Updated in February 2021.

Living in the modern world means integrating technology into almost every aspect of our lives. Our relationship with technology makes us highly susceptible to hacking.

This vulnerability extends from our phones, personal and work computers, transportation, banks, and credit card purchases to every smart device in our homes and workplaces.

Why are Data Breaches and Cybersecurity Breaches a Growing Concern?

Internet users and consumers might not be concerned enough about the threat of hacking, but we are far from safe. It is estimated that there is a hacking attack every 39 seconds.

Large companies and federal departments such as The US Office of Personnel Management (OPM), Anthem Blue Cross, Yahoo, Uber, Quora, Facebook, Cathay Pacific, Marriott International, Equifax, LinkedIn, etc. have all experienced cyber threats in the past few years. No one is immune.

The complexity and frequency of data breaches are increasing. Many major breaches attacked high profile companies in the US, Europe, and Australia. To counter this, new legislation was introduced in affected countries, aimed at changing the rules related to threat time frames and user notification.

This article presents a comprehensive picture of cybercrimes and data breaches, something which affects customers, social network users, and companies alike. Information is presented in a series of points, covering the most critical cybersecurity statistics for 2019-21.

data breach stats

Costs of a Data Breach

A single data breach can have immense implications on a business. Enterprises lose billions in attacks and subsequent lawsuits. A smaller sized-company could be put out of business due to a single breach.

Below are some statistics that show how costly data breaches are:

  • The average cost of a data breach currently sits at $3.86 million. That number rises to $8.64 million if you only analyze the USA. [IBM]
  • Worldwide cybercrime costs will hit $6 trillion annually by the end of 2021. That number will rise to $10.5 trillion annually by 2025. [Cybersecurity Ventures]
  • Remote work increased the average breach cost by $137,000. [IBM]
  • The average cost per lost or stolen record per individual is $146. [IBM]
  • The average ransomware payment rose 33% since 2020 and now sits at $111,605. [Fintech News]
  • By the end of 2021, ransomware damages will reach a total of $20 billion, 57x greater than the damages in 2015. On average, there is a ransomware attack on a business every 11 seconds in 2021. [Arcserve]
  • The average price for a Business Email Compromise hack is $24,439 per case. [Verizon]
  • The average cost of a malware attack sits at $2.6 million. [Accenture]
  • In 2020, phishing accounted for 1 in every 4.200 emails. Every minute, companies lose $17,700 due to a phishing attack. [Symantec]
  • The average cost of information loss, the most expensive aspect of a cyber attack, is $5.9 million. [Accenture]

Data Breach Numbers and Risks

The 2019 Thales Data Threat Report – Global Edition issued by Zurich Insurance, found that rapid digitalization and the Internet of Things has expanded the connectivity of the developed world and its infrastructure.

To keep up with rapidly developing technologies, many companies are investing in their service usability. Chasing greater competitiveness, they are migrating to cloud or multi-cloud environments quickly. This can make data very difficult to secure, states the Threat Report.

Most organizations are finding it hard to control security breaches and implement strong safety measures. It’s even harder for smaller and mid-sized companies who, due to budget constraints or lack of staff, are more vulnerable to attack. Here are the data breach statistics that put the current cybersecurity landscape into perspective:

data breach statistics
  • Over 95% of all data breaches are a result of a human error. [Cybint]
  • Phishing attacks account for over 80% of all reported security incidents. [CSO Online]
  • Data breaches compromised 36 billion records in the first half of 2020. [RiskBased]
  • Over 30% of all data breaches involve an internal actor. [Verizon]
  • Healthcare organizations were the target of 15% of all breaches in 2020, while the financial industry and the public sector suffered 10% and 16% of breaches respectively. [Verizon]
  • In 47% of all financial breaches, the victim is a bank. [Fortunly]
  • Increasingly more malware attacks (25.7%) are targeting global financial services and banks. [Intsights Cyber Intelligence]
  • Companies in the United States have the highest risk of data breaches. [Statista]
  • Almost 41% of US-based companies allow employees unrestricted access to sensitive data. [Varonis]
  • 88% of businesses with over 1 million folders do not limit employee access to company files. [Varonis]
  • The number of reported cybercrimes accounts for only 10-12% of the actual number of cyber attacks. [FBI IC3]
  • Personal data was the target in 58% of breaches in 2020. [Verizon]
  • Organizations with up to 250 employees have the highest malicious email rate (1 in 323). [Symantec]
  • A typical user has a 27.9% chance of experiencing a data breach that could affect a minimum of 10,000 records. [Security Intelligence]
  • 68% of business leaders think their cybersecurity risks are growing in 2021. [Accenture]
  • An average IoT device experiences 5,200 breach attempts every month. [Symantec]

