Living in the modern world means integrating technology into almost every aspect of our daily lives. This symbiotic relationship with technology opens us up to becoming highly susceptible to hacking. This vulnerability extends from our smartphones, personal and work computers, transport, bank, and credit card purchases to every small smart device you have installed in the home or workplace.

Why are Data Breaches and Cybersecurity Breaches a Growing Concern?

Internet users and consumers might not be concerned enough about the threat of hacking, the real scenario is far from being safe. It is estimated that there is a hacking attack every 39 seconds.

Large companies and Federal Departments including The US Office of Personnel Management (OPM), Anthem Blue Cross, Yahoo, Uber, Quora, Facebook, Cathay Pacific, Marriott International, Equifax, LinkedIn, etc., have all experienced cyber threats in the past few years. No one is immune.

Recently it’s become apparent that the complexity, frequency, and expense of data breaches are ever-increasing. Many major cyber-attacks have targeted high profile companies in the US, Europe, and Australia. To counter this, new legislation has been introduced in affected countries, aimed at changing the rules related to threat timeframes and user notification.

We aim to present a comprehensive picture of an alarming threat of cybercrimes and data breaches, something which affects customers, social network users, and even companies. Information is presented in a series of points, covering the most critical cybersecurity statistics for 2019-21.

data breach stats

Costs of a Data Breach

A single instance of a data breach can have immense implications on a business. A smaller sized-company could be put out of business due to a large breach. Below are some statistics that show how costly data breaches are:

  • The average cost of a data breach currently sits at $3.86 million. That number rises to $8.64 million in the USA. [IBM]
  • Worldwide cybercrime costs will hit $6 trillion annually by the end of 2021. Cybercrime damages will hit $10.5 trillion annually by 2025. [Cybersecurity Ventures]
  • In 2021, ransomware damages will reach $20 billion, 57x greater than the damages in 2015. On average, there is a ransomware attack on a business every 11 seconds in 2021. [Arcserve]
  • The average ransomware payment rose 33% in 2020 and now sits at $111,605. [Fintech News]
  • The average price for a Business Email Compromise hack is $24,439 per case. [Verizon]
  • The average cost per lost or stolen record per individual is $146. [IBM]

Data Breach Numbers and Risks

The 2019 Thales Data Threat Report – Global Edition issued by Zurich Insurance, found that rapid digitalization and the internet of things has expanded the connectivity of the developed world and its infrastructure.

To keep up with rapidly expanding and sophisticated technologies, many companies are investing in their service usability. Chasing greater competitiveness, they are migrating to cloud or multi-cloud environments very quickly. This is when the data storage is maintained by a company itself or in tandem with a third party. This hybrid structure can make data very difficult to secure, states the Threat Report.

Most organizations are finding it challenging to control security breaches and implement strong safety measures. It’s even harder for smaller and mid-sized companies who due to budget constraints or lack of staff make them vulnerable to attack. Here are the data breach statistics that put the risk into perspective:

data breach statistics

  • Over 95% of all data breaches are a result of a human error. [Cybint]
  • The average lifecycle of a data breach (from identification to containment) in 2020 was 280 days. [IBM]
  • In 2020, phishing accounted for 1 in every 4.200 emails. Every minute, $17,700 is lost due to a phishing attack. [Symantec]
  • Phishing attacks account for over 80% of all reported security incidents. [CSO Online]
  • A typical user has a 27.9% chance of experiencing a data breach that could affect a minimum of 10000 records. [Security Intelligence]
  • Data breaches compromised 36 billion records in the first half of 2020. [RiskBased]
  • In 2020, 86% of all breaches were financially motivated. Only 10% were motivated by espionage. [Verizon]
  • Healthcare organizations were the target of 15% of all breaches, while the financial industry and the public sector suffered 10% and 16% of breaches respectively. [Verizon]
  • In 47% of all financial breaches, the victim is a bank. [Fortunly]
  • Increasingly more malware attacks, 25.7%, are targeting global financial services and banks. [Intsights Cyber Intelligence]
  • Year-over-year increases for compromised credit cards (212%), credential leaks (129%), and malicious apps (102%). [Intsights Cyber Intelligence]
  • The United States is in the number one position when it comes to the risk of data breaches. [Statista]
  • Almost 41% of US-based companies allow employees unrestricted access to sensitive data. [Varonis]
  • Experts have calculated that almost 25% of enterprises would succumb to data breaches through IoT devices by the year 2020. The figure poses a problem, as a mere 10% of IT security budgets allocated by companies are directed towards smart device security. [Gartner]
  • 88% of businesses have over 1 million folders and do not limit employee access to company files. [Varonis]
  • Over 4.5 billion data records were affected by data breaches in the first half of 2018, which equates to over 1 million data breaches per hour. [Gemalto]
  • Data breach instances were reported in 2019, with the first half of 2019, experiencing an 11% increase compared to the previous year. [Accenture]
  • Around 25% of consumers across the USA, UK, France, and Germany would abandon a product or service in case of a single ransomware-related service disruption, failed transaction, or instance of inaccessible data. [Arcserve]
  • The number of reported cybercrimes accounts for only 10-12% of the actual number of cyber attacks. [FBI IC3]
  • Personal data was the target in 58% of breaches in 2020. [Verizon]

