Data breaches impacting millions of people seem to be happening on a daily basis. (A recent report claimed a typical “hacking activity” attack occurs every 39 seconds, affecting one in three Americans each year.)
Data equals money, which spurs the data breach attacks by the bad guys. But, how much do data breaches cost companies and individuals? Why aren’t companies ready for these breaches? Who is vulnerable, and is there anything a person can do to help protect their personal and financial data?
In this article, I’ll be sharing information about the history of data breaches, how data breaches happen, the probability of your information being included in a breach, and much more. I’ll also share some interesting (and disturbing) information about data leaks, as well as how users can help protect themselves from a data breach.
A Brief History of Notable Data Breaches
While many may think of data breaches as a relatively recent problem (most public information on data breaches only goes back to 2005), in truth, they’ve been happening for many years.
Back in 1984, global credit information provider TRW (now known as Experian) was hacked, resulting in 90 million records being stolen. In 1986, Revenue Canada was hit by hackers, resulting in bad guys accessing 16 million records.
2005 marked the first data breach that compromised more than 1 million records when DSW Shoe Warehouse had 1.4 million credit card names and numbers stolen in March 2005.
In January of that same year, the first data breach affecting a college occurred, when George Mason University had the names, photos, and Social Security numbers of 32,000 students and faculty breached.
In June 2005, hackers accessed approximately 40 million credit card accounts from payment processor CardSystems Solutions.
How Do Data Breaches Happen?
When large corporations have sensitive data exposed, it is generally due to negligence by whoever is in charge of protecting the data, hacking incidents by bad actors, or both. Let’s take a look at the four main ways data breaches occur.
Malware
Malware can be defined as any software package designed to harm computer files or systems, or to steal information by reading the computer’s files or by monitoring keystrokes by the computer user.
Ironically, one popular way for malware to infect a computer or mobile device is to masquerade as an alert “warning” the user of malicious software allegedly attempting to infect their computer. If the user is fooled by the “warning,” and allows the downloading of the malicious software, it can steal information, encrypt files, or otherwise hijack computer functions.
Malware can hit your computer system if you visit hacked websites (you’ve likely seen alerts that you need to update your Flash Player software – never click those), download infected files, or open phishing emails.
Individuals and businesses are both common targets of this type of software.
Ransomware
Ransomware is a form of malware that infects a computer or an entire network of computers using the same methods described in the Malware section above.
Ransomware encrypts vital files so that their rightful users can no longer access them. A “ransom” is then demanded (usually in the form of cryptocurrency) to unlock the files. However, paying the ransom does not ensure that the files will be unlocked.
The common targets for this type of data breach are businesses of any size. City government systems have recently become popular targets of ransomware attacks.
Phishing
Arguably, one of the most common ways the bad guys instigate data breaches is by sending fraudulent emails that appear to be from reputable sources – such as from business partners, other departments, or bosses – which contain malicious links or attachments that, when clicked, can infect a computer or network.
Phishing attacks can be used to launch ransomware attacks, or to launch data attacks where sensitive financial or other confidential information is stolen.
Individuals and businesses of any size are common targets for this type of breach.
Denial of Service (DoS)
Denial of Service (DoS) attacks are when a bad actor attempts to overwhelm a targeted network or website with more requests than it can serve, flooding the target until it is overloaded.
These types of cyberattacks are usually launched against high-profile sites or services, such as those provided by banks or other financial institutions. They are intended to prevent the targeted systems from fulfilling some or all legitimate requests.
Bad actors also launch DoS attacks to divert a defender’s attention away from an information security breach attempt – somewhat like a magician directing your attention to one side of the stage while performing the “magic” on the other side.
If a DoS attack can down an intrusion prevention system for a short period of time, that might be just enough time for the bad actor’s data breach to take place.
What Is the Average Cost of a Data Breach?
There is no denying that data breaches are costly for the businesses that are hit by them. When considering the costs inflicted by a data leak, we must consider both direct and indirect costs.
Direct expenses include a ransom if one is paid, the hiring of forensic experts, customer support, and potential settlements which can also include the cost of offering free credit monitoring subscriptions.
Indirect expenses can include the loss of customers, as well as the cost of advertising and public relations to attempt to restore a company’s reputation with its current and potential customers. Also, many companies that hadn’t invested in data breach “crash teams” and other preventative measures will finally invest in such measures.
A Comparitech report claimed that in 2019, finance and payment companies saw the largest drop in their share performance following a data breach. Overall prices fell 7.27% on average after a breach.
While the average cost of a data breach runs $3.9 million, healthcare is the hardest-hit industry financially, with the average cost of a data breach hitting $6.45 million.
Data collected by Juniper Research indicates cybercrime cost businesses over $2 trillion in total in 2019. The average cost per lost or stolen record is $150.
Firms in the United States had the highest average total cost of a data breach in 2019, with an average cost of $8.19 million.
The American Journal of Managed Care reports that hospitals spend 64% more annually on advertising in the two years following a data breach.
Data Breach Statistics, Facts, and Figures
1. 49% of U.S. Companies Surveyed Have Been Hit With a Data Breach
International Data Corporation’s 2020 Thales Data Threat Report includes data from 1,200 executives from nine countries, all representing a wide range of industries.
The survey found that just under half of all U.S. companies have discovered that they are the victims of their data being compromised. The actual number of companies affected could be higher, as many data breaches go undetected for long periods.
2. Hackers Attack Every 39 Seconds on Average
A Clark School study showed that on average, hackers attack a computer with internet access every 39 seconds. The study profiled “brute force” hackers that use software-aided techniques to attack large groups of computers at once.
While TV and films depict hackers manually attempting to break into computers and networks, in reality, hackers use automated scripts that probe thousands of computers at once, looking for vulnerabilities.
3. 26% of U.S. Companies Have Admitted to a Data Breach Sometime in the Last Year
The Thales Data Threat Report sourced above found that almost one-third of U.S. companies admitted to having suffered a data breach. The actual number of affected firms could be much higher, as they simply may not have yet discovered that they have been hit.
4. Over One-Quarter of All Data Breaches Involved Small Business Victims
Verizon’s 2020 Data Breach Investigations Report analyzed over 40,000 security incidents, including more than 2,000 confirmed data breaches. Its findings showed that 28% of attacks affected small businesses.
5. 50% of Organizations Spend a Mere 6% to 15% of Their Security Budget on Data Security
The Thales Data Threat Report also revealed that half of the organizations surveyed spent a mere 6% to 15% of their security budget on securing their sensitive data. Doesn’t seem like nearly enough security spending, right?
6. Cloud Storage Data Breaches Are Becoming Commonplace
The Sophos 2020 Threat Report reveals that human error is an increasing problem as cloud storage data breaches are becoming more common. Small misconfigurations in cloud storage systems can leave the system open to potentially costly security breaches.
As cloud storage systems and cloud services become more complex, and companies move between systems frequently, a small mistake by an administrator can accidentally leave an entire database open to the public.
7. 22% of All Data Breaches Involve Phishing Attacks
The Verizon 2020 Data Breach Investigations Report discovered that almost one-fourth of all data breaches involved phishing attacks. 37% entailed hacking incidents, while 17% involved malware.
8. More Than Half of All Data Breaches Are Not Discovered Until Months Later
Just because a company hasn’t reported that they’ve been a victim of a data breach, doesn’t mean that they’re breach-free. The Verizon study discovered that 60% of companies take months to discover a breach. So, by the time they send out that apologetic email informing you of a breach, your sensitive data may already be making the rounds.
9. 4,800 Websites Per Month Are Injected With Formjacking Code
Formjacking is to a website what a credit card skimmer is to a gas pump. A site infected with formjacking code captures your data as an online order form is submitted and sends it to the bad guys that infected the site.
Roughly 4,800 websites are infected with formjacking code per month. More than 3.7 million formjacking attacks were attempted in 2018.
While many companies may have strong cybersecurity, attackers have found a way around this by infecting the sites of those companies’ suppliers and partners, so that the malicious code is delivered along with legitimate orders.
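Because formjacking code arrives through scripts a checkout page loads, the practical defence is to know exactly which scripts a page includes and to notice when that set changes. The following Python audit is an added example written for this article, not code from the original page or from any vendor it cites. It parses a page, lists every external script host, flags hosts that are not on an allowlist, flags allowed third-party scripts that carry no Subresource Integrity (`integrity`) attribute, and hashes inline scripts so that any inline script not seen before stands out. The hostnames, script names and the sample checkout page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import hashlib


class _ScriptCollector(HTMLParser):
    """Collects every <script> on a page: external sources and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # list of (src, has_integrity_attribute)
        self.inline = []        # list of inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if src:
            self.external.append((src, "integrity" in attrs))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def inline_hash(body):
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def audit_scripts(html, allowed_hosts, known_inline_hashes):
    """Return (kind, detail) findings for scripts that deviate from the baseline.

    kinds: 'unknown-host'   - external script from a host not on the allowlist
           'missing-sri'    - allowed third-party script without an integrity attribute
           'unknown-inline' - inline script whose SHA-256 is not in the known set
    """
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, has_sri in parser.external:
        host = urlparse(src).netloc.lower()
        if not host:
            continue                      # relative src: served first-party, skip
        if host not in allowed_hosts:
            findings.append(("unknown-host", src))
        elif not has_sri:
            findings.append(("missing-sri", src))
    for body in parser.inline:
        digest = inline_hash(body)
        if digest not in known_inline_hashes:
            findings.append(("unknown-inline", digest[:12]))
    return findings


# Constructed checkout page; hosts and script names are placeholders, not real sites.
ALLOWED_HOSTS = {"js.payments.example", "static.partner-cdn.example"}
BASELINE_INLINE = "window.dataLayer = window.dataLayer || [];"
KNOWN_INLINE_HASHES = {inline_hash(BASELINE_INLINE)}

SAMPLE_HTML = """<html><head>
<script src="https://js.payments.example/v1.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://static.partner-cdn.example/widget.js"></script>
<script src="https://unlisted-cdn.example/s.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>console.log("promo banner v2");</script>
</head><body><form id="checkout"><input name="card"></form></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_HTML, ALLOWED_HOSTS, KNOWN_INLINE_HASHES):
        print(f"{kind:15} {detail}")
```

Run against the constructed page, the audit reports the partner widget as lacking SRI, the unlisted CDN as an unknown host, and the promo banner as an unknown inline script; the payment script with an integrity attribute and the baseline inline snippet pass. Scheduling such a check against the live checkout page, with the allowlist and inline hashes kept under change control, turns a silent third-party compromise into a diff.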
10. Overall Ransomware Attacks Are Down, But Enterprise Numbers Are Rising
Symantec reports that the overall number of ransomware attacks is down 20%. However, the number of enterprise attacks is increasing.
11. Your Personal Data is Valuable on the Black Market
Why are bad actors so anxious to breach data? Because they can make a nice piece of change from it, that’s why. The Symantec report offers a look at what various bits of stolen information can bring on the black market.
Stolen medical records are worth $0.10 to $35.00, retail shopping accounts can go for $0.50 to $99.00, and mobile phone accounts can bring in $15.00 to $25.00. Meanwhile, a full ID package (name, address, phone number, Social Security number, email address, and bank account numbers) can go for as much as $100 on the black market.
12. The Average Data Breach Costs $3.9 Million
IBM’s 2019 Cost of a Data Breach Study conducted interviews with over 3,200 executives from over 500 companies worldwide that had experienced a data breach sometime within the previous 12 months.
The survey showed that the average cost globally was $3.9 million, while the average cost of a data security breach was $8.2 million in the United States. Costs included lost business, notification costs, and more.
13. Data Breaches Cost an Average of $1.42 Million in Lost Business
The IBM study showed that of the $3.9 million that the average data breach costs a business, lost business is responsible for $1.42 million of those costs, or 36.2%.
14. There Were Over 1,800 Confirmed Data Breaches in 2022
A PCMag report showed that there were 1,802 data breaches during 2022, down slightly from the 1,862 reported in 2021. Unfortunately, the number of victims in the 2022 breaches was much higher, hitting over 422 million, up from 294 million victims in 2021.
15. Which Sectors Were Hit With the Most Data Breaches in 2022?
The most popular targeted sectors for data security breaches in 2022 were the government, financial, and retail sectors, with close to 600 breaches in Finance and Insurance, close to 550 breaches in Healthcare and Social Assistance, and a little over 500 in the Public Administration field.
16. The Largest Single Data Breach in 2022 Involved the Data of 69 Million Nickelodeon Neopets Customers
Nickelodeon Neopets is a popular virtual pet website that allows users to create and care for digital pets called “Neopets.” It was disclosed in summer 2022 that attackers gained access to the Neopets IT systems during the period of January 3, 2021 to July 19, 2022. The breach (of data related to about 69 million Neopets customers) was only exposed when a hacker offered to sell a Neopets database for four bitcoins.
17. Companies With an Incident Response Team Reduce the Average Cost of a Data Breach by $360,000
The previously-mentioned IBM study showed that companies that employed an incident response team could reduce the average cost of a data breach by around 9%. The average savings were $360,000 from an average data breach cost of $3.92 million.
18. 51% of Companies Leave Over 100,000 Sensitive Folders Open to All Employees
The 2019 Varonis Global Data Risk Report took a close look at the extent and associated risk of the exposure of critical and sensitive information internally in companies.
It showed that the number of folders left open for anyone in the company to view amounted to 22% of all folders. 51% of companies surveyed have more than 100,000 folders left open to all employees.
The study also found that 17% of all sensitive files (health records, credit card information, and information regulated according to GDPR, PCI, or HIPAA rules) were accessible by all employees.
19. The Number of Exposed Personally Identifiable Information Records Dropped 41% from 2018 – But…
The Identity Theft Resource Center (ITRC) reports that in 2019, publicly available data breach disclosures containing Personally Identifiable Information were down by 41%. However, that doesn’t sound as impressive once you learn that in 2018 the number was up an incredible 127% from the previous year.
20. Human Error Was the Cause of 24% of Data Breaches in 2019
While cybercriminals usually commit data breaches, IBM reports that human error was the root cause of 24% of all breaches, meaning those breaches could have been avoided; the figure is down slightly from 27% in 2018.
Human error as the root cause of a breach can include employees that fall for phishing attacks or have their devices infected, lose their devices, or have them stolen.
What Are The Chances That My Data Will Be Included in a Data Breach?
Since data breaches affect one in three Americans each year, you have a very good chance that at least some of your sensitive data will be included in a data breach.
Visit the “Have I Been Pwned?” website to check to see if you have an account that has been compromised in a data breach. Enter your email address and the website will tell you if you’ve been “pwned.” You can also click the “Notify Me” link to be notified when your account has been compromised in a data breach. (Did you notice I said “when,” not “if”?)
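The same service also lets you check whether a password itself has appeared in a breach, and it does so without ever receiving the password. Its Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>`) returns every known hash suffix sharing that prefix with a count, and the client finishes the comparison locally. The Python below is an added example written for this article, not code from Have I Been Pwned or from the original page. The `live_range_lookup` function talks to the real endpoint; the `offline_range_lookup` stand-in and its counts are constructed so the example runs without network access.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(sha1_hex):
    """Only the first 5 hex chars are sent; the 35-char suffix never leaves the machine."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def pwned_count(password, range_lookup):
    """Number of times the password appears in the corpus behind `range_lookup` (0 = not seen)."""
    prefix, suffix = split_for_range_query(sha1_hex_upper(password))
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def live_range_lookup(prefix):
    """Query the real Pwned Passwords range endpoint (network access required)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service's reply to prefix 5BAA6 (the SHA-1 of the
# string "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). Counts are made up.
CONSTRUCTED_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n"
             "0000000000000000000000000000000000A:1\n",
}


def offline_range_lookup(prefix):
    return CONSTRUCTED_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "tr0ub4dor&3-but-unique-9f2c"]:
        n = pwned_count(pw, offline_range_lookup)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in the (constructed) corpus'}")
```

The design point is the split: a five-character prefix matches on the order of hundreds of hashes, so the service learns nothing usable about which password was checked, while the client still gets an exact answer. Swap `offline_range_lookup` for `live_range_lookup` to query the real corpus.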
How Can Companies Manage Data Breach Risks?
First off, companies need to develop a breach-readiness strategy. They must develop and document a data breach response strategy.
Then, they must assemble an incident response team and assign each member a documented role and set of responsibilities to carry out in case of a data breach. Companies must also not be reluctant to invest in cybersecurity services and tools.
Cybersecurity Risk Mitigation
Companies that are looking to mitigate their cybersecurity risks from data breaches must break the process down into three components, starting with threat prevention:
- Threat Mitigation: It is vital that policies and best practices are put into place to protect corporate networks, applications, and data from being accessed by bad actors.
- Threat Identification: The powers that be must be willing to spend the money to put into place the security tools and management processes required to identify and defend against security threats.
- Threat Remedies: Strategies and tools must be in place to reduce the impact of active security threats that get past the corporate security defenses.
Intellectual Property Breaches
Not all breaches involve data like credit card or account information. Many involve the theft of intellectual property. These thefts can impact a company’s product and services’ competitiveness, future revenues, and even the long-term future of the firm. Although intellectual property breaches happen on a regular basis, they are seldom reported to the public.
How Can I Safeguard My Personal Data Against Data Breaches?
While you can’t do anything to prevent corporate data breaches, there are several ways to protect yourself against the consequences of such breaches.
- Use strong and unique passwords: If you only use strong passwords and never reuse a password, you will protect yourself from one of the main consequences of a data breach. If someone has your login information for one site, they are likely to try that combination on other sites. If you make sure to use unique passwords, they will not be successful. Always use a long string of letters, numbers, and symbols for your password. If you find it to be a chore to remember passwords for each website, use a password manager, which will remember all of your passwords, requiring only a single password to access the information. Password managers can also generate and store unique passwords.
- React immediately to warnings: When you hear about a data breach on the news or receive a notification from a company that you have an account with, react immediately, changing your password as quickly as possible. Also, check with the company as to what sensitive data was leaked. If it involves your banking or credit card information, contact your bank or credit card issuer immediately.
- Use a VPN: A Virtual Private Network (VPN) will encrypt your internet connection, preventing your online activities from being monitored. This comes in especially handy if you do online shopping or banking on unprotected public WiFi hotspots on a regular basis.
- Use Two-Factor Authentication (2FA): Use two-factor authentication to protect your logins. Even if a bad guy gets their hands on your login and password, they can’t complete a login without the second factor, which is usually sent via email or text, or is a code generated by an app or keyfob.
- Monitor your accounts on a regular basis: Make sure to always check your monthly statements from your bank, credit card companies, and other financial institutions. Sign up for identity protection services for additional data protection and to be notified if new accounts are opened in your name.
- Stick to secure websites: Only use websites that are trusted and secure. (Their website address will begin with “https://”.) This is especially important when you’re banking, shopping online, or paying bills.
- Be alert for phishing emails: While you should always be alert for data breach notifications, don’t fall for phishing emails that try to trick you into furnishing your login information. Don’t click links or open attachments in an email. Instead, go directly to the company’s website to change your password.
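The app-generated codes mentioned under two-factor authentication are, in almost every authenticator app, time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The Python below is an added example written for this article, not code from the original page or from any authenticator vendor; it implements both algorithms from the standard library and adds the two checks a server-side verifier needs: tolerance for a little clock drift and rejection of a code that has already been accepted, so an intercepted code cannot be replayed. The seed is the reference seed from the RFCs, used here only because its outputs are publicly known; a real enrolment generates a random secret per user.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, code, now, last_used_counter=-1, step=30, digits=6, window=1):
    """Return the time-step counter that `code` matches, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time, and
    refuses any counter at or below `last_used_counter` so a code cannot be
    replayed. The caller stores the returned counter as the new last_used_counter.
    """
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


# RFC 4226 / RFC 6238 reference seed (20 ASCII bytes); never use a fixed seed in practice.
TEST_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print("code for the current 30-second step:", totp(TEST_SEED, time.time()))
    print("RFC 6238 vector, T=59, 8 digits:", totp(TEST_SEED, 59, digits=8))
```

The important behaviour is in `verify_totp`: with the default window a code is valid for roughly ninety seconds around its time step, but once a counter has been accepted it is never accepted again, which is why the verifier must persist the last used counter per user.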
In Closing
As we’ve seen, the online world continues to be a dangerous place, with a new data breach being announced seemingly every day. While you shouldn’t allow these data breach stats, facts, and figures to deter you from conducting business online, they should make you more security-conscious.
Data Breach FAQs
What Was the Largest Data Breach in History?
The largest reported data breach in history spanned three years (2013 to 2016), when Yahoo! had the records of 3 billion user accounts breached. Later on, it was re-estimated that 1 billion user accounts had been affected. Then, following involvement by the United States Federal Bureau of Investigation (FBI), it was determined that all 3 billion Yahoo! accounts had been compromised in the three-year-long breach.
What Can I Do About Data Breaches?
While users are heavily dependent on companies to protect their data, there are some things you can do to safeguard your information.
Use strong and unique passwords. Password reuse is dangerous. Make sure your password is a combination of upper and lower-case characters, symbols, and numbers. Make sure to use a password manager. Password managers will generate and save secure, non-repeated passwords. In the case of a data breach, change your account password as soon as you are informed about the breach.
If your credit card or banking information has been exposed, immediately get a new account number. Make sure to stay alert for phishing calls, emails, and texts designed to steal more login or account information by using the data exposed in the data breach. Don’t click any links in emails or text messages. Instead, manually enter a known-good URL to visit a website, then contact customer service from the link on the website.
How Do Data Breaches Happen?
A data breach is when a bad actor infiltrates a target’s network, putting the victim’s data at risk. Data breaches can be local – doing something as simple as copying networked files to a USB stick or external hard drive – although most are due to hackers bypassing network security remotely, using social engineering, or a security flaw in unpatched operating systems or applications.
How Are Data Breaches Found Out?
Ideally, a data breach should be detected internally, but sadly third parties remain the main method of data breach detection. The 2017 Verizon Data Breach Investigation Report lists fraud protection, law enforcement, and third parties as the main sources of data breach detection, outnumbering internal detection methods at a nearly three-to-one rate.
Internally detecting a data breach should be as simple as putting a monitoring or auditing system in place, which would detect anything that isn’t “normal” data access. However, in many cases, a data breach is discovered by an outside firm, such as the Sonic credit card database breach that was discovered by the company’s credit card processor.
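What “anything that isn’t normal data access” looks like in practice is easiest to see on actual log lines. The Python below is an added example written for this article, not code from the original page or from any product it mentions. It parses a constructed file-access audit log (the line format, users, paths and timestamps are all made up for the example) and applies two simple rules a monitoring system would start with: access to a share outside business hours, and a user touching an unusually large number of distinct files inside a short window, the pattern of someone collecting data before copying it out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit-log format: "<ISO-8601 UTC> user=<name> action=<read|write> path=<file>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+user=(?P<user>\S+)"
    r"\s+action=(?P<action>\S+)\s+path=(?P<path>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "action": m["action"], "path": m["path"]}


def max_distinct_in_window(events, window):
    """Largest number of distinct paths touched inside any sliding time window."""
    best = 0
    for i, start in enumerate(events):
        paths = set()
        for e in events[i:]:
            if e["ts"] - start["ts"] > window:
                break
            paths.add(e["path"])
        best = max(best, len(paths))
    return best


def detect_anomalies(lines, volume_threshold=5, window=timedelta(hours=1), business_hours=(7, 19)):
    """Return (rule, user, count) alerts: off-hours access and bulk distinct-file access."""
    events = [e for e in map(parse_line, lines) if e]
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        off_hours = [e for e in evs
                     if not (business_hours[0] <= e["ts"].hour < business_hours[1])]
        if off_hours:
            alerts.append(("off-hours", user, len(off_hours)))
        peak = max_distinct_in_window(evs, window)
        if peak > volume_threshold:
            alerts.append(("bulk-access", user, peak))
    return alerts


# Constructed sample: two users with routine daytime activity, one user reading
# seven distinct HR files in under a minute at 2 a.m., and one malformed line.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice action=read path=/shares/finance/budget.xlsx
2024-03-04T10:03:44Z user=alice action=read path=/shares/finance/q1_forecast.xlsx
2024-03-04T14:20:09Z user=alice action=write path=/shares/finance/budget.xlsx
2024-03-04T11:00:00Z user=carol action=read path=/shares/hr/handbook.pdf
2024-03-04T11:05:00Z user=carol action=read path=/shares/hr/handbook.pdf
2024-03-04T11:10:00Z user=carol action=read path=/shares/hr/handbook.pdf
this line is not in the expected format and is skipped
2024-03-05T02:14:03Z user=bob action=read path=/shares/hr/payroll_2023.xlsx
2024-03-05T02:14:09Z user=bob action=read path=/shares/hr/payroll_2022.xlsx
2024-03-05T02:14:15Z user=bob action=read path=/shares/hr/employee_ids.csv
2024-03-05T02:14:22Z user=bob action=read path=/shares/hr/benefits.xlsx
2024-03-05T02:14:30Z user=bob action=read path=/shares/hr/terminations.docx
2024-03-05T02:14:41Z user=bob action=read path=/shares/hr/bank_details.csv
2024-03-05T02:14:55Z user=bob action=read path=/shares/hr/home_addresses.csv
"""

if __name__ == "__main__":
    for rule, user, count in detect_anomalies(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule:12} user={user} count={count}")
```

Carol’s repeated reads of one file and Alice’s handful of daytime accesses produce nothing; Bob’s burst trips both rules. Real deployments replace the fixed threshold with a per-user baseline learned from history and add rules for new devices, new locations and first-time access to a sensitive share, but the shape of the logic, a parser feeding a small set of explainable rules, is the same.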
When Did Data Breaches Start?
“Data breaches” have been around as long as paper. (A “data breach” back then would consist of a bad actor making off with a file folder full of printed documents.) However, the first major “modern” data breach took place in March 2005, when 1.4 million credit card records were stolen from DSW Shoe Warehouse.
In June 2005, some 40 million credit card accounts were exposed from payment card processor CardSystems Solutions.
Did Bank of America Have a Data Breach in 2020?
Bank of America Corporation disclosed an April 22 data breach that affected clients that had applied for the U.S. Small Business Administration’s Paycheck Protection Program (PPP). The breach allowed other SBA-authorized lenders and their vendors to view Bank of America clients' information.
While Bank of America didn’t disclose exactly how many clients were affected by the breach, over 305,000 PPP relief applications have been processed by Bank of America with the SBA.