Business Continuity Plan

Having a Business Continuity Plan (BCP) is critical in case of a data breach. A plan outlines the type of data being stored, where it’s stored, and what the potential liabilities of recovery actions. AON’s 2019 Cyber Security Risk Report discovered that most organizations do not have a BCP.

The usual cause of a breach is criminal activity or human error, or a mix of both. But the most common cause is the failure of organizations to prepare and do assessments in advance to identify weaknesses. Taking care of weak passwords, improper configuration, untrained staff, and outdated OSs can all prevent attacks.

Incident Response

A BCP requires an effective cyber incident response plan. This refers to an organized approach that addresses, manages, and rectifies the damages in the aftermath of a cyber-attack or data breach.

  • More than 77% of companies do not have an incident response plan. [Cybint]
  • The average lifecycle of a data breach (from identification to containment) in 2020 was 280 days. [IBM]
  • In 2020, the average time organizations took to discover a data breach was 207 days. [IBM]
  • Companies that contain a data breach in less than 30 days save over $1 million annually. [IBM’s Ponemon Institute]

Largest Data Breaches in History

The number of data breaches has been steadily increasing since 2013, with an estimated 14,717,618,286 cases where data has been either stolen or lost. Below are some of the most prominent examples of data breaches recorded in recent years.

  • Target in 2013: The data breach was carried out via malicious software installed on machines used by customers to pay with their cards. A total of 110 million Target accounts were compromised. [Forbes]
  • E-Bay in 2014:The data breach was carried out using stolen login credentials from a small number of employees. A total of 145 million eBay accounts were compromised. [Business Insider]
  • Anthem Inc. in 2015: The data breach was carried out by hackers after they infiltrated the company server. A total of 37.5 million personally identifiable records of customers were stolen. [Threatpost]
  • Yahoo! in 2013/2014: One of the most significant data breaches occurred in 2013-2014, where Yahoo’s 3 billion accounts got compromised. It was a coordinated attack by an organized, unidentified cyber-criminal organization. [REUTERS]
  • AOL in 2003: An estimated 92 million customer accounts were compromised after Jason Smathers, a 24-year-old AOL software engineer, caused the security breach. [WIRED]
  • Quora in 2018: The data breach was caused due to unauthorized access by a malicious third party. One hundred million user accounts were compromised. [Quora]
  • Facebook in 2018: This data breach was caused after hackers exploited a vulnerability in Facebook’s “View As” code. They were left with 50 Million compromised accounts. [The Guardian]
  • Marriott International in 2014/2018: The breach occurred due to unauthorized access to the guest’s information database. As a result, over 500 million user accounts were compromised. [Forbes]
  • Uber in 2016: Attackers, in this case, obtained credentials and accessed Uber’s cloud servers. They then got access to sensitive user information. As a result, more than 57 million users and driver accounts were compromised. [TechCrunch]
  • Equifax in 2017: The data breach occurred as a result of a vulnerability in the open-source software used to access its servers. As a result, the personal information of 143 million consumers was exposed. [Forbes]
  • Aadhar Data breach in 2018: The Indian Government’s national ID database, which stores “Aadhar” information, succumbed to a cyber-attack in March 2018. The personal data of over 1.5 billion Indian citizens, including phone numbers, addresses, ID numbers, etc., were left exposed on the web. Experts have labeled this as one of the worst data breaches of all time. [TechCrunch]
  • Marriott International in 2020: A security breach affected data of more than 5.2 million hotel guests of Marriott International. [Marriott]
infographic of big data breaches
Statistics provided by Ana Bera, co-founder of safeatlast.co

Click here to see the full infographic!

We’re experiencing exponential growth of the cloud and IoT applications, such as connected health devices, house or child monitoring equipment, and smart cars. This growth is giving birth to new forms of cybercrime since more devices are now hackable.