Business Continuity Plan

Having a Business Continuity Plan (BCP) is critical in the face of a data breach. A plan would outline the type of data being stored, where it’s stored, and what the potential liabilities are when implementing data security and recovery actions. AON’s 2019 Cyber Security Risk Report outlined that most organizations are missing a BCP.

When you investigate what’s causing data breaches, many times, it’s criminal activity or human error, or a mix of both. But the most common cause is the failure of organizations to prepare and do assessments in advance to identify their weaknesses. And failing to come up with answers to remedy and recover from their disadvantages. Taking care of weak passwords, improper configuration, untrained staff, or an outdated OS are all things companies can do beforehand to prevent attacks.

Incident Response

A BCP requires an effective cyber incident response plan. This refers to an organized approach that is aimed at addressing, managing, and rectifying the damages, in the aftermath of a cyber-attack or data breach incident.

  • In 2020, the average time organizations took to discover a data breach was 207 days. [IBM]
  • Companies that contain a data breach in less than 30 days save over $1 million annually. [IBM’s Ponemon Institute]
  • More than 77% of companies do not have an incident response plan. [Cybint]

Largest Data Breaches in History

The number of instances related to data breaches has been steadily increasing since 2013, with an estimated 14,717,618,286 cases where data has been either stolen or lost. Below are some of the most prominent instances of data breaches ever recorded in recent years.

  • Target in 2013: The data breach was carried out via malicious software installed on machines used by customers to pay with their cards. A total of 110 million Target accounts were compromised. [Forbes]
  • E-Bay in 2014:The data breach was carried out using stolen login credentials from a small number of employees. A total of 145 million eBay accounts were compromised. [Business Insider]
  • Anthem Inc. in 2015: The data breach was carried out by hackers after they infiltrated the company server. A total of 37.5 million personally identifiable records of customers were stolen. [Threatpost]
  • Yahoo! in 2013/2014: One of the most significant data breaches occurred in 2013-2014, where Yahoo’s 3 billion accounts got compromised. It was a coordinated attack by an organized, unidentified cyber-criminal organization. [REUTERS]
  • AOL in 2003: An estimated 92 million customer accounts were compromised after Jason Smathers, a 24-year-old AOL software engineer, caused the security breach. [WIRED]
  • Quora in 2018: The data breach was caused due to unauthorized access by a malicious third party. One hundred million user accounts were compromised. [Quora]
  • Facebook in 2018: This data breach was caused after hackers exploited a vulnerability in Facebook’s “View As” code. They were left with 50 Million compromised accounts. [The Guardian]
  • Marriott International in 2014/2018: The breach occurred due to unauthorized access to the guest’s information database. As a result, over 500 million user accounts were compromised. [Forbes]
  • Uber in 2016: Attackers, in this case, obtained credentials and accessed Uber’s cloud servers. They then got access to sensitive user information. As a result, more than 57 million users and driver accounts were compromised. [TechCrunch]
  • Equifax in 2017: The data breach occurred as a result of a vulnerability in the open-source software used to access its servers. As a result, the personal information of 143 million consumers was exposed. [Forbes]
  • Aadhar Data breach in 2018: The Indian Government’s national ID database, which stores “Aadhar” information, succumbed to a cyber-attack in March 2018. The personal data of over 1.5 billion Indian citizens, including phone numbers, addresses, ID numbers, etc., were left exposed on the web. Experts have labeled this as one of the worst data breaches of all time. [TechCrunch]
  • Marriott International in 2020: a security breach affected data of more than 5.2 million hotel guests of Marriott International. [Marriott]
infographic of big data breaches
Statistics provided by Ana Bera, co-founder of safeatlast.co

Click here to see the full infographic!

