Average Cost of a Data Breach Rises to $4.88M; Falls to $9.77M in Healthcare
The average cost of a data breach has risen to $4.88 million, with the highest breach costs at critical infrastructure entities; the costliest breaches of all were at healthcare organizations. Healthcare data breach costs fell by 10.6% year-over-year, from $10.93 million in 2023 to $9.77 million in 2024. The reduction was not enough for healthcare to lose its place at the top of the list of the costliest breaches, a position the sector has held since 2011.
The 10% increase in average data breach costs was the largest annual increase since the pandemic, with the rise attributed to increasingly disruptive cyberattacks and higher post-breach customer support costs. The disruption is extending the after-effects of breaches: only 12% of breached organizations reported a full recovery, and for most of those, full recovery took longer than 100 days. According to IBM, in 2024, 70% of breached organizations reported suffering significant or very significant disruption due to a breach, and 63% of breached organizations reported passing data breach costs on to customers, up from 57% last year.
This is the 19th year that IBM has released its annual Cost of a Data Breach Report, which is based on independently conducted research by the Ponemon Institute. The IBM 2024 Cost of a Data Breach Report is based on a study of 604 organizations in 17 industries and 16 countries/regions that suffered a data breach between March 2023 and February 2024. In addition to the survey, interviews were conducted with 3,556 security and C-suite business leaders who had firsthand knowledge of data breaches at their organizations. The breaches ranged from 2,100 to 113,000 compromised records, with mega data breaches of 1 million+ records treated separately. IBM reports that even the smallest mega breaches saw costs of 9 times the global average.
The biggest contributory factors to the double-digit increase in data breach costs were the rising costs of lost business, operational downtime, and post-breach response, which are up 11% year-over-year. Other factors that contributed significantly to the rise in costs were customer loss, staffing customer service helpdesks, and increases in regulatory fines. These costs alone reached an average of $2.8 million, the highest they have been in the past 6 years.
One of the main problems faced by organizations is the cyber skills shortage. More than half of breached organizations had severe security staff shortages, and the problem is getting worse, with a double-digit (26.2%) increase in the skills gap since 2023. The lack of skilled staff is pushing data breach costs higher, adding an average of $1.76 million to breach costs. With the global cybersecurity skills shortage continuing, one of the main ways organizations are addressing the gap is by using Gen AI security tools to increase productivity and efficiency.
Organizations are increasingly leveraging AI and automation across their security operations centers. Two out of three surveyed organizations said they are leveraging AI, a 10% increase from 2023. AI and automation tools have a major impact on breach costs. When they were extensively deployed across prevention workflows, including attack surface management (ASM), red teaming, and posture management, they resulted in average breach cost savings of $2.2 million. Employee training was also vital for reducing costs, especially for preventing and responding to phishing attempts, followed by Security Information and Event Management (SIEM), incident response planning, and encryption.
“Businesses are caught in a continuous cycle of breaches, containment and fallout response. This cycle now often includes investments in strengthening security defenses and passing breach expenses on to consumers – making security the new cost of doing business,” said Kevin Skapinetz, Vice President, Strategy and Product Design, IBM Security. “As generative AI rapidly permeates businesses, expanding the attack surface, these expenses will soon become unsustainable, compelling businesses to reassess security measures and response strategies. To get ahead, businesses should invest in new AI-driven defenses and develop the skills needed to address the emerging risks and opportunities presented by generative AI.”
This year’s report looked at several new areas, one of which is data located in unmanaged locations (shadow data), which is much harder to track and safeguard. Data stored across environments accounted for 40% of breaches, and those breaches took longer to identify and contain and resulted in a 16% increase in breach costs compared to data contained in a single environment.
The Federal Bureau of Investigation (FBI) encourages victims of cyberattacks and data breaches to notify their local FBI field office quickly after an attack, as the assistance provided can be invaluable. This year, IBM looked at the costs of data breaches at organizations that had notified law enforcement. Organizations that brought in law enforcement saved an average of $1 million in data breach costs, not including any ransom paid. In addition to those cost savings, 63% of organizations that involved law enforcement were able to avoid paying a ransom. Law enforcement involvement also shortened the average time to identify and contain a breach from 297 to 281 days.
The highest breach costs were for malicious attacks by insiders, which cost an average of $4.99 million, with business email compromise ($4.88 million), phishing ($4.88 million), stolen or compromised credentials ($4.81 million) and social engineering ($4.77 million) also ranking among the costliest. The most common initial access vector was stolen credentials, which were used for access in 16% of breaches. These attacks took the longest to identify and contain (292 days). Phishing attacks took an average of 261 days to identify and contain, and social engineering attacks took an average of 257 days.
Breach costs were much higher ($5.53 million) when the breach was disclosed by the attacker. In these attacks, the damage had already been done and the attacker had achieved their objectives, which typically involved extensive data theft and data encryption. These attacks took longer to detect and contain (289 days), although this was significantly shorter than last year (320 days). Overall, the time to identify and contain a breach fell to a 7-year low of 258 days, from an average of 277 days in 2023.