50 Data Breach Statistics to Help You Run a Safer Enterprise in 2019

by Christo Petrov

Cyber crime affects everyone, whether you run a large organization or you’re just interested in keeping personal information private. As these up-to-date data breach statistics TechJury put together show, the issue of stolen and compromised records is becoming increasingly serious.

Attackers are getting savvier and the average cost of breaches is rising up. We also found that the increasing use of ‘transformative’ technologies like IoT and cloud computing seems to be making companies more vulnerable to data breaches.

Worrisome Data Breach Statistics

  • A total of 4.5 billion records were compromised in H1 2018 alone.
  • The mean time to recover from a data breach can be as high as 70 days.
  • The average mean time to identify a data breach worldwide is 197 days.
  • 76% of organizations worldwide experienced a phishing attack in the past year.
  • 75% companies say a data breach has caused a material disruption to business processes.
  • Global spending on information security will exceed $124B in 2019.
  • A total of six social media breaches accounted for over 56% of total records compromised in H1 2018.
  • 6.4B fake emails are sent worldwide every day.

Before we continue, what is online data breach in the first place? Online data breach refers to an incident where sensitive, proprietary, or confidential information is taken from a system without the knowledge of the system’s owner.

These statistics, of course, are not meant to scare you or discourage you from using the advanced systems that make our work so much more convenient and productive. Our hope is that a wholesome idea of the size of the problem, the key vulnerabilities, and the set of preventive and corrective measures can help you minimize the risks or effects of data breaches. Indeed, it should add to your cyber resilience and your enterprise’s capacity to maintain its core purpose and integrity in the face of digital threats.

Data Breach Statistics 2019

Data breaches are a serious crime. You may not notice it at first, but it could cost you millions.

1. The global average cost per data breach incident rose to $3.86 million in 2018.

(Source: IBM-Ponemon Institute)

That would approximate to more than $3 billion lost in the first half of 2018. Again, while the number of data breaches has come down marginally over the same period a year earlier, the average cost per incident has gone up by 6.4%. This is the actual cost businesses are paying to cyber criminals, and it is going up almost every year.

2. 944 breaches led to 3.3 billion data records being compromised worldwide in H1 2018.

(Source: Gemalto Breach Level Index)

So, how many hacks happen in a day? That’s more than 5 on average in the first six months of 2018, causing more than a staggering 18 million records to be stolen every day! Compared to the same period in 2017, the number of lost, stolen or compromised records increased by 72%, though the total number of breaches slightly decreased over the same period, signaling an increase in the severity of each incident. Of these 944 data thefts, 189 (20%) had an unknown or unaccounted number of compromised data records.

3. 60% of respondents say they have faced a data breach at some point in their history; 30% have experienced at least one within the past year alone.

(Source: Thales)

The extent of the problem becomes clear when you realize how many people have been hacked. In a comprehensive survey of organizations worldwide, 3 out of 5 say that they have experienced this issue at some point. Half of them have done so within the last year. The problem is graver in the US, where the corresponding figures are 65% and 36%.

4. 41,502 data breaches were reported in Europe between May 2018 and January 2019.

(Source: European Data Protection Board)

There is a silver lining to this spurt in incidents, though. Since the General Data Protection Regulation (GDPR) took effect on May 25, 2018, there has been a marked improvement in voluntary reporting of data breaches in Europe. Pre-GDPR, only a few sectors like telecom and banking were obliged to report data breaches. The GDPR has also helped raise the public’s awareness of their rights under data protection law.

5. Global spending on information security will exceed $124B in 2019.

(Source: Gartner)

How much does cyber security cost? A whole lot, it seems. Worldwide spending on information security products and services is supposed to have been over $114 billion in 2018, an increase of 12.4% from 2017. Persisting skills shortages and regulatory changes like the European Union’s (EU)  GDPR are driving continued growth in the security services market. The top three drivers for security spending are (1) Security Risks; (2) Business Needs; and, (3) Industry Changes. Privacy concerns are also becoming a key factor for organizations.

