a hacker gets his hands on your data, the chances are it’s not that useful.
A Short History of Major Data Breaches
The first data breach to affect more than 1 million records happened in 2005.
This was the year when large-scale cybersecurity incidents first started making headlines. It was DSW Shoe Warehouse that unintentionally revealed 1.4 million credit card numbers and the names associated with those accounts. Other then-unprecedented data breach examples include the first breach to affect a college and the first big credit card information breach. The former arose at George Mason University, where the names, pictures, and Social Security numbers of 32,000 students and employees were leaked. The latter targeted the payment card processor CardSystems Solutions. On that occasion, hackers exposed approximately 40 million credit card accounts, almost running the company out of business.
The personal information of 6.5 million US voters was exposed in the Georgia Secretary of State breach in 2015.
Thankfully, government data breaches are less common than corporate breaches. However, when they do occur, they tend to reveal sensitive data about US citizens. This was the case in one of the biggest state government breaches to date, which took place in Georgia. The Social Security numbers, birth dates, and driver’s license numbers of 6.5 million voters from the state were leaked in an accident that was blamed on a single system programmer.
The largest data breach in history was the Yahoo! breach of 3 billion user accounts.
(The New York Times)
The as-yet unmatched breach of Yahoo! servers took place in August 2013, but it was only made public three years later. It was initially believed the breach had compromised the data of 1 billion users. However, it was soon determined that anyone with a Yahoo! account was affected. Hackers who accessed the servers of this search engine company got access to users’ names, telephone numbers, email addresses, and dates of birth. According to data loss statistics, even encrypted and unencrypted security questions and answers were hacked.
The personal information of more than 198 million US voters was shared online by a marketing firm called GOP in 2017.
Despite a large number of data breaches in 2017, this one stood out as the largest political data exposure. GOP, a marketing company hired by the Republican National Committee, shared internal documents on a publicly accessible Amazon server. On that occasion, sensitive information like the names, birth dates, voter registration details, and social media posts of 61% of the U.S. population got leaked.
The data of 500 million customers was breached in the Marriott leak in November 2018.
A recent data breach from 2018 affected 500 million guests of the Marriott International chain of hotels. The system was infiltrated by hackers back in 2014, when it was operated by Starwood Hotels and Resorts. However, the cybercriminals’ illegal activity wasn’t discovered until September 2018. In the meantime, Marriott International had acquired Starwood Hotels and Resorts. During those four years, hackers had access to guests’ names, contact details, and other information that, in most cases, couldn’t cause much harm, such as their preferred rooms in the hotel. However, these criminals also gained access to the passport numbers and credit card information of some guests, making them easy targets for identity theft.
885 million title insurance records were exposed in the First American Financial Corp. data breach in 2019.
One of the biggest data breaches of all time was discovered this year by security researcher and blogger Brian Krebs. The real estate title insurance company stored sensitive customer data on its website. Without any protection – not even a password – anyone who knew where to look could have accessed bank account numbers, photos of driver’s licenses, Social Security numbers, bank statements, mortgage records, tax documents, and wire transfer receipts dating back to 2003. Information on hundreds of millions of Americans had sat unprotected on the company’s website for years. It’s still unclear who gained access to the information during that time.
Recent Security Breaches
540 million records were exposed in the 2019 Facebook data leak.
Facebook has been linked with one social media breach after another, ever since it was launched. The greatest user privacy abuse of this year was reported in January, when it was discovered that the social media giant was leaking sensitive information on publicly accessible cloud storage. Amazon S3 Bucket contained 146 gigabytes of data like Facebook IDs, passwords, Facebook friends, music, movies, books, photos, events, and check-ins. These records are a gold mine for hackers planning phishing scams and social engineering attacks.
A cyberattack on the Alaska Department of Health and Social Services affected the data of approximately 700,000 people.
(Bank Info Security)
According to healthcare data breaches statistics, in April 2018, the Alaska Department of Health and Social Services suffered a malicious attack that infected it with a Zeus/Zbot Trojan virus. What was originally thought to be an incident affecting 500 individuals turned out to be a massive breach. The attacker gained access to names, Social Security numbers, dates of birth, addresses, health information, and income data about some 700,000 citizens who had applied for government programs.