Data Hacking Trends

With the exponential growth of the cloud and IoT applications, such as connected health devices, house or child monitoring equipment, and smart cars. The demand for data-centers keeps increasing. This is also increasing new forms of cybercrime since all these devices are now hackable, susceptible to IoT attacks. It’s not surprising since connected devices are becoming more and more entangled and integrated into everyday lives.

In only 2 years, the total data stored in the cloud – which includes everything from public clouds operated by third-party vendors, government-owned clouds, social media companies, and private clouds run by mid-to-large-sized companies – will be a hundred times greater than today.

Modern hacking trends include a myriad of cybercrime techniques aimed at compromising data. Some of the most dangerous and common types of security threats include:

  • Since COVID-19, the FBI announced a 300% increase in reported cybercrimes. [IMCGrupo]
  • An estimated 4000,000 DDos attacks were reported monthly in the last few years. [Caliptix Security]
  • By 2023, the total number of DDoS attacks across the world will be 15.4 million. [Cisco]
  • Over 30% of all data breaches involve an internal actor. [Verizon]
  • In a report from Forrester, their research revealed that only 12% of breaches were targeting public cloud environments. 37% of decision-makers believed that heightened security made the migration to the public cloud vital to future success. [Forrester]
  • The top malicious email attachment types are .doc and .dot (37%). The next highest is .exe (19.5%). [Symantec]
  • Over 94% of all malware deliveries go through emails. [CSO Online]
  • In 2020, 65% of criminal groups relied on spear-phishing as the primary infection tactic. [Symantec]
  • An average IoT device experiences 5,200 attack attempts every month. [Symantec]
  • Organizations reporting phishing and social engineering attacks are increasing by 16% year over year. [Accenture]
  • In 2020, 45% of all breaches featured hacking, 17% used malware, and 22% involved a form of phishing. [Verizon]

The motivation behind cybercrime remains financial gain and has remained the dominant motivator behind cyberattacks, at a rate of 88.1%. Cyberattacks as a form of technology warfare have been rising recently, up to 4% as of January 2019, when only a month earlier, in December 2018, the rate was 2% according to Privacy Affairs. Governments and non-government organizations have taken part in cyber warfare, and that rate should continue to grow as technologies become more integrated into the public’s lives.

C-suite and Cybersecurity

  • According to a recent survey carried out on C-suite users, a total of 53% of respondents indicated “cybercrime and data breaches” as the number one concern when it comes to cybersecurity. [IBM Study]

Increased attacks on Service Providers

Attacks on service providers such as Yahoo, AML, etc. have seen a stark rise in the last 6 or 7 years.

  • Yahoo faced the worst service provider attack with instances affecting 3 million, 500 million, and 200 million user accounts in 2013, 2014, and 2016 respectively. [NYTimes]

Organizational vulnerabilities

  • Both medium and small-scale organizations are losing an estimated $120,000 on average due to service denial attacks. Another figure indicated that enterprises could lose more than $2 million in total, due to denial of service attacks. [Security Intelligence]

Third-party/Supply-chain risk

  • Most data breaches are caused by malicious activities outside the entity, as a study found that it accounts for 56% of total data breaches in 2018. Malicious insiders account for only 7% of the violations. [Statista]
  • Intrusions caused by Phishing attacks have affected 82% of manufacturers in the U.S, which also covers the industrial supply chains present in the manufacturing sectors. [phishing box]
  • Almost 59% of UK and US-based companies who have used a third-party service have experienced data breaches. Of them, a measly 16% of them think that the third party’s risk management system was effective enough in 2020. [Business Wire]

Skills Shortage in CyberSecurity

The overall level of skills when it comes to Cybersecurity measures has not matched up to the required standards.

  • Over 54% of the world’s organizations have experienced some sort of significant cyber-attack in the past year. [IBM]
  • 38% of global organizations claim that they can handle a sophisticated cyber-attack. [IBM]
  • In 2018-2019, almost 53 percent of organizations reported a problematic shortage of cybersecurity skills. [Security Intelligence]
  • More than 70% of security executives believe that their budgets for the fiscal year 2021 will shrink. [Mckinsey]

Trends in HIPAA Data Breaches

  • The healthcare industry has the highest average data breach cost ($7.13 million). [IBM]
  • In America, the total number of medical records that have been exposed throughout 2019 amounts to a total of 38 Million. [HIPAA JOURNAL]
  • The U.S. Department of Health and Human Services experienced 52 data breaches in October 2019 alone. [HIPAA JOURNAL]
  • In 2020, there was a 58% increase of confirmed data breaches in the healthcare industry. [Verizon]
  • In September 2020 alone, 9.7 million healthcare records were the target of 83 successful breaches. [HIPAA JOURNAL]
  • More than 93% of all healthcare entities were victims of a breach attempt in the past three years. [Herjavec Group]
  • 2015 remains the worst year for data breaches in this sector, with two instances exposing 78.8 million and 11 million customers, respectively. [appknox]

Cybersecurity Spending

As the threat of cybersecurity intensifies, the overall amount spent on cybersecurity has been increasing since 2015.