6. Lost business cost is the greatest component of the total cost of a data breach.

(Source: IBM-Ponemon Institute)

Out of the four high-level components of data breach—detection and escalation; notification; ex-post response; lost business cost—data breach statistics indicate that companies attribute about 37.5% to lost business cost. These include activities that attempt to minimize the abnormal loss of customers as a result of a data breach event as well as the cost to acquire new customers following the data breach disclosure. It also includes costs related to business disruption and revenue losses.

7. 75% of companies say a data breach has caused a material disruption to business processes.

(Source: IBM-Ponemon Institute)

Data breaches are serious enough to cause a material disruption to the business processes for at least three-quarters of the companies surveyed. Not all of the cost suffered due to the disruption can be neatly translated into monetary figures.

8. 65% of companies say a data breach has had a negative material impact on reputation.

(Source: IBM-Ponemon Institute)

Data breach trends show that these incidents also have a negative effect on reputation, brand, or marketplace image of companies. In the age of fast-traveling global news and extra-finicky customers, reputation management is a tough ask in normal conditions. Most companies can’t afford their reputation taking a beating because of data breaches. Ask Facebook, which saw a massive drop in share price after the Cambridge Analytica scandal came to public notice in early 2018.

9. The average mean time to identify a data breach worldwide is 197 days.

(Source: IBM-Ponemon Institute)

That’s 197 days of the company’s processes partly or entirely busy dealing with the effects of the breach. In some cases, incident response can take up more than a year, especially when companies do not adopt basic tools like automation and encryption.

10. The highest mean time to identify and contain is in the entertainment industry.

(Source: IBM-Ponemon Institute)

The time to identify and contain varies across industries. While entertainment, health care, and media take the highest time to respond on average as per data breach stats, research, energy, and financial services take the lowest.

11. Geography-wise, the highest mean time to identify occurs in the Middle East; the lowest is in Germany.

(Source: IBM-Ponemon Institute)

Similarly, the average incident response time varies across geographic locations, too. Companies in the Middle East, Brazil, and Turkey seem to take the highest time to identify and contain data breaches, while USA, Canada, UK, South Africa, and Germany are the fastest. The average time in the Middle East is almost twice that of the average time in Germany.

12. The mean time to recover from a data breach can be as high as 70 days.

(Source: IBM-Ponemon Institute)

Once an organization has identified and contained a data breach, there is time that goes into the recovery process as well. Security breach statistics indicate that having a specialized disaster recovery function or team in the organization can bring down the average recovery time by almost one half.

13. The likelihood of a material data breach over the next 24 months has risen to 32.3% in FY2018.

(Source: IBM-Ponemon Institute)

The likelihood of a data breach involving a minimum of 10,000 records has consistently risen over the last five years. The 32.3% figure for FY2018 is a slight increase from 31.6% for FY2017. Interestingly, the larger the data breach an organization suffers once, the less likely it is that it will have another breach in the next 24 months.

14. 65% of IT professionals worldwide say the severity of attacks has increased.

(Source: IBM-Ponemon Institute)

A theme common to many such surveys and studies is that cybercriminals are using the most modern tools to target the security systems of organizations, making it more difficult by the day to counter the attacks. 57% of professionals in the same survey also say that the time to resolve an incident has increased. Plus, the growing use of big data also increases the likelihood of big data security breaches.

15. A total of six social media breaches accounted for over 56% of total records compromised in H1 2018.

(Source: Gemalto Breach Level Index)

Not all data breaches are equally severe though. Some of the biggest ones in recent times have been targeted at social media platforms, including the Cambridge Analytica-Facebook incident. After all, social media sites are the easiest resources for collecting information on millions of customers.

As we will see later, IT professionals feel that this personal user information is of prime interest to cyber criminals. A total of 4.5 billion records were compromized in H1 2018 alone.

16. The most notable compromised social media platform in 2018 was Facebook.

(Source: Identity Theft Resource Center)

Facebook has been the undisputed leader when it comes to social media hack statistics. Among multiple incidents, including the Cambridge Analytica data misuse, one significant breach caused by a coding vulnerability allowed hackers to access tokens for 50 million accounts and view all information in users’ profiles. Google+ was breached twice impacting 53 million users. Quora (impact on 100 million users) and MyFitnessPal (impact on 150 million users) were other well-known platforms breached in 2018.

17. Hospitality company Marriott International had the highest number of reported records exposed in 2018, impacting 383 million people worldwide.