With 22 million records leaked, the American Medical Collection Agency (AMCA) data breach was the biggest breach to affect third parties this year.
(Risk Based Security)
Among the latest security breaches, we have an example of how third parties’ data can be affected when their associates take a hit. AMAC, an industry leader specializing in collection for medical labs, was hacked between August 2018 and March 2019, leaking information belonging to labs that had hired the agency to collect medical bills on their behalf. Even though the AMAC billing page was hacked, information belonging to 12 million Quest Diagnostics and 7 million LabCorp customers were compromised due to this data theft.
Most Common Causes of Data Breaches
In 2017, nearly 60% of cyber attacks in healthcare involved ransomware.
Recent cyber attacks in healthcare have predominantly been ransomware attacks. In 2017, almost 60% of attacks in this industry were conducted by hackers who would cut off an organization’s access to its own data, requesting a fee in exchange for regaining control. The public and business sector are other frequent targets for ransomware attacks because they have the means to pay high ransoms fairly quickly. What they can’t afford is to have a system breach go on for too long.
In 17% of cases, phishing emails were hackers’ way into organizations last year.
Computer crime statistics presented by Security Metrics emphasize the importance of employee training on cybersecurity. Almost a fifth of organizations that were breached by cyber attackers last year fell victim to phishing. This popular form of social hacking entails sending emails to the staff of an organization urging them to change their password because their account has been compromised. When an uninformed employee falls for this trick, they give attackers their credentials. With this information, the hackers have unfettered access to the company’s system.
There are 967.7 million active malware programs in 2019.
Independent IT security institute AV-TEST registers over 350,000 new malware and potentially unwanted applications (PUA) every day. According to malware statistics, to date, hackers have come up with nearly 1 billion of these programs designed to disrupt, damage, or give unauthorized access to a computer system.
57% of organizations that were breached in 2018 had firewalls in place when they were infiltrated.
Business owners who don’t take security seriously enough believe that installing a firewall will keep their organization protected from malicious intruders. Unfortunately, they still face cybersecurity threats even after setting up a firewall. The majority of security breaches from 2018 occurred despite this defensive measure. Additional layers of protection are required to keep an organization’s data safe, like limited access to critical data, regular software and password updates, and ongoing safety training.
69% of the cyberattacks that took place in 2019 were committed by outsiders.
The 12th annual Verizon Data Breach Investigations Report was based on 41,686 security incidents and 2,013 data breaches that happened in 86 countries around the world. Both public and private entities provided the information for this report. Cyberattack statistics drawn from that data reveal that nearly seven in 10 attacks are committed by an outside player.
Malicious or criminal attacks are the leading cause of data breaches, accounting for 51% of incidents.
Cyberattacks come in many forms: viruses, spyware, ransomware, malware, adware, and social engineering to name a few. And hackers are getting more and more creative by the day. So it comes as no surprise that a breach of security inside an organization is most commonly driven by such attacks. IBM’s latest data breach statistics show that 51% of breaches that happened between July 2018 and April 2019 happened due to malicious attacks.
25% of data breaches involve system glitches and 24% are due to negligent employees or contractors.
The same study conducted by IBM suggests that the remainder of cyber security threats are internal. Human error data breach statistics show that untrained or reckless staff are behind 24% of security incidents, while system glitches or inadvertent equipment failures account for the remaining 25% of breaches. While bugs in the system are out of companies’ control, they could make more of an effort to prevent employees’ mistakes.
In 2018, insider involvement was suspected in around 40% of healthcare data breaches.
A significant number of healthcare data breaches from 2018 were enabled by an employee of the affected organization. More often than not, though, insider involvement was accidental. A lack of understanding of security policies and procedures was how most staff members contributed to a data breach.
The percentage of malicious attacks that caused information breaches in organizations worldwide has gone up by 21% over the past five years.
