As more and more companies experience crippling security breaches, the wave of compromised data is on the rise. Data breach statistics show that hackers are highly motivated by money to acquire data, and that personal information is a highly valued type of data to compromise. It’s also apparent that companies are still not prepared enough for breaches even though they are becoming more commonplace.
We’ve compiled 98 data breach statistics for 2021 that also cover types of data breaches, industry-specific stats, risks, costs, as well as data breach defense and prevention resources. Hopefully, this will help organizations understand the importance of data security and how to better allocate their security budgets.
What is a Data Breach?
A data breach is any incident where confidential or sensitive information has been accessed without permission. Breaches are the result of a cyberattack where criminals gain unauthorized access to a computer system or network and steal the private, sensitive, or confidential personal and financial data of the customers or users contained within.
The U.S. Department of Justice defines a breach as “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, access for an unauthorized purpose, or other unauthorized access, to data, whether physical or electronic.”
Common cyber attacks used in data breaches are ransomware, malware, phishing and denial of service (DoS).
The Origin of Data Breaches
Although data breaches seem more prevalent nowadays due to cloud computing and increased digital storage, they have existed as long as companies have maintained confidential information and private records. However, publicly disclosed data breaches increased in frequency in the 1980s and awareness of data breaches grew in the early 2000s.
According to the Office of Inadequate Security website, in 1984 the global credit information corporation known as TRW (now called Experian) was hacked and 90 million records were stolen. In 1986, 16 million records were stolen from Revenue Canada.
Most public information on data breaches only dates back to 2005. In 2020, surveys showed that over half of Americans were concerned about data breaches in natural disasters and personal safety as a result of the pandemic. Data breaches today tend to impact millions of consumers in just one attack on a company.
How Do Data Breaches Occur?
A data breach occurs when a cybercriminal infiltrates a data source and extracts confidential information. This can be done by accessing a computer or network to steal local files or by bypassing network security remotely. While most data breaches are attributed to hacking or malware attacks, other breach methods include insider leaks, payment card fraud, loss or theft of a physical hard drive of files and human error. The most common cyber attacks used in data breaches are outlined below.
Ransomware
Ransomware is software that gains access to vital data and locks it down. Files and systems are locked and a fee is demanded, commonly in the form of cryptocurrency.
- Common Target: Enterprise companies and businesses
Malware
Malware, commonly referred to as “malicious software,” is a term that describes any program or code that harmfully probes systems. The malware is designed to harm your computer or software and commonly masquerades as a warning against harmful software. The “warning” attempts to convince users to download varying types of software, and while it does not damage the physical hardware of systems, it can steal, encrypt or hijack computer functions.
Malware can penetrate your computer when you are navigating hacked websites, downloading infected files or opening emails from a device that lacks anti-malware security.
- Common Target: Individuals and businesses
Phishing
Phishing scams are one of the most common ways hackers gain access to sensitive or confidential information. Phishing involves sending fraudulent emails that appear to be from a reputable company, with the goal of deceiving recipients into either clicking on a malicious link or downloading an infected attachment, usually to steal financial or confidential information.
- Common Target: Individuals and businesses
Denial of Service (DoS)
Denial of Service is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. It is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
- Common Target: Sites or services hosted on high-profile web servers such as banks
Recent Data Breaches + Statistics
With 3,950 confirmed data breaches in 2020, we’ve outlined some of the most recent and impactful security breaches of the year. This data shows how recent and widespread the impact of data breaches on sensitive information is.
- On January 22, 2020, a customer support database holding over 280 million Microsoft customer records was left unprotected on the web (IdentityForce).
- On February 20, 2020, over 10.6 million hotel guests who had stayed at the MGM Resorts had their personal information posted on a hacking forum (IdentityForce).
- On April 14, 2020, the credentials of over 500,000 Zoom teleconferencing accounts were found for sale on the dark web (IdentityForce).
- On July 20, 2020, an unsecured server exposed the sensitive data belonging to 60,000 customers of the family history search software company, Ancestry.com (IdentityForce).
- On August 20, 2020, researchers at Comparitech uncovered an unsecured database with 235 million Instagram, TikTok, and YouTube user profiles exposed online belonging to the defunct social media data broker, Deep Social (IdentityForce).
- On November 5, 2020, a database for Mashable.com containing 1,852,595 records of staff, users, and subscribers data was leaked by hackers (IdentityForce).
- On December 10, 2020, an undisclosed number of users of the audio streaming service Spotify had their passwords reset after a software vulnerability exposed account information (IdentityForce).
- On February 18, 2021, the California Department of Motor Vehicles (DMV) alerted drivers they suffered a data breach after billing contractor, Automatic Funds Transfer Services, was hit by a ransomware attack (IdentityForce).