(Source: Identity Theft Resource Center)

Cathay Pacific and Delta in travel, Hudson Bay (5 million shoppers’ payment card information exposed) and Chegg, the online textbook site (40 million users’ profile details exposed) in retail, and UnityPoint Health (health insurance information of 1.4 million patients exposed) in health care were some other notable entries in the list of recent data breaches.

18. Health care accounted for 27% of data breaches in H1 2018, higher than any other sector.

(Source: Gemalto Breach Level Index)

Most sectors saw an increase in the number of incidents compared to the previous half–the exceptions were government, professional services, retail, and technology. Both retail and technology saw an increase in the number of records breached through fewer events. Social media ranks top for number of records breached (76%) due to the high-profile customer data leaks at Facebook and Twitter, involving 2.2 billion and 336 million, respectively.

19. USA is the most popular target for attacks, representing more than 57% of data breaches and 97% of all records stolen.

(Source: Gemalto Breach Level Index)

Security breach statistics show that the number of incidents has come down in the US, though, by 17% compared to H2 2017. With the implementation of the Notifiable Data Breaches law, the number of incidents in Australia increased dramatically from 18 to 308 as could be expected. Europe saw 36% fewer incidents but a 28% increase in the number of records breached, indicating growing severity of attacks. The United Kingdom remains the most breached country in the region. In Asia, the highest number of notified attacks was in India (11).

20. 58% of data breaches in 2017 were with small to medium businesses.

(Source: Verizon, Privacy Rights Clearinghouse)

If you thought that cyber criminals target only huge companies like Facebook and Marriott, small business data breach statistics will surprise you. Small and medium-sized businesses are as much at risk as larger companies. In fact, given that small businesses are less likely to have the resources available to beef up their cybersecurity, many attackers might prefer making money from multiple small targets than that single big one. According to Privacy Rights Clearinghouse, an advocacy group, more than 90% of the breaches they have tracked since 2005 have affected fewer than 100,000 customers in on go.

21. Only 53% of organizations share information on data breaches and incident response with government and industry peers.

(Source: IBM-Ponemon Institute)

This means that despite tracking of cyberattacks by independent parties, there might be many incidents that just go unreported.

Organizations that do share data say that apart from fostering collaboration among peers and industry groups, sharing also has a direct bearing on improving the security posture of the organization. It also has to do with effectiveness of their incident response plan as well as reducing the cost of detecting and preventing data breaches.

The key factors that prevent organizations from doing so include no perceived benefits, anti-competitive concerns, and risk of exposure of sensitive information.

How do data breaches happen?

Have you ever wondered how data breaches actually happen? It’s not what you think.

22. 22% of organizations consider phishing to be the greatest cyber threat.

(Source: Ernst & Young)

Malware comes a close second at 20%, followed by cyberattacks to disrupt (13%), to steal money (12%), and to steal IP (8%). Although there has been quite a lot of discussion about insider threats and state-sponsored attacks, the fear for internal attacks shows up as number eight on the list; espionage ranks bottom of the list.

23. 6.4B fake emails are sent worldwide every day.

(Source: Dark Reading, Cofense)

In the first half of 2018, some 6.4 billion of the emails sent every day were fake. According to internet security statistics from the email security firm Valimail, the US is the No. 1 source of fake email, sending some 120 million phony messages in the second quarter of 2018. According to Cofense, 91% of all cyberattacks start with a phishing email.

24. 76% of organizations worldwide experienced a phishing attack in the past year.

(Source: Check Point, Panda Security)

81% of heads of corporate IT security have detected an increase in the number of cases of attacks getting in through this channel. One of the most common forms of phishing attacks is the BEC (Business Email Compromise) scam where cyberattackers pass themselves off as a client or supplier in order to get money. Around 60% of BEC scam emails do not contain a link, making it harder for cybersecurity systems to detect them.

25. 100% of 850 organizations in a global survey experienced at least one malware attack.

(Source: Check Point)

According to data theft statistics, the average number of mobile malware attacks per organization was 54 between H2 2016 and H1 2017. Even though enterprise mobility management solutions were in place, 75% of the organizations in the studied sample had at least one jailbroken iOS device or rooted Android device connected to their corporate networks. The average number of jailbroken devices was 35 per company. This is a concerning result obviously as jailbreaking strips away the built-in security provided by the iOS and Android operating systems, rendering the entire enterprise vulnerable to an easy attack.

