Data is rapidly becoming one of the most valuable assets in the modern world. The digital giants that monopolize data are arguably the most powerful companies in the world, prompting ongoing conversations about anti-trust legislation and digital privacy.
Despite the overwhelming value controlled by these entities, as we'll see, even companies such as Facebook are vulnerable to the byproduct of the rapid move to digitization – the data breach epidemic.
More and more companies are experiencing devastating security breaches.
Data breach statistics show us that cybercriminals are sophisticated and highly motivated by the rewards that come from financial and personal data.
It's also apparent that most companies are not prepared for a data breach, even as breaches become more common.
We've compiled 116 data breach statistics for 2020 that cover types of data breaches, industry trends, risks, costs, as well as how to prevent them. We hope this will help you understand the importance of data security and why so many companies are allocating more of their budgets to preventing data breaches.
What is a Data Breach?
The U.S. Department of Justice defines a breach as “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, access for an unauthorized purpose, or other unauthorized access, to data, whether physical or electronic.” Data breaches, according to a recent study by IBM and the Ponemon Institute, have an average cost of nearly $4 million globally.
Data breaches commonly involve financial information like credit card or bank account details, protected health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property. Other terms for data breaches include unintentional information disclosure, data leak, cloud leak, information leakage, or a data spill.
While the first thing you may think of when you hear "data breach" is a situation involving cybercriminals and sophisticated cyber attacks, careless disposal of computer equipment, human error, or a poorly configured S3 bucket are also common causes.
Read our full post on data breaches to learn more.
The Origin of Data Breaches
Data breaches have gained notoriety as businesses of all sizes are increasingly reliant on digital data, cloud computing, and a mobile workforce.
Not only has the number of records containing sensitive data increased, so has the average organization's attack surface. Sensitive data is stored on local machines, in enterprise databases, on cloud servers, and with third-party vendors.
This is why preventing data breaches through attack surface management and vendor risk management has become a top priority for CISOs and senior management including at the Board level.
With that said, data breaches didn't start when organizations began to store their data digitally. In fact, data breaches have existed for as long as individuals and companies have maintained records.
According to the Office of Inadequate Security website, in 1984 the global credit information corporation known as TRW (now called Experian) was hacked and 90 million records were stolen.
Before computing became common, a data breach could be something as simple as viewing an individual's medical details without authorization or finding sensitive documents on a desk instead of in a drawer.
However, the introduction of general data protection laws and data breach notification laws now means that regulatory and reputational costs are significantly higher than in the past.
Laws and regulations like HIPAA, PCI-DSS, GDPR, CCPA, FIPA, the SHIELD Act, and LGPD have created guidelines for organizations handling certain types of sensitive information.
These regulations provide a framework for the required safeguards, storage, use, and handling practices for sensitive information, but they don't exist in all industries, nor do they stop all data breaches from occurring.
Because of this, most information about the number of data breaches and their impact focuses on the period from 2005 to the present, largely because the advancement of technology and the proliferation of electronic data have greatly increased the total number of individuals impacted.
Today's data breaches often impact millions - even billions - of individuals.
How Do Data Breaches Occur?
Data breaches occur when cybercriminals are able to gain unauthorized access to sensitive data. This can be achieved through physical access, or by bypassing security controls remotely.
Cybercrime is a profitable industry that continues to grow, largely due to the distributed nature of the Internet and the ability to attack targets outside of their jurisdiction, which makes policing it difficult.
While most data breaches are attributed to cyberattacks or malware, other common causes include insider leaks, identity theft, payment card fraud, loss or theft of physical assets, misconfiguration, and human error.
Ten common ways that data breaches can occur:
- Vulnerabilities: An exploit takes advantage of software bugs or vulnerabilities to gain unauthorized access to a system or its data. Vulnerabilities are found by criminals and cybersecurity researchers alike and it's often a race to see who can find them first. Cybercriminals want to find vulnerabilities to exploit and install malware. Researchers want to find and report vulnerabilities to hardware and software manufacturers to have them patched. Cybercriminals may even package up multiple exploits into automated exploit kits to make it simple for criminals with no technical knowledge to take advantage of common vulnerabilities. Read our full post on vulnerabilities to learn more.
- Ransomware attacks: Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware spreads through phishing emails, malvertising, visiting infected websites, or by exploiting vulnerabilities. One famous example of ransomware is the WannaCry ransomware. Read our full post on ransomware to learn more.
- SQL injection (SQLI): A form of cyber attack against a web application that builds SQL queries by concatenating untrusted input. A crafted input is interpreted by the database as part of the query, so the application returns, modifies, or deletes data it never intended to expose. Basic SQLI attacks require minimal technical knowledge, and, like automated exploit kits, cybercriminals often automate them; the standard defense is parameterized queries (prepared statements) rather than string formatting.
- Spyware: Spyware is malware that infects your computer or network to steal personal information, Internet usage, or any other sensitive data it can acquire. You might install spyware by opening an email attachment or by installing what seems to be a benign application (bundleware). Alternatively, spyware can be installed on your computer as a secondary infection from a Trojan horse. Once spyware is installed, your data is sent back to the command and control servers run by the cybercriminals. Read our full post on spyware here.
- Phishing: Phishing attacks are a form of social engineering that aims to manipulate emotions or trick you into revealing sensitive information like usernames or passwords. A typical phishing attack is a spoofed (fake) email that looks like it's coming from the CEO of the company you work for. The email will contain aggressive or demanding language and require action like logging into a web page, verifying a payment, or making a purchase. Clicking any links in the email or downloading any attachments could result in your login credentials being stolen or the installation of spyware as mentioned above. SMS and social media attacks are becoming increasingly common too. More targeted forms of phishing are called spear phishing or, when aimed at executives, whaling. Read our full guide on phishing.
- Insecure passwords: Passwords that are easy to guess, such as dictionary words or common passwords, make it easy for cybercriminals to gain access to sensitive information. Your organization should enforce secure passwords and multi-factor authentication for any systems that contain sensitive information. To learn more about what makes a password secure, see our password security checklist.
- Broken or misconfigured access controls: Even the best passwords and cybersecurity can be undone by poor configuration. For example, your organization may enforce secure passwords and two-factor authentication but have a poorly configured S3 bucket that is open to anyone on the Internet without a password. Check your S3 permissions or someone else will. If you're not secure by design, a cybercriminal using a few Google searches could find publicly listable buckets and download their contents.
- Physical theft: Criminals may steal your computer, smartphone or hard drive to gain access to your sensitive data that is stored unencrypted.
- Denial of service (DoS): Occurs when a machine or network resource is made unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. This is typically achieved by flooding the targeted machine or resource with bogus requests in an attempt to overload the system and prevent some or all legitimate requests from being served. A DoS attack does not itself disclose data, but it attacks availability, which is why it is listed alongside breaches.
- Third-party vendor breaches: Criminals can target third-party business partners or service providers to gain access to large organizations that may have sophisticated cybersecurity standards internally but a poor third-party risk management framework.
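To make the SQL injection item above concrete, here is an added example (not code from the original page) showing a login check written the vulnerable way and the hardened way, against a constructed in-memory SQLite database. The table name, the single test account and the use of plain SHA-256 for the stored hash are assumptions made to keep the block dependency-free; a real system should use a slow, salted scheme such as bcrypt or Argon2.

```python
import hashlib
import sqlite3


def hash_password(password: str) -> str:
    # Assumption for the example: unsalted SHA-256 keeps the block stdlib-only.
    # Production code should use bcrypt/Argon2 instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database with one test account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        ("alice", hash_password("correct horse battery staple")),
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE: the username is pasted straight into the SQL text, so a quote
    in the input closes the string literal and the rest is executed as SQL."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{hash_password(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """HARDENED: placeholders send the values separately from the SQL text, so
    the database never treats them as code, whatever characters they contain."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    # "alice' --" closes the literal and comments out the password check, so the
    # vulnerable version logs the attacker in as alice with any password.
    print("vulnerable, injected:  ", vulnerable_login(db, "alice' --", "wrong"))
    print("hardened,   injected:  ", safe_login(db, "alice' --", "wrong"))
    print("hardened,   real creds:", safe_login(db, "alice", "correct horse battery staple"))
```

The same vulnerable function also breaks on legitimate input such as the username `o'brien`, which raises a database syntax error; that crash is often the first sign in logs that an application is concatenating queries. The parameterized version accepts that username and simply returns false.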
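The "check your S3 permissions" advice in the access-controls item above is easier to act on with a concrete check. The following added example (not from the original page) evaluates the three things that together decide whether an S3 bucket is reachable by the public: its ACL, its bucket policy, and the Public Access Block settings. The inputs are constructed dictionaries in the shapes boto3 returns; the bucket name, owner ID and policy statement are placeholders, not real resources.

```python
import json

# Canonical group URIs S3 uses for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample inputs (shapes match boto3's get_bucket_acl,
# get_bucket_policy()["Policy"] and get_public_access_block()[...]).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
               "Permission": "FULL_CONTROL"}
PUBLIC_ACL = {"Owner": {"ID": "example-owner-id"},
              "Grants": [OWNER_GRANT,
                         {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER_GRANT]}
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
NO_BLOCK = {k: False for k in PAB_KEYS}
FULL_BLOCK = {k: True for k in PAB_KEYS}


def _wildcard_principal(principal) -> bool:
    """True when a statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def acl_findings(acl: dict) -> list:
    """Grants to the AllUsers or AuthenticatedUsers groups make the bucket public."""
    out = []
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        if g.get("Type") == "Group" and g.get("URI") in (ALL_USERS, AUTH_USERS):
            out.append(f"ACL: {grant['Permission']} granted to {g['URI'].rsplit('/', 1)[-1]}")
    return out


def policy_findings(policy) -> list:
    """Allow statements with a wildcard principal. Statements carrying a Condition
    are still reported (conservatively treated as public until reviewed)."""
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    out = []
    for s in [statements] if isinstance(statements, dict) else statements:
        if s.get("Effect") != "Allow" or not _wildcard_principal(s.get("Principal")):
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        tag = " (has Condition, review manually)" if "Condition" in s else ""
        out.append(f"Policy: Allow {', '.join(actions)} to Principal * on {s.get('Resource')}{tag}")
    return out


def assess_bucket(acl: dict, policy, public_access_block: dict) -> dict:
    """Combine ACL, policy and Public Access Block. Per AWS semantics,
    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    neutralises a public bucket policy, so only the unblocked findings count."""
    acl_f, pol_f = acl_findings(acl), policy_findings(policy)
    effective = []
    if not public_access_block.get("IgnorePublicAcls"):
        effective += acl_f
    if not public_access_block.get("RestrictPublicBuckets"):
        effective += pol_f
    return {"public": bool(effective), "findings": acl_f + pol_f, "effective": effective}


if __name__ == "__main__":
    for label, pab in (("no block", NO_BLOCK), ("full block", FULL_BLOCK)):
        print(label, assess_bucket(PUBLIC_ACL, PUBLIC_POLICY, pab))
```

To run this against real buckets, feed it the results of `get_bucket_acl`, `get_bucket_policy` (pass `None` when the call raises `NoSuchBucketPolicy`) and `get_public_access_block` (treat `NoSuchPublicAccessBlockConfiguration` as all four flags off), and check the account-level block from S3 Control as well, since it overrides the bucket setting. Two caveats: individual object ACLs can be public even when the bucket ACL is clean, and a wildcard policy limited by a `Condition` such as `aws:SourceVpce` may be intentional, which is why the example flags rather than ignores it.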
Historical Data Breach Statistics
The most well-known security incidents were recorded from 2005 onwards, because the Privacy Rights Clearinghouse began recording known data breaches in 2005. Since then over 9,000 have been recorded; however, the actual number of data breaches is likely much higher, as the Clearinghouse sources most of its data from state Attorneys General and the U.S. Department of Health and Human Services, and these sources only cover incidents involving U.S. citizens.
Below we have provided a list of data breach statistics that led up to and launched the age of the data breach.
- In the early 1970s, the first known computer virus, the Creeper virus, was detected on ARPANET, a US military computer network that was the forerunner to the Internet (Viruslist.com)
- The Privacy Rights Clearinghouse began its chronology of data breaches in 2005. (Symantec)
- In 2005, DSW Shoe Warehouse suffered the first data breach exceeding one million records. (NBC)
- Dongfan ''Greg'' Chung was charged with the longest known insider attack, which ran from 1976 to 2006 and resulted in the theft of $2 billion worth of aerospace documents from Boeing. (FBI)
- The first recorded mention of phishing is found in the hacking tool AOHell (according to its creator) in 1995, which included a function for attempting to steal the passwords or financial details of America Online users. (Mercury News)
- 25% of data requiring security was unprotected in 2015. (Statista)
- In September 2017, Equifax, one of the three largest consumer credit reporting agencies in the United States, announced that its systems had been breached and the sensitive personal data of 148 million Americans had been compromised. The data compromised included names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers. (Los Angeles Times).
- Two-thirds of the people online have had their records stolen or compromised by bad actors by 2018. (CSIS)
- Identity theft is the most common type of data breach incident, accounting for 59 percent of all global data breach incidents in 2016. (Statista)
- Over the past ten years, over 300 data breaches have involved the theft of 100,000 or more records. (Forbes)
- In 2019, the United States had 1,473 reported data breaches involving 164.68 million exposed records. (Statista)
- In the first six months of 2019, more than 3,800 publicly disclosed breaches exposed over 4 billion records. (Forbes)
- The World Economic Forum believes that large-scale cyber attacks are the fifth biggest risk facing our world. (World Economic Forum)
Biggest Data Breaches Statistics
Data breaches are becoming more common and more damaging and some of the most recent data breaches have been the largest recorded. Here's a look at the largest data breaches in history.
- Yahoo holds the record for the largest data breach with an estimated 3 billion user accounts impacted. An investigation revealed that users' passwords in clear text, payment card data and bank information were not stolen. (The New York Times)
- Aadhaar, India's biometric database, which contains the personal data of almost every citizen (~1.1 billion people) was exposed in a security breach. (The Washington Post)
- First American Corporation leaked approximately 885 million sensitive customer financial records. (KrebsOnSecurity)
- Verifications.io exposed data across 763 million records including email address, name, gender, IP address, phone number and other personal information. (Data Breach Today)
- In 2019, 540 million Facebook user records were found exposed on publicly accessible Amazon cloud storage. (UpGuard)
- Yahoo announced in 2014 that the account information of at least 500 million users was stolen, including names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions by what was believed to be a "state-sponsored actor". (The New York Times)
- In November 2018, Marriott International announced that hackers had stolen data about approximately 500 million Starwood hotel customers. (The New York Times)
- In October 2016, hackers collected 20 years of data and 412.2 million accounts from six databases that included names, email addresses and passwords for The Adult Friend Finder Network. (The Washington Post)
- In June 2013, ~360 million Myspace accounts were compromised by a Russian hacker, but the incident was not disclosed until 2016. (TechCrunch)
- In June of 2018, Florida-based marketing and data aggregation firm Exactis exposed a database containing nearly 340 million records on a publicly accessible server. (Wired)
- In May of 2018, social media giant Twitter notified 330 million users of a glitch that stored passwords unmasked in an internal log, making all user passwords accessible to the internal network. (CBS)
Read our post on the 36 biggest data breaches of all time.
Recent Data Breaches and Statistics
With over 2,000 confirmed data breaches in 2019 and hundreds in 2020, we've outlined some of the most recent and impactful data breaches over the last two years, chosen for both recency and the sensitivity of the information compromised.
- On February 26, 2020, it was revealed that Clearview AI, a facial-recognition company that contracts with powerful law-enforcement agencies, had its entire client list stolen; the company's database of over 3 billion scraped photos was reported not to have been accessed. (Daily Beast)
- On February 20, 2020, UpGuard researchers disclosed that a collection of data sets detailing the purchasing habits and consumer behavior of over 120 million Americans had been exposed before being secured. (UpGuard)
- On January 27, 2020, a popular fraud bazaar known as Joker's Stash began selling credit card data that included more than 30 million card accounts stolen from fuel and convenience chain Wawa Inc. (KrebsOnSecurity)
- On January 21, 2020, a public-facing database containing names, including previous aliases, past and present home addresses, phone numbers, email addresses, names of relatives, and ages of approximately 56 million US residents was discovered on a server with a Chinese IP address and linked to the web-hosting company Alibaba, located in Hangzhou, China. (NJCCIC)
- On May 24, 2019, online graphic design tool Canva suffered a data breach that impacted 137 million users. The exposed data included email addresses, names, usernames, cities, and passwords stored as bcrypt hashes. (Canva)
- In July 2019, Capital One revealed that more than 100 million customer accounts, credit card applications, and Social Security Numbers were stolen. (CNN)
- In January 2019, a vulnerability disclosed by researchers could have given attackers access to millions of Fortnite accounts; at the time the game had 200 million users, 80 million of whom were active each month. (The Washington Post)
Data Breaches by the Numbers
There are many factors to consider when assessing the cybersecurity risk of data breaches, as well as how to prepare for and manage an ongoing data breach, much of which should be accounted for in an incident response plan. Read below to see how frequently breaches happen, the average response time, and other important information.
- The average size of a data breach is 25,575 records. (IBM)
- The average time to identify a security breach is 279 days. (IBM)
- There were 31,107 incidents of reported cybercrime in the U.S. in 2018, the last year for which U.S. law enforcement agencies have information. (GAO)
- Inadvertent breaches from human error and system glitches were still the root cause for nearly half (49 percent) of data breaches. (IBM)
- The average time to contain a data breach once identified is 73 days. (IBM)
- 780,000 records are lost to hacking each day. (McAfee)
- Office applications accounted for 72.85% of exploited applications worldwide in the third quarter of 2019. (Statista)
- There was a 186% increase in the number of U.S. residents impacted by health data breaches in 2019. (Statista)
- 95 percent of breached records came from three industries in 2016: Government, retail, and technology. (Tech Republic)
- The total number of breaches in 2019 was 1,473, up from 1,257 the year before. 164.6 million records were exposed last year. (ITRC)
- 36% of breaches were in the medical or healthcare industry in 2019. (ITRC)
- The financial sector experienced 137 breaches in 2018 that exposed 1.7 million accounts (SANS)
Cost of a Data Breach Statistics
According to the 2019 Cost of Data Breach Report from Ponemon Institute and IBM Security, the global average cost of a data breach has grown by 12 percent in the last five years to $3.92 million. This was driven by the multi-year financial impact of breaches, increased regulation, and the difficult process of resolving cyber attacks.
These costs come in the form of direct and indirect expenses. Direct expenses include digital forensics, attack surface monitoring software, third-party risk management software, hotline support, monitoring subscriptions, and potential settlements. Indirect costs can include in-house data breach investigations, customer churn, and reputational damage. See just how expensive the total cost of a data breach is below.
- The average cost of a data breach globally is $3.92 million. (IBM)
- The United States has the highest cost of a data breach at $8.19 million. (IBM)
- The wealthier a country, the greater its losses to cybercrime is likely to be. (CSIS)
- Healthcare organizations have the highest average industry cost at $6.45 million. (IBM)
- Close to $600 billion, nearly one percent of global GDP is lost to cybercrime each year (McAfee)
- The average cost per lost record is $150. (IBM)
- Some estimates put the average cost of a data security breach for a major business at over $150 million by 2020, driven by the higher level of digitalization and connectivity the world has experienced over the last few years. (BigCommerce)
- Share prices of breached companies hit a low point approximately 14 market days following a breach. Share prices fall 7.27% on average and underperform the NASDAQ by 4.18%. (Comparitech)
- The average price for a Business Email Compromise hack is $24,439 per case. (Verizon)
- The average cost of lost business for organizations in the 2019 study was $1.42 million, which represents 36 percent of the total average cost. (IBM)
- While less expensive than malicious attacks, system glitches and human error breaches are still costly, with an average loss of $3.24 million and $3.5 million respectively. (IBM)
- Breaches caused customer turnover of 3.9% in 2019. (IBM)
- The total cost of a data breach for the largest organizations (more than 25,000 employees) averaged $5.11 million, which is $204 per employee. (IBM)
- The impact of a data breach is disproportionately larger for smaller organizations between 500 and 1,000 employees at an average cost of $2.65 million, or $3,533 per employee. (IBM)
- If a third party caused the data breach, the cost increased by more than $370,000, for an adjusted average total cost of $4.29 million. (IBM)
- Malware attacks are the most expensive type of attack at $2.6 million, followed by web-based attacks and denial of service attacks. (Accenture)
- For 2018, the cost of downtime associated with internet service outages caused by DDoS attacks was $221,836.80 (NETSCOUT)
- Extensive use of encryption, data loss prevention, threat intelligence sharing, and integrating security into the software development process (DevSecOps) were all associated with lower-than-average data breach costs. Among these, encryption had the greatest impact, reducing breach costs by an average of $360,000. (IBM)
- Organizations that conducted extensive testing of an incident response plan had an average total cost of a breach that was $1.23 million less than those that neither had an incident response team nor tested their incident response plan ($3.51 million vs. $4.74 million). (IBM)
- Hospitals spend 64% more on advertising after a data breach. (American Journal of Managed Care)
Data Breach Risk Statistics
The cost of a data breach statistics above highlight the value of investing in information security. See the data breach risk statistics below to understand the effects, motivations, and causes of these damaging attacks.
- 71% of breaches are financially motivated. (Verizon)
- 16% of data breaches involved Public sector entities. (Verizon)
- 43% of data breaches involved small businesses. (Verizon)
- Phishing attacks grew by 250% over the course of 2018. (SANS)
- Organized crime groups were behind 39% of breaches. (Verizon)
- 23% of breaches involved nation-state or state-affiliated actors. (Verizon)
- Nearly a quarter of data breaches are caused by human error. (IBM)
- 33% of data breaches involved social engineering. (Verizon)
- 51% of data breaches originate from malicious cyber attacks. (IBM)
- 953,800 web attacks were blocked each day in 2018. (Statista)
- In 2018, the first DDoS attack above 1 Tbps in size occurred, and a few days later, a 1.7 Tbps attack occurred. (NETSCOUT)
- Training employees how to recognize and defend against cyber attacks is the most underspent sector of the cybersecurity industry. (Herjavec Group)
- Attacks against SaaS services were up from 13% in 2017 to 41% in 2018. (NETSCOUT)
- 66% of organizations say it's difficult to retain cybersecurity talent. (ISACA)
- Criminals can earn $2.2 million per month by stealing 10 sets of credit card details from each compromised site. (Symantec)
- 4,800+ unique websites are compromised by formjacking each month. (Symantec)
- 67% of all breaches are caused by credential theft, errors, and social engineering. (Verizon)
- 58% of breaches involve personal data, almost double from a year ago. (Verizon)
- 43% of breaches involve web application, twice as much as last year. (Verizon)
- 27% of malware breaches involve ransomware. (Verizon)
- 17% of breaches resulted from errors, double the amount from the previous year. (Verizon)
- 70 million records were stolen or leaked from poorly configured S3 buckets. (Symantec)
- Supply chain attacks grew by 78% in 2018. (Symantec)
- A cyberattack occurs every 39 seconds. (University of Maryland)
Projections for Data Breaches
Data security is a rapidly evolving field, so it's vital to stay informed about potential data loss issues. Below are some cybersecurity projections for the coming years.
- 29.6% of companies will experience a data breach in the next two years. (IBM)
- The costs associated with deepfake scams are going to exceed $250 million in 2020. (Forrester Research)
- A business will fall victim to a ransomware attack every 11 seconds in 2021. (Herjavec Group)
- Global spending on cybersecurity will exceed $1 trillion cumulatively for the 5 year period from 2017-2021. (Herjavec Group)
- Cybercrime to cost $6 trillion by 2021. (Herjavec Group)
- A top cloud vendor will suffer a data breach compromising the sensitive information of hundreds of Fortune 1000 companies. (Experian)
- Attackers will focus on biometric hacking and exposing vulnerabilities in touch ID sensors, facial recognition, and passcodes. (Experian)
- Data privacy concerns will lead one in five enterprise customers to safeguard their data from AI. (Forrester Research)
- 69% of security professionals agree that staying ahead of attackers is a constant battle and the cost is unsustainable. (Accenture)
- A major wireless carrier will be attacked, stealing personal information from millions of consumers and possibly disabling all wireless communications in the United States. (Experian)
- Skimming isn’t new but the next frontier is an enterprise-wide attack on a national network of a major financial institution, which can cause millions in losses. (Experian)
- Games will be used to gain access to computers and personal data of trusting players. (Experian)
- A growing pool of insecure IoT devices suggests that IoT botnets will continue to thrive. At the same time, protecting public and open recursive DNS resolvers from abuses that amplify attack traffic is becoming an impossible mission, while easy access to DDoS-for-hire services allows relative novices to launch massive attacks very cost effectively. (Nexusguard)
Data Breach Insurance Types
In order to reduce the cybersecurity risk that comes along with data loss, many companies are now investing in data breach insurance. Data breach insurance can help cover the costs associated with breaches.
If you intend to invest in cybersecurity insurance, consider investing in a security ratings tool first as many cyber insurers use these tools to assess the risk of underwriting and to better price their insurance policies as they help insurers gain visibility into the security posture of those they insure. Read our post on security ratings for more information.
There are two common types of data breach insurance:
- First-party insurance: Covers things like investigation costs, notifying impacted parties, fielding inquiries, and tools to help affected parties.
- Third-party insurance: Used by contractors and IT professionals to lessen their personal liability. Covers expenses like lawyers' fees, settlements, judgments and liability, and other court fees.
Below are a few statistics highlighting the growing necessity for cyber insurance.
- Cyber risk is the number one concern for risk managers in the United States. (Actuary)
- 75% of organizations globally have purchased cyber liability insurance. (Statista)
- The value of cyber insurance premiums worldwide is expected to be $20 billion in 2025. (Statista)
- 64% of large entities who purchased cyber insurance in the United States in 2018 did so for risk transfer. (Statista)
How to Prevent Data Breaches
Data breaches occur when information security and data security are compromised, resulting in sensitive information, personal information or other sensitive data being exposed, copied, transmitted, viewed, stolen or used by people with unauthorized access.
Cyber attacks, social engineering and phishing, ransomware and other types of malware, physical theft of hard drives, slow vulnerability assessment and patching cadence, bad information security policies, poor security awareness training, and a lack of general cyber security measures can all result in data loss and data breaches.
This is why many organizations are investing in preventative measures to prevent data breaches, like attack surface management and third-party risk management.
Learn more about where companies are investing with these statistics.
- 63% of organizations that have experienced a data breach are implementing biometric authentication. (Veridium)
- 80% of organizations planned to increase their security spending in 2018. (451 Research)
- 7 percent cited information security as the largest budgetary increase area in 2018. (451 Research)
- Worldwide information security spending to exceed $124 billion in 2019. (Gartner)
- Global IT Spending Forecast to Total $3.9 Trillion in 2020. (Gartner)
- U.S. President’s Budget Includes $18.8 Billion in Cyber Security Funding for FY 2021. (Whitehouse)
- Information security spending forecast to surpass $151 billion in 2023. (IDC)
- Costs associated with insider threat prevention and investigations increased by 60% since 2017. (Ponemon Institute)
Data Breaches Statistics FAQs
Below are the most frequently asked questions about data breaches supported by statistics.
How Many Data Breaches Have Occurred?
The Privacy Rights Clearinghouse keeps a database of security breaches impacting Americans since 2005, which includes 9,016 breaches. The real number is likely orders of magnitude higher, as their data doesn't include unreported breaches or breaches that don't involve U.S. citizens.
What Was the Biggest Data Breach?
Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised 1 billion accounts. In this instance, security questions and answers were also compromised, increasing the risk of identity theft. The breach was first reported by Yahoo while in negotiations to sell itself to Verizon, on December 14, 2016, and forced all affected users to change passwords, and to reenter any unencrypted security questions and answers to make them encrypted in the future.
However, by October of 2017, Yahoo changed the estimate to 3 billion user accounts. An investigation revealed that users' passwords in clear text, payment card data, and bank information were not stolen. Nonetheless, this remains one of the largest data breaches of this type in history.
To learn about the other large data breaches, read our post on the biggest data breaches of all time.
How Many Data Breaches Were There in 2019?
The Verizon Data Breach Investigations Report 2020 analyzed 3,950 confirmed breaches from 2019. (Verizon)
What is the Average Cost of a Data Breach?
The average cost of a data breach in 2019 was $3.92 million. (IBM) Read our post on the average cost of a data breach for more in-depth analysis.
How Much Does a Data Breach Cost Per Record?
The average cost per lost record is $150. (IBM)
What is the Average Size of a Data Breach?
The average size of a data breach is 25,575 records. (IBM)