Show Notes

Follow on LinkedIn: www.linkedin.com/company/idtheftcenter/
Follow on Twitter: twitter.com/IDTheftCenter 

Show Transcript

The Cost of Doing Breaches

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 29, 2022.  Each week, we look at the most recent events and trends related to data security and privacy. In our last episode, we looked at how the Law of Supply & Demand impacted the going rate for stolen personal information in identity marketplaces. Supply is up, demand is steady, so prices are generally down. Inflation has not yet found its way into the illicit identity marketplaces. This week, we look at the other side of that equation – the cost of a data breach for the organizations that lose control of personal and business information. Think of it as The Cost of Doing Breaches.

IBM Releases Cost of a Data Breach Report

This week, for the 17th year, IBM released its flagship report, and, to no one’s surprise, the average cost of a data breach is up around the world. The global average cost for a data breach in 2021 was $4.35 million, an all-time high and a nearly three (3) percent increase over 2020. However, that is just the global average, not the United States (U.S.).

The Cost of a Data Breach in the U.S. is Higher Than Around the World 

When you bring the figure home to the U.S., it jumps to $9.44 million, also a year-over-year increase. That average data breach represents a compromise of a little over 100,000 records. When you consider the costs of a “mega” breach of more than one million records, the cost increases to $49 million for up to ten (10) million records. That’s actually a slight decrease in costs year-over-year.

Factors That Drive Up the Cost of a Data Breach

If an organization is considered part of the critical infrastructure, the average cost goes up by $1 million. If the breach resulted from a phishing attack, add another $500,000 in costs. 

Other Highlights from The Report

  • Healthcare organizations, which are considered critical infrastructure, lead the list of industries with the highest cost of a data breach for the 12th consecutive year.
  • How long did it take for organizations to discover, stop and remediate a breach in 2021? On average, 277 days; ten (10) fewer days than in 2020. That means if a breach started on January 1, it would not be fully contained until October 4.
  • If the root cause of the breach was stolen or compromised credentials (login and password), the time to contain the breach was 327 days, two months longer than the average.
  • Ransomware attacks took 49 days longer to contain. However, organizations that paid a ransom had lower breach costs than those that didn’t pay a ransom. That’s also excluding the ransom payment itself.
  • For the first time in at least six years, “lost business” wasn’t the largest share of data breach costs. Lost business costs decreased by almost 11 percent, including business disruption and revenue losses from system downtime, cost of lost customers and acquiring new customers, and reputation losses and diminished goodwill.
  • “Detection and escalation” moved into the top cost of a data breach slot after an increase of 16 percent. These costs include forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards.
  • For 83 percent of the organizations studied in the IBM report, the breach in 2021 was not the first breach the business had suffered.

Contact the ITRC

If you want to learn about data breach trends in the first half of this year, download our full H1 2022 Data Breach Analysis from our website at www.idtheftcenter.org/publications.

If you think you have been the victim of a data breach or other identity crime, visit our website www.idtheftcenter.org. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). 

Next month, we will publish a new report for the first time that looks at overall identity trends, followed in September by our Consumer Aftermath Report that dives into the identity impacts on individuals. In October, we will publish our impact report on small businesses.

Be sure to join us next week for another episode of the Weekly Breach Breakdown.