26. 40% of organizations worldwide were impacted by cryptominers in 2018.

(Source: Check Point)

Unlike ransomware, cryptomining offers cyber criminals a much stealthier style of attack that can remain on an organization’s servers for months without being detected. During this period, its authors earn a steady stream of passive income. Check Point Research also found that over 20% of organizations are impacted by cryptojacking malware every week.

27. Nearly 45% of malware incidents involve ransomware, up from less than 10% in 2015.

(Source: Verizon)

Ransomware is a low-risk, high-gain crime that, as recent cyber breach statistics show, is gaining popularity at a terrifying pace. Cyber criminals are also growing bolder with the share of personal devices targeted with ransomware coming down and that of enterprise servers, for which much greater ransoms can be demanded, going up.

28. 56% of data breaches in H1 2018 were caused by malicious outsiders.

(Source: Gemalto Breach Level Index)

This was a decrease of 7% from H2 2017. In terms of number of compromised records, the share is higher at 73%. Accidental loss accounted for over 879 million (26 percent) of the records lost this half, the second most popular cause of data breaches representing over one third of incidents. The number of records and incidents involved in malicious insider attacks fell by 60 percent this half compared to the same time period in 2017.

29. 83% of all records stolen in H1 2018 involved identity theft.

(Source: Gemalto Breach Level Index)

Identity theft has continued to be the leading type of data breach, at least since 2013. While the number of identity theft breaches decreased by 26% over the first half of 2017, the number of records stolen through these incidents increased by 757%, representing 83% of all records stolen. Data breach statistics show a disturbing trend in the escalation of severity. Though overall incident numbers are on the decline H1 2017 vs. H1 2018 (171 for H1 2017 and 123 for H1 2018), the number of records breached increased H1 2017 vs. H1 2018 (2.7 million and 359 million) respectively.

30. 28% of organizations say customer information or customer passwords are the information of greatest value to cyber criminals.

(Source: Ernst & Young)

12% say it’s the companies’ financial information, while another 12% say their strategic plans are the top information cyber criminals are looking for. Other categories that rank slightly lower in terms of threat perception are R&D information, M&A information, and intellectual property.

31. Average cost of data breach can come down by more than 50% if the disaster recovery process is automated.

(Source: IBM-Ponemon Institute)

Automation means codifying a set of manual disaster recovery steps via the creation of scripts that drive singular actions at component levels. Cybersecurity statistics show that the difference in the average cost of the data breach can be as much as 50% between companies that don’t and those that do deploy an automated disaster recovery process that provides resiliency orchestration.

32. 40% of companies deploy manual disaster recovery processes.

(Source: IBM-Ponemon Institute)

However, the sample of companies from different parts of the world studied by the Ponemon Institute found that as many as 40% continued to use a completely manual data recovery process. This is a definite improvement from the previous year, but, given the potential savings involved, remains a metric that organizations fare surprisingly poorly on.

33. Existence of a strong incident response team has the most positive effect on data breach cost; third-party involvement has the most negative.

(Source: IBM-Ponemon Institute)

Out of 22 factors that can either increase or decrease the cost of data breach, having an incident response team has been found to be the most beneficial, with a potential to lower the per capita data breach cost by $14. Equally critical are the factors that can increase the per capita cost, which include third-party involvement (by $13.4), extensive cloud migration ($11.9), compliance failures ($11.9), and extensive use of mobile platforms and IoT devices.

34. 55% of industrial organizations allow third parties such as suppliers, partners, and service providers to access their industrial control network.

(Source: Kaspersky)

Even though there is a wider acceptance of the risks of third party data breach, more than half of industrial organizations permit outsiders to access critical systems. It is important to note that organizations that allow third-party access like this are also 63% more likely to experience a security breach as compared to those that don’t allow such access.

35. Only 1% of the stolen, lost, or compromised data records in H1 2018 were protected by encryption.

(Source: Gemalto Breach Level Index)

Extensive use of encryption is one of the top factors that decrease the cost of a data breach, as it can render the stolen information useless. This wasn’t the case with pretty much all the data cyber criminals were able to lay their hands on in H1 2018. This figure was at an already low level of 2.5% in H1 2017, which makes a further drop of a percent-and-a-half even more concerning.