The most recent of IBM’s data breach reports shows an upward trend when it comes to malicious attacks. In the five-year period between 2014 and 2019, these attempts at gaining unauthorized access to data have spiked by 21%. Another figure that has gone up is the total cost of a data breach. Malicious attacks happen to be the most expensive, with a per-record cost that is 25% higher than that of breaches caused by human error or system glitches.
Misconfigured databases and services exposed over 3.2 billion records in the first six months of 2019.
(Risk Based Security)
As a rule, the recent data breaches in 2019 that have caused the most damage in terms of the number of affected records are those that were caused by human error. Databases that are poorly configured or left unprotected are often exploited by malevolent outsiders. And the effects are detrimental to organizations. In the first half of 2019, just 149 of the 3,813 incidents reported involved 3.2 billion of the 4.1 billion records that have been breached so far.
91% of skimming incidents in Texas so far in 2019 have occurred on gas pumps.
(Risk Based Security)
Being a large state with long distances between metro areas, Texas has found itself at particularly high risk of skimming attacks on gas pumps. According to Risk Based Security’s data breaches 2019, these incidents target gas stations nine times out of 10. If you happen to be driving through the Lone Star State, be extra careful when swiping your card to pay for gas.
75% of 2019 skimming incidents in Florida have happened at gas stations, while the rest have targeted ATMs.
(Risk Based Security)
Skimming has also been the number-one type of data breach in Florida so far this year. To discover a card data breach that is enabled by illegal card readers placed on payment terminals, residents of Florida had to be even more careful than those living in Texas. In the Sunshine State, three-quarters of skimming devices were attached to gas pump terminals, while the rest were found on ATMs.
On average, more than 4,800 unique websites are compromised by formjacking every month.
Many recent credit card breaches involve a new hacking technique called formjacking. This type of attack snags your card information while you’re filling out an online shopping form. Nearly 5,000 websites are targeted each month, regardless of their size. Well-known names like Ticketmaster and British Airways have taken a hit, just like other small and medium-sized eCommerce websites.
The destruction – or at least disruption – of business operations has become the primary goal of almost one in 10 targeted attack groups.
Information security breaches that use malware with the goal of destroying a company are up by 25% this year compared to last year, according to Symantec. This trend might be fueled by binge-watching Mr. Robot. Or, more likely, it’s motivated by the desire to prove one’s hacking abilities. We have no way of knowing, since cybercriminals aren’t big on taking polls.
Misconfigured S3 buckets were responsible for the theft or leakage of 70 million records in 2018.
Many recent data breaches from 2018 were caused by poorly configured Amazon S3 buckets. Due to the proliferation of this affordable and scalable cloud storage solution, more than 70 million records were stolen or leaked over the course of last year. Internal business documents, system passwords, and even sensitive employee information from three Fortune 100 companies – Ford, Netflix, and TD Bank – were affected by this poorly configured cloud storage.
58% of companies have more than 100,000 folders accessible to all employees.
Research conducted by Varonis reveals some alarming results. More than half of the 130 companies surveyed have more than 100,000 folders that every employee can access. Needless to say, this is an information breach waiting to happen. And when it does, it will be very difficult to determine who was behind it.
There are at least 1,000 folders with inconsistent permissions in 57% of companies.
These security statistics are still alarming, even though the number of folders is a lot smaller than in the previous stat. Inconsistent permissions unintentionally deprive users’ access to a folder, which can lead to employees borrowing each other’s credentials. In other cases, such permissions are accidentally granted to employees who don’t need them. Both put companies at risk of losing valuable data.
21% of all folders in a typical company are open to all employees.
Data breach statistics from 2017 point to the recklessness of many companies. According to the same research carried out by Varonis, a data security and analytics company, more than one-fifth of organizations don’t limit access to any of their confidential folders. That means that the new intern and the CEO can access all the same folders. Such unguarded systems are a hacker’s heaven.
Only 20% of Americans change their password as a result of a hack in the news.