The rise of the cloud is also influencing cyberattack trends. In only 2 years, the total data stored in the cloud – which includes everything from public clouds operated by third-party vendors, government-owned clouds, social media companies, and private clouds – will be a hundred times greater than today.

Here are the most interesting (and alarming) data breach trends in recent years:

  • Since COVID-19, the FBI announced a 300% increase in reported cybercrimes. [IMCGrupo]
  • Attacks related to COVID-19 are responsible for a 238% rise in attacks on banks in 2020. [Fintech News]
  • An estimated 4,000,000 DDoS attacks were reported monthly in the last few years. [Caliptix Security]
  • By 2023, the total number of DDoS attacks across the world will hit 15.4 million. [Cisco]
  • Cloud-based cyber attacks grew 630% between January and April 2020. [Fintech News]
  • Only 12% of breaches target public cloud environments. 37% of decision-makers believed that heightened security made the migration to the public cloud vital to future success. [Forrester]
  • The top malicious email attachment types are .doc and .dot (37%). The next highest is .exe (19.5%). [Symantec]
  • Over 94% of all malware deliveries go through emails. [CSO Online]
  • In 2020, 65% of criminal groups relied on spear-phishing as the primary infection tactic. [Symantec]
  • Organizations reporting phishing and social engineering attacks are increasing by 16% every year. [Accenture]
  • In 2020, 45% of all breaches featured hacking, 17% used malware, and 22% involved a form of phishing. [Verizon]
  • In 2020, 86% of all breaches were financially motivated. Only 10% were motivated by cyber espionage. [Verizon]

Cyberattacks as a form of technology warfare have been rising recently, up to 4% according to Privacy Affairs. Governments and non-government organizations have taken part in cyber warfare, and that rate should continue to grow as technologies become more integrated into the public’s lives.

C-suite and Cybersecurity

  • According to a recent survey carried out on C-suite users, a total of 53% of respondents indicated “cybercrime and data breaches” as the number one concern when it comes to cybersecurity. [IBM Study]

Increased attacks on Service Providers

Attacks on service providers such as Yahoo, AML, etc. have seen a rise in recent years. Yahoo faced the worst service provider attack with instances affecting 3 million, 500 million, and 200 million user accounts in 2013, 2014, and 2016 respectively. [NYTimes]

Organizational vulnerabilities

  • Both medium and small-scale organizations are losing an estimated $120,000 on average due to service denial attacks. Enterprises could lose more than $2 million in total due to denial of service attacks. [Security Intelligence]
  • Around 25% of consumers across the USA, UK, France, and Germany would abandon a product or service in case of a single ransomware-related service disruption, failed transaction, or instance of inaccessible data. [Arcserve]

Third-party/Supply-chain risk

  • Supply chain attacks grew by 78% in 2019. [Symantec]
  • Most data breaches (56%) are caused by malicious activities outside the entity. Malicious insiders account for only 7% of the violations. [Statista]
  • Intrusions caused by phishing have affected 82% of manufacturers in the U.S, which also covers the industrial supply chains present in the manufacturing sectors. [phishing box]
  • Almost 59% of UK and US-based companies who have used a third-party service have experienced data breaches. Only 16% of them think that the third party’s risk management system was effective enough in 2020. [Business Wire]

Skills Shortage in CyberSecurity

The overall level of skills when it comes to Cybersecurity measures has not matched up to the required standards.

  • Over 54% of the world’s organizations have experienced some sort of significant cyber-attack in the past year. [IBM]
  • Only 38% of global organizations claim that they can handle a sophisticated cyber-attack. [IBM]
  • In 2019 and 2020, almost 53 percent of organizations reported a problematic shortage of cybersecurity skills. [Security Intelligence]
  • The healthcare industry has the highest average data breach cost ($7.13 million). [IBM]
  • In 2019, a total of 38 million medical records were exposed across the USA. [HIPAA JOURNAL]
  • In 2020, there was a 58% increase of confirmed data breaches in the healthcare industry. [Verizon]
  • In September 2020 alone, 9.7 million healthcare records were the target of 83 successful breaches. [HIPAA JOURNAL]
  • More than 93% of all healthcare entities were victims of a breach attempt in the past three years. [Herjavec Group]
  • The U.S. Department of Health and Human Services experienced 52 data breaches in October 2019 alone. [HIPAA JOURNAL]
  • 2015 remains the worst year for data breaches in this sector, with two instances exposing 78.8 million and 11 million customers, respectively. [appknox]

Cybersecurity Spending

As the threat of cybersecurity intensifies, the overall amount spent on cybersecurity has been increasing since 2015.