36. According to the 2019 Thales Global Data Threat Report, 97% of responding companies are using sensitive data on digitally transformative technologies.

(Source: Thales)

These technologies include cloud computing, big data, IoT, containers or mobile environments, all of which create new attack surfaces and new risks for data. The idea is not to discourage companies from using these technologies but to ensure they are aware of the kinds of vulnerabilities these create and take adequate steps to safeguard their and their customers’ data.

37. Only 30% of respondents are using encryption within these environments.

(Source: Thales)

Encryption, as we have covered above, might not prevent data breaches, but it does ensure that the data stolen cannot be misused. The Thales study also found that far too many companies globally have still not woken up to the value of data encryption, despite using new technologies that make data theft likelier. The effects of how many data breaches could be rendered harmless if only companies opted for this one tool!

38. A 2018 worldwide survey of 2,848 IT professionals revealed 77% of organizations do not have a formal cybersecurity incident response plan applied consistently across the organization.

(Source: IBM-Ponemon Institute)

Lack of investment in AI and machine learning was ranked as the biggest barrier to cyber resilience, and investment in this area was ranked as the lowest priority for the next 12 months. Having insufficiently skilled personnel dedicated to cybersecurity was the second biggest barrier, with only 29% having the ideal staffing level.

39. Fewer than 1 in 10 organizations say their information security function currently meets their needs.

(Source: Ernst & Young)

And many are worried that vital improvements are not yet under way. Data security statistics show that smaller companies are more likely to be lagging behind. While 78% of larger organizations say their information security function is at least partially meeting their needs, that falls to just 65% among their smaller counterparts. This is in stark contrast to the proactive cyber criminals who continue to raise their game.

40. 44% of respondents rated complexity as the greatest perceived barrier to implementing data security.

(Source: Thales)

This is above other reasons like staff, budget, and organizational buy-in. Many organizations work in a multi-cloud environment, which greatly compounds the difficulties they face in protecting their sensitive data as each environment, and often each implementation with the environment can require a unique data security approach.

41. 87% of organizations do not have sufficient budget to provide the levels of cybersecurity and resilience they want.

(Source: Ernst & Young)

This is despite the indication from data breach statistics that organizations are spending more on cybersecurity, devoting increasing resources to improving their defenses, and working harder to embed security-by-design. Protections are patchy, relatively few organizations are prioritizing advanced capabilities, and cybersecurity too often remains siloed.

42. Only 39% of organizations claim their board or executive management team has a comprehensive understanding of information security to fully evaluate cyber risks and preventive measures.

(Source: Ernst & Young)

With many organizations actively pursuing digital transformation, it is essential to see that cybersecurity doesn’t get left behind. Thankfully, about 31% additional organizations have management teams with limited knowledge and 25% have teams that are taking positive steps to improve their understanding. Even in this department, data breach stats show that larger organizations score slightly better than smaller organizations. Interestingly, 60% of organizations say that the person directly responsible for the information security is not a board member.

43. Only 39% of company boards actively participate in setting security policies.

(Source: PwC)

According to another 2018 survey of companies worldwide, it was found that for all the talk about security needing to become a board-level issue, many boards still appear to be relatively uninvolved in their organization’s security strategy. Only 45% are involved in setting security budget, 44% formulate overall security strategy, and 31% review current security and privacy risks.

44. 34% of organizations see careless or unaware employees as the biggest vulnerability.

(Source: Ernst & Young)

Data breach statistics show that outdated security controls are ranked the biggest vulnerability by 26% of the organizations. In fact, 53% of organizations have no program or an obsolete one for critical cybersecurity aspects like threat detection, vulnerability identification, breach detection, data protection, breach response, and identity and access management. Vulnerabilities also increase when it comes to third parties.

45. 63% of organizations do not increase spending on security if a breach causes no perceived harm.

(Source: Ernst & Young)

Organizations concede that they would be unlikely to step up their cybersecurity practices or spend more money unless they suffered some sort of breach or incident that caused very negative impacts. Apart from the obvious red flag that such behavior raises, there is also the fact that, in many cases, even when there is actual harm done, it takes a long time for it to come to the surface.

