Share this article on:
The 2020 Cost of Data Breach Report from IBM Security has been released and reveals there has been a slight reduction in global data breach costs, falling to $3.86 million per breach from $3.92 million in 2019 – A reduction of 1.5%.
There was considerable variation in data breach costs in different regions and industries. Organizations in the United States faced the highest data breach costs, with a typical breach costing $8.64 million, up 5.5% from 2019.
COVID-19 Expected to Increase Data Breach Costs
This is the 15th year that IBM Security has conducted the study. The research was conducted by the Ponemon Institute, and included data from 524 breached organizations, and 3,200 individuals were interviewed across 17 countries and regions and 17 industry sectors. Research for the report was conducted between August 2019 and April 2020.
The research was mostly conducted before the COVID-19 pandemic, which is likely to have an impact on data breach costs. To explore how COVID-19 is likely to affect the cost of a data breaches, the Ponemon Institute re-contacted study participants to ask their views. 76% of respondents believed the increase in remote working would increase the time taken to identify and contain a data breach and 70% said remote working would increase the cost of a data breach. The average cost increase due to COVID-19 was calculated to be $137,000.
Healthcare Data Breaches are the Costliest
Healthcare data breaches were the costliest to resolve. The average cost of a healthcare data breach is $7.13 million globally and $8.6 million in the United States. The total cost of a data breach may have fallen across all regions and industry sectors, but healthcare data breach costs have increased by 10.5% year-over-year.
The global average cost of a breach per record is $146, which increased to $150 per record when PII was breached, and $175 per record where PII was breached in a malicious attack.
It took an average of 280 days to detect and contain a breach, and 315 days to detect and contain a malicious attack, with each increasing by 1 day from 2019. In the United States it took an average of 186 days to identify a data breach and 51 days to contain the attack. Healthcare industry data breaches took the longest to identify (236 days) and contain (93 days) – 329 days.
The costs of a data breach are spread over several years, with 61% of costs experienced in the first year, 24% in the second year, and 15% in the third year and beyond. In highly regulated industries such as healthcare, the percentages were 44% (year 1), 32% (year 2), and 21% (year 3+).
For the third year, IBM Security calculated the costs of mega data breaches – those involving more than 1 million records. A breach of 1 million to 10 million records cost an average of $50 million, breaches of 10 million to 20 million records cost an average of $176 million, and a breach of 50 million records was calculated to cost $392 million to resolve.
Most Common Causes of Malicious Data Breaches
Malicious attacks were the most numerous and were most due to cloud misconfigurations and compromised credentials, with each accounting for 19% of breaches. Vulnerabilities in third-party software was cited as the breach cause in 16% of incidents, following by phishing (14%), physical security compromises (10%), malicious insiders (7%), system errors and other misconfigurations (6%), and business email compromise attacks (5%). Breaches involving compromised credentials were the costliest, followed by breaches due to vulnerabilities in third-party software and cloud misconfigurations.
53% of attacks were financially motivated, 13% were attributed to nation state hacking groups, and 13% were caused by hacktivists. The threat actors behind 21% of the breaches were unknown. Financially motivated attacks were the least expensive, with a global average cost of $4.23 million and the most expensive were attacks by nation state hackers, which cost an average of $4.43 million. The average cost of a malicious attack was $4.27 million. Destructive data breaches involving ransomware cost an average of $4.4 million and destructive malware, including wipers, cost an average of $4.52 million.
In healthcare, 50% of data breaches were due to malicious attacks, 23% were due to system glitches, and 27% were caused by human error.