  • In 2020, almost 52% of companies believed that cloud computing is a priority for cybersecurity investment.  [Safe At Last]
  • Cloud computing providers will spend 57% more on security in 2021. The other areas that will see more development are IoT, mobile computing, cybersecurity analytics, and robotic process automation. [Forrester]
  • By 2023, businesses are expected to spend $12.6 billion on cloud security tools. That’s more than double from the $5.6 billion spent in 2018. [Forrester]
  • By the end of 2021, 100% of large companies globally will have a CISO (Chief information security officer) position. [Cybersecurity Ventures]
  • The worldwide information security market will reach $170.4 billion in 2022. [Gartner]
  • The USA allocated $18.78 billion for cybersecurity spending in 2021. [Atlas VPN]
  • Only a mere 10% of IT security budgets allocated by companies go towards smart device security. [Gartner]
  • More than 70% of security executives believe that their budgets for the fiscal year 2021 will shrink. [Mckinsey]
data breaches stats

Prevention and the Future

The modern, inter-connected world is increasingly falling under threat from growing instances of cybercrimes. Many large companies have fallen prey to elaborate cyber schemes and have lost millions on lawsuits.

The number of data breaches per year in the United States has gradually increased since 2014: [Statista]

  • 783 cases in 2014
  • 781 cases in 2015
  • 1093 cases in 2016
  • 1579 cases in 2017
  • 1244 cases in 2018

When it comes to 2019, however, the numbers have skyrocketed.

  • There were more than 3800 reported cases of breaches in 2019. [Forbes]
  • Compared to the first six months of 2018, there was a 54% increase in the number of reported breaches. [TechRepublic]
  • Breaches exposed 52% more records than in 2018. [Risk Based Security]

The largest data breaches in 2019:

  • A total of 620 million accounts suffered a data breach in 2019, from a total of 16 websites. [Forbes]
  • Websites such as Dubsmash, Armor Games, ShareThis, Whitepages and 500px were among those affected. [IT Governance UK]

Here are some industry trends and predictions to watch for in 2021 and beyond:

  • The cybersecurity skills gap will continue to be an issue for companies trying to prevent data breaches.
  • Remote workers will be the prime target for cybercriminals as employees continue to work from home.
  • Cloud breaches will increase as a side effect of remote workforces.
  • The increased bandwidth of connected devices will make IoT devices more vulnerable to cyberattacks.

Prevention is always better than cure and is most applicable when dealing with cybercrimes. With different forms of cyberattacks, ranging from malware, phishing, denial of service, SQL injection, Zero-day exploits, DNS tunneling, and others, the need for effective cybersecurity measures is of utmost priority.

Cybersecurity measures range from simple to complex. Necessary preventive measures such as password protection and authentication, are not enough to prevent more elaborate and complex cyber threats that are faced by companies today.

From a business perspective, data breaches can never be ignored, and appropriate measures must be taken by the companies, something which is lacking as of now. As hackers find more elaborate ways to breach security, countermeasures need to be in place. The only way to tackle such threats is to develop sophisticated security techniques, as well as to educate users and employees about the dangers of the different forms of cybersecurity threats prevalent currently.

If left untreated, cybercrimes and data breaches can hamper the reputation of a company, assets, finances, and even their existence, which means there will be no future if you don’t start prevention now. Find out more on how to secure your data in the cloud, by connecting with one of our experts.

Key Takeaways for Statistics on Data Breaches

  • As an increasingly large number of systems and processes go online, customers, businesses, and governments become more vulnerable to cybercrime and attacks.
  • To counter the threat of cybercrime, organizations must increase their investments in cybersecurity.
  • The variety and severity of cyberattacks are on the rise.
  • Train employees on the dangers of social engineering. Disallow the downloading of unfamiliar apps from unknown sources.
  • If a cyberattack does occur and hackers demand payment, by not reporting it and giving in, you take the easy way out. Hackers will come back for more if they can profit off of you. Report crimes to the authorities and refuse to pay. This will make future attacks less likely.