How can data breaches be prevented?

There are things organizations can do in order to prevent data breaches. Let’s have a look on common solutions.

46. 61% of organizations worldwide cite the hiring of skilled personnel as the top reason for improved cyber resilience.

(Source: IBM-Ponemon Institute)

More than 70% of organizations say their cyber resilience has improved in the 2017-2018 period. Top reasons for this include better hiring, improved information governance practices, visibility into applications and data assets, and implementation of new technology like cyber automation tools such as artificial intelligence and machine learning.

47. Cloud computing is an area of priority for cybersecurity investment for 52% of organizations in 2019.

(Source: Ernst & Young)

Cloud computing will also see an increase in security spending by 57% of organizations. According to cybersecurity statistics, the other areas in the top 5 include cybersecurity analytics, mobile computing, IoT, and robotic process automation.

48. Preparedness and agility are by far the most important factors to achieving a high level of cyber resilience.

(Source: IBM-Ponemon Institute)

Asked to choose from seven key factors that help achieve a high level of cyber resilience, IT professionals from across the world gave the highest preference to preparedness and agility, notably well above planned redundancies. The best way to counter the unpredictable and ever-present nature of cyber threats is to be prepared all the time.

49. 70% of IT professionals consider identity management and authentication an effective security technology.

(Source: IBM-Ponemon Institute)

In addition to people and processes, data breach stats show that the right technologies are essential for achieving cyber resilience. The seven most effective technologies for achieving cyber resilience are: identity management and authentication, anti-virus/anti-malware, intrusion detection and prevention systems, incident response platforms, network traffic surveillance, encryption for data at rest, and security information & event management. Out of these seven, most IT professionals agree on identity management and authentication, making it the top security technology.

50. 88% of IT professionals agree that curtailing unauthorized access to mission-critical applications is the top cybersecurity activity their organization needs to implement.

(Source: IBM-Ponemon Institute)

While it is impossible to predict how the next cyberattack will unfold, IT professionals agree that there are certain preventive measures they can take to minimize the risks involved. These measures reduce the chinks in the security armor that cyber criminals eventually exploit to steal data. Data breach statistics show that the top measures include curtailing unauthorized access to mission-critical applications and sensitive or confidential data. Other important measures are limiting the theft of data-bearing devices (including IoT), enabling efficient backup and disaster recovery operations, and curtailing end-user access to insecure internet sites and web-based apps.

References:

  1. IBM-Ponemon Institute
  2. Gemalto Breach Level Index
  3. Thales
  4. European Data Protection Board
  5. Gartner
  6. IBM-Ponemon Institute
  7. IBM-Ponemon Institute
  8. IBM-Ponemon Institute
  9. IBM-Ponemon Institute
  10. IBM-Ponemon Institute
  11. IBM-Ponemon Institute
  12. IBM-Ponemon Institute
  13. IBM-Ponemon Institute
  14. IBM-Ponemon Institute
  15. Gemalto Breach Level Index
  16. Identity Theft Resource Center
  17. Identity Theft Resource Center
  18. Gemalto Breach Level Index
  19. Gemalto Breach Level Index
  20. Verizon, Privacy Rights Clearinghouse
  21. IBM-Ponemon Institute
  22. Ernst & Young
  23. Dark Reading, Cofense
  24. Check Point, Panda Security
  25. Check Point
  26. Check Point
  27. Verizon
  28. Gemalto Breach Level Index
  29. Gemalto Breach Level Index
  30. Ernst & Young
  31. IBM-Ponemon Institute
  32. IBM-Ponemon Institute
  33. IBM-Ponemon Institute
  34. Kaspersky
  35. Gemalto Breach Level Index
  36. Thales
  37. Thales
  38. IBM-Ponemon Institute
  39. Ernst & Young
  40. Thales
  41. Ernst & Young
  42. Ernst & Young
  43. PwC
  44. Ernst & Young
  45. Ernst & Young
  46. IBM-Ponemon Institute
  47. Ernst & Young
  48. IBM-Ponemon Institute
  49. IBM-Ponemon Institute
  50. IBM-Ponemon Institute

Related Posts

Leave a Comment