  • In 2020, almost fifty-two percent of companies believed that cloud computing is a priority for cybersecurity investment.  [Safe At Last]
  • Cloud computing providers will spend more on security spending by 57%. The other areas that will see more development are IoT, mobile computing, cybersecurity analytics, and robotic process automation. [Forrester]
  • By 2023, businesses are expected to spend $12.6 billion on cloud security tools, that’s more than double from the $5.6 billion spent in 2018. [Forrester]
  • By the end of 2021, 100% of large companies globally will have a CISO (Chief information security officer) position. [Cybersecurity Ventures]

data breaches stats

Prevention and the Future

The modern, inter-connected world is increasingly falling under threat from growing instances of cybercrimes. Many large companies have fallen prey to such elaborate cybercrime schemes and have lost millions on lawsuits to recover the situation.

In 2018 alone, data breaches affected 45.9% of businesses, 29.2% of medical and healthcare institutions, 10.9% of banking, credit or financial institutions, and 8% of government or military associated companies and departments. [Digital Information World]

The number of data breaches per year in the United States has gradually increased since 2014: [Statista]

  • 783 cases in 2014
  • 781 cases in 2015
  • 1093 cases in 2016
  • 1579 cases in 2017
  • 1244 cases in 2018

When it comes to 2019, however, the numbers have skyrocketed.

  • There were more than 3800 reported cases of breaches in 2019. [Forbes]
  • Compared to the first six months of 2018, there has been a 54% increase in the number of reported breaches. [TechRepublic]
  • These breaches exposed records which were 52% more than that of 2018. [Risk Based Security]

The largest data breaches in 2019:

  • A total of 620 million accounts suffered a data breach in 2019, from a total of 16 websites. [Forbes]
  • Websites such as Dubsmash, Armor Games, ShareThis, Whitepages and 500px were among those affected. [IT Governance UK]

Prevention is always better than cure and is most applicable when dealing with cybercrimes. With different forms of cybersecurity, ranging from malware, phishing, denial of service, SQL injection, Zero-day exploits, DNS tunneling, and others, the need for effective cybersecurity measures is of utmost priority.

Cybersecurity measures range from simple to complex. Necessary preventive measures such as password protection and authentication, are not enough to prevent more elaborate and complex cyber threats that are faced by companies today.

From a business perspective, data breaches can never be ignored, and appropriate measures must be taken by the companies, something which is lacking as of now. As hackers find more elaborate ways to breach security, countermeasures need to be in place. The only way to tackle such threats is to develop sophisticated security techniques, as well as to educate users and employees about the dangers of the different forms of cybersecurity threats prevalent currently.

Here are some industry trends and predictions to watch for in 2021 and beyond:

  • Remote workers will be the prime target for cybercriminals as employees continue to work from home.
  • Cloud breaches will increase as a side effect of remote workforces.
  • The cybersecurity skills gap will continue to be an issue for companies trying to prevent data breaches.
  • The increased bandwidth of connected devices will make IoT devices more vulnerable to cyberattacks.

If left untreated, cybercrimes and data breaches can hamper the reputation of a company, assets, finances, and even their existence, which means there will be no future if you don’t start prevention now. Find out more on how to secure your data in the cloud, by connecting with one of our experts.

Key Takeaways for Statistics on Data Breaches

  • As an increasingly large number of systems and processes go online, customers, businesses, and governments become more vulnerable to cybercrime and attacks.
  • To counter the threat of cybercrime, organizations must increase their investments in cybersecurity and deploy them correctly. Also, to train their workforce regularly.
  • Outside comparing the numbers of attacks in 2019, what’s evident is that the variety and severity of cyberattacks are on the rise.
  • Plan and prepare by updating your OS regularly. Train employees on the dangers of social engineering. Disallow the downloading of unfamiliar apps from unknown sources.
  • If a cyberattack does occur and hackers demand payment, by not reporting it and giving in, will be the easy way out. Hackers will come back for more if they can profit. To avoid future cyberattacks means reporting crimes to the authorities and refusing to pay. This will make future attacks less likely.