COVID-19 Specific Data Breaches
2020 was a year like no other with COVID-19 severely impacting industries in every corner of the globe. This opened the pathway for cybercriminals who were able to target vulnerable victims in the healthcare industry, as well as those who were unemployed or remote workers. Here are a few of the most impactful data breach statistics related to the pandemic.
- Remote work during COVID-19 increased data breach costs in the United States by $137,000 (IBM).
- 54% of organizations required remote work in response to COVID-19 (IBM).
- 76% of participants said remote work would increase the time to identify and contain a data breach (IBM).
- Estimates show there have been as many as 192,000 coronavirus-related cyberattacks per week in May 2020 alone, a 30% increase compared to April (Unisys).
- In 2020, 98% of point of sale data breaches in the accommodation and food services industry were financially motivated (Verizon).
- Confirmed data breaches in the healthcare industry increased by 58% this year (Verizon).
- Web application breaches account for 43% of all breaches and have doubled since 2019 (Verizon).
- 33,000 unemployment applicants were exposed to a data security breach from the Pandemic Unemployment Assistance program in May (NBC).
- A data breach of the federal disaster loan applications impacted 8,000 small business owners exposing their applications (U.S. PIRG).
- Scams increased by 400% over the month of March, making COVID-19 the largest-ever security threat (ReedSmith).
Breaches by the Numbers
There are many factors to consider when preparing for and managing a data breach, like the amount of time it takes to respond to a data breach and the reputational impact it has on your company. Read below to see how breaches happen, average response times and other crucial information.
How Breaches Happen
- An average of 4,800 websites a month are compromised with form-jacking code (Symantec).
- 34% of data breaches in 2018 involved internal actors (Verizon).
- 71% of breaches are financially motivated (Verizon).
- Ransomware accounts for nearly 24% of incidents where malware is used (Verizon).
- 95% of breached records came from the government, retail, and technology sectors in 2016 (Tech Republic).
- 36% of external data breach actors in 2019 were involved in organized crime (Verizon).
Average Response Time and Lifecycle
- The average time to identify a breach in 2020 was 228 days (IBM).
- The average time to contain a breach was 80 days (IBM).
- Healthcare and financial industries spent the most time in the data breach lifecycle, 329 days and 233 days, respectively (IBM).
- The data breach lifecycle of a malicious or criminal attack in 2020 took an average of 315 days (IBM).
- 48% of malicious email attachments are Microsoft Office files (Symantec).
- From 2016 to 2018, the most active attack groups targeted an average of 55 organizations (Symantec).
- The global number of web attacks blocked per day increased by 56.1% between 2017 and 2018 (Statista).
- The number of data breaches in the U.S. has significantly skyrocketed within the past decade from a mere 662 in 2010 to over a thousand by 2020 (Statista).
- Office applications were the most commonly exploited applications worldwide in Q3 of 2018 (Statista).
- There was an 80% increase in the number of people affected by health data breaches from 2017 to 2019 (Statista).
- By stealing only 10 credit cards per website, cyber criminals earn up to $2.2 million through formjacking attacks (Symantec).
Cost of a Data Breach
It’s no secret that data breaches are costly for a business. To calculate the average cost of a data breach, security institutes collect both the direct and indirect expenses suffered by the breached organization.
Direct expenses include forensic experts, hotline support and providing free credit monitoring subscriptions and potential settlements. Indirect costs include in-house investigations and communication, as well as customer turnover or diminished client acquisition rates due to companies’ reputations after breaches. See just how expensive it is to experience a breach and what elements cause the cost to rise.
- Healthcare is the most expensive industry for a data breach at $7.13 million (IBM).
- The global average cost of a data breach is $3.86 million (IBM).
- The average cost per lost or stolen record in a data breach is $150 (IBM).
- A breach lifecycle under 200 days costs $1 million less than a lifecycle over 200 days (IBM).
- 39% of costs are incurred more than a year after the data breach (IBM).
- In 2020, the country with the highest average total cost of a data breach was the United States at $8.64 million (IBM).
- A mega breach of 1 million to 10 million records has an average total cost of $50 million, a growth of 22% from 2018 (IBM).
- A mega breach of 50 million records has an average total cost of $392 million, a growth of almost 12% from 2018 (IBM).
- Hospitals spend 64% more annually on advertising over the two years following a breach (American Journal of Managed Care).
Data Breach Risk
IBM’s Cost of a Data Breach Report found that the average total cost of a data breach is $3.86 million and moving in an upward trend. This data, in particular, validates the reason to invest in preventative data security. See the data breach risk statistics below to help quantify the effects, motivations and causes of these damaging attacks.
- A financial services employee has access to 11 million files (Varonis).
- The average distributed denial-of-service (DDoS) attack grew to more than 26Gbps, increasing in size by 500% (Nexusguard).
- In the first quarter of 2020, DDoS attacks rose more than 278% compared to Q1 2019 and more than 542% compared to the last quarter (Nexusguard).