With data breaches happening left and right, people are becoming desensitized. Data breach stats by Varonis show that just one in five Americans bother to change their password when they hear of a cyber attack in the news. The most common reason for making password changes is still the inability to remember them; half of respondents to the survey identified forgetting their passwords at the top motivation for changing them.
Data Breach Recovery Statistics
On average, it takes 73 days to contain a data breach.
IBM’s data breach 2019 report shows that the number of days to contain a breach has gone up from 69 to 73, after remaining unchanged for four years. This isn’t much, considering the number of new devices companies have begun using in that period of time. On the other hand, the number of days to identify a breach has seen a more significant change – from 191 days in 2017 to 206 days in 2019. This makes the combined time to identify and contain a breach 279 days. The report draws attention to the fact that breaches with a lifecycle shorter than 200 days cost on average $1.22 million less than the lengthier types of data breaches that go on for more than 200 days.
The formation of an incident response team lowers the total cost of a data breach by an average of $360,000.
Online facts show that it’s a matter of when, not if your company will get affected by a data breach. Since this is the case, it’s better to be prepared. According to IBM, having an incident response team is one of the two most important factors in bringing down the cost of a data breach by $360,000. Data encryption is the other factor that is equally important when breach expenses start to add up.
Having a business continuity plan in place reduces the cost of a data breach by about $280,000.
Cybercrime statistics show that another very important cost-cutting factor is having a business continuity plan. Once again, preparedness for a negative situation helps companies overcome such obstacles. Having a plan of action to follow while recovering from an attack reduces the data breach lifecycle by 82 days, in addition to mitigating the cost of a breach by $280,000.
In the first nine months following the Marriott breach, the hotel chain incurred $72 million in expenses, $71 million of which was covered by its insurance.
One of the largest data breaches of 2018 has dented the reputation of the largest chain of hotels in the world. However, when it comes to financial costs, the Marriott hasn’t been ruined by any stretch. As it turns out, the company had cyber insurance at the time of the breach. The insurance company paid the vast majority of the costs that arose in the first nine months after the incident.
In 2018, the average cost of data breach recovery was $1.17 million.
The total cost of recovering lost data, averaging around $1.17 million, consists of four elements. According to data breaches statistics, the cost of detection is $250,000, whereas the cost of notifying the affected individuals amounts to $20,000. Responding to the threat after it’s discovered costs around $350,000. The cost of lost business is, on average, $550,000.
Averaging $740,000, notification costs for US organizations are higher than those of other surveyed countries.
Notifying affected US users of a security breach in 2018 was a lot more expensive than in the other 12 countries that participated in the research. The creation of contact databases, determination of all regulatory requirements, engagement of outside consultants, cost of postal services, email bounce-backs, and inbound communication set-ups all add up to a total of $740,000. India was the country with the lowest notification costs: only $20,000.
For large corporations, the average cost of a data breach is $204 per employee, while for SMBs it is $3,533 per employee.
Small business data breach statistics show how much more challenging it is for SMBs to recover after a data breach. Not only do large companies have more financial resources and stronger reputations to fall back on, but they also have lower costs per employee.
Data in the Cloud: A New Weak Point
48% of corporate lives on the cloud, making it potentially vulnerable.
Nearly half of all corporate data is now on the cloud. Just three years ago, only 35% of such data was stored in the cloud. As this trend continues, we are likely to see more security breach examples like the ones involving leaky Amazon S3 buckets.
On average, businesses now use 29 cloud apps apiece.
In addition to the rise in the percentage of corporate data being stored in the cloud, there’s also a rise in the number of cloud applications deployed by companies. Two years ago, businesses used an average of 27 cloud-based applications. Today they use 29, data breach statistics by Gemalto show.
Even though 78% of organizations consider it important to retain ownership of encryption keys when data is encrypted in the cloud, only 53% actually control their encryption keys when that takes place.
It appears that privacy breach examples are raising awareness of the need to encrypt the data in the cloud and protect it. However, not many companies are taking action to follow through. Approximately eight in 10 companies are aware that they should hold the encryption keys to their data, while only five in 10 are in possession of their encryption keys.