- 9,637 attacks were between 10Mbps and 30Mbps (Nexusguard).
- Over 64% of financial service companies have 1,000+ sensitive files accessible to every employee (Varonis).
- On average, 50% of user accounts are stale (Varonis).
- 58% of companies found over 1,000 folders that had inconsistent permissions (Varonis).
- Only 5% of a company’s folders are protected (Varonis).
- 38% of all users sampled have a password that never expires (Varonis).
- 28% of data breach victims are small businesses (Verizon).
- Over 80% of breaches within hacking involve brute force or the use of lost or stolen credentials (Verizon).
- A cyberattack occurs every 39 seconds (University of Maryland).
- The larger the data breach, the less likely the organization will have another breach in the following two years (IBM).
- 23% of data breaches are caused by human error (IBM).
- 62% of breaches not involving an error, misuse, or physical action involved the use of stolen credentials, brute force, or phishing (Varonis).
In the rapidly evolving field of data security, it’s vital that business owners stay informed of all potential issues. Below are the projected cybersecurity incidents that may occur in the coming years.
- It is estimated that a business will fall victim to a ransomware attack every 11 seconds by 2021 (Herjavec Group).
- Cybercrime is estimated to cost the world $10.5 trillion annually by 2025 (Cybersecurity Ventures).
- Attackers will zero in on biometric hacking and expose vulnerabilities in touch ID sensors, facial recognition and passcodes (Experian).
- Skimming isn’t new but the next frontier is an enterprise-wide attack on a national network of a major financial institution, which can cause millions in losses (Experian).
- A major wireless carrier will be attacked with a simultaneous effect on both iPhones and Android, stealing personal information from millions of consumers and possibly disabling all wireless communications in the United States (Experian).
- A cloud vendor will suffer a breach, compromising the sensitive information of hundreds of Fortune 1000 companies (Experian).
- The online gaming community will be an emerging hacker surface, with cybercriminals posing as gamers and gaining access to the computers and personal data of trusting players (Experian).
Historical Data Breach Statistics
Some of the biggest data breaches recorded in history were from 2005 or later. Once governments and businesses moved from paper to digital, data breaches became more commonplace.
In 2005 alone there were 136 data breaches reported by the Privacy Rights Clearinghouse and more than 4,500 data breaches have been made public since then. However, it is fair to believe the actual number of data breaches is likely higher since some of the data breaches that the Privacy Rights Clearinghouse reports on have unknown numbers of compromised records. The 2014 Verizon Data Breach Investigation alone reported on 2,100 data breaches where 700 million records were exposed.
Below we have provided a list of data breach statistics that led up to and launched the age of data infiltration.
- The first computer virus, known as “The Creeper,” was discovered in the early 1970s (History of Information).
- In 2005 the Privacy Rights Clearinghouse began its chronology of data breaches (Symantec).
- 2005 is the year the first data breach (DSW Shoe Warehouse) exposed more than 1 million records (Symantec).
- The largest insider attack occurred from 1976 to 2006 when Greg Chung of Boeing stole $2 billion worth of aerospace documents and gave them to China (NBC).
- AOL was the first victim of phishing attacks in 1996 (Phishing).
- As of 2015, 25% of global data required security but was not protected (Statista).
- In 2017, one of the three major U.S. credit reporting agencies Equifax exposed 145.5 million accounts including names, Social Security numbers, dates of birth, addresses, and, in some cases, driver’s license numbers of American consumers (Symantec).
- Social media data breaches accounted for 56% of data breaches in the first half of 2018 (IT Web).
- Over the past 10 years, there have been 300 data breaches involving the theft of 100,000 or more records (Forbes).
- The United States saw 1,244 data breaches in 2018 and had 446.5 million exposed records (Statista).
- Data breaches exposed 4.1 billion records in the first six months of 2019 (Forbes).
- As of 2019, cyber-attacks are considered among the top five risks to global stability (World Economic Forum).
Largest Recorded Data Breaches
Data breaches are becoming more and more common and some of the most recent data breaches have been the largest on record to date. Here’s a look at the largest data breaches in history.
- Yahoo holds the record for the largest data breach of all time with 3 billion compromised accounts (Statista).
- In 2019, First American Financial Corp. had 885 million records exposed online including bank transactions, social security numbers and more (Gizmodo).
- In 2019, Facebook had 540 million user records exposed on the Amazon cloud server (CBS).
- In 2018, the Marriott International data breach affected roughly 500 million guests (New York Times).
- In 2016, for reasons of poor security, Adult Friend Finder Network was hacked, exposing 412 million users’ private data (Zero Day).
- Experian-owned Court Ventures sold information directly to a Vietnamese fraudster service involving as many as 200 million records (Forbes).
- In 2017, data of almost 200 million voters leaked online from Deep Root Analytics (CNN).
- In 2014, eBay was hacked and 145 million records were accessed (Yahoo).
- In 2008 and 2009, Heartland Payment Systems suffered a data breach resulting in the compromise of 130 million records (Tom’s Guide).
- In 2007, the security breach at T.J. Maxx Companies Inc. compromised 94 million records (Information Week).
- In 2015, Anthem experienced a breach that compromised 80 million records (Anthem).
- In 2013, Target confirmed a breach that compromised 70 million records (KrebsOnSecurity).
Data Breach Prevention
There are also proactive approaches security professionals can take in order to lower their chances of experiencing a breach. Identifying cybersecurity risks to your data can be a good place to start. See how companies are shifting their budgets and priorities to protect their assets and customers from cyberattacks.
- 63% of companies have implemented a biometric system or plan to onboard one (Veridium).
- 17% of IT security professionals reported information security as the largest budget increase for 2018 (ZDNet).
- 80% of organizations planned to increase security spending for 2018 (ZDNet).
- It is predicted that global cybersecurity spending will exceed $1 trillion cumulatively from 2017 to 2021 (Cybersecurity Ventures).
- Worldwide, IT security spending in 2019 was projected to grow 8.7% over 2018’s figure (Gartner).
- For the first time since 2013, ransomware declined, down 20% overall, but up 12% for enterprises (Symantec).
- Budget allocation to hardware-based security services, which generally lack both portability and the ability to effectively function in virtual infrastructure, has fallen from 20% in 2015 to 17% with a further predicted decline to 15.5% in 2019 (451 Research).
- MSSPs, which can replicate certain security operational functions, saw modest budget allocation growth at the end of 2017 to 14.7%, but security professionals expect that stake to grow to 17.3% by 2019 (451 Research).
Data Breach Defense + Prevention Resources
Companies need to examine lessons from the GDPR and update their data governance practices as more iterations are expected in the coming years. It’s crucial to properly set permissions on files and remove stale data.
Keeping data classification and governance up to par is instrumental to maintaining compliance with data privacy legislation like HIPAA, SOX, ISO 27001 and more. Today, modern solutions offer great protection and a more proactive approach to security to ensure the safety of sensitive information.
The following resources offer additional information on the improvement of data protection and tips for data breach prevention.
- Varonis Red Alert Data Breach Report
- Varonis 2021 Financial Data Risk Report
- Verizon’s Data Breach Investigations Report (DBIR)
- IBM’s 2020 Cost of a Data Breach Report
- DataLossDB, maintained by the Open Security Foundation
- Ponemon Institute
- Data Breach Risk Calculator
- Identity Theft Resource Center
- RiskBased Mid-Year Data Breach Report
Data Breach Insurance Types
In order to mitigate the risk that comes along with data loss, many companies are now purchasing data breach insurance to support their data breach prevention and mitigation plans. Data breach insurance helps cover the costs associated with a data security breach. It can be used to support and protect a wide range of components, such as public relations crises, protection solutions and liability. It may also cover any legal fees accumulated from the breach.
Common types of data breach insurance are first-party insurance and third-party insurance.
With the many different kinds of consequences that follow a data breach, significant time and money will be spent to recover. From recovering data to notifying stakeholders, first-party insurance covers the following:
- Investigating costs
- Notifying all affected parties
- Fielding inquiries
- Tools to help affected parties
Third-party insurance is primarily used by contractors and IT professionals to lessen their liability. The covered expenses may include things such as the following:
- Lawyers’ fees
- Judgments and liability
- Other court costs such as witness fees, docket fees, etc.
Data Breach Statistics FAQs
Below are some of the most frequently asked questions about data breaches with answers supported by data breach statistics and facts.
How many data breaches occur?
A: The Privacy Rights Clearinghouse keeps a chronology of data and public security breaches dating back to 2005. The actual number of data breaches is not known. The Privacy Rights Clearinghouse estimated that there have been 9,044 public breaches since 2005; however, more can be presumed since the organization does not report on breaches where the number of compromised records is unknown.
What was the biggest data breach in history?
A: Yahoo holds the record for the largest data breach of all time with 3 billion compromised accounts (Statista).
How many data breaches were there in 2020?
A: There were 3,950 confirmed data breaches in 2020 (Verizon).
How much does a data breach cost?
A: As of 2020, the average total cost of a data breach is $3.86 million (IBM).
What is the average size of a data breach?
A: 25,575 records (IBM).
Regardless of industry, there’s no question that data security and defense is highly valuable for companies in the digital economy we live in. Assess your business’s cybersecurity risk to make company-wide changes and improve overall security behavior.
Avoid being a data breach statistic by doing everything possible to protect your business from experiencing a breach. For more information on data security platforms learn how data protection solutions could positively impact your business.
Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.