On March 18, 1990, two men in police uniforms entered an art museum in Boston. They carried out the largest fine art theft in history. 13 paintings by world-famous artists were stolen that day.
To this day, their frames remain empty on the walls of the museum.
Now, 1990 also saw the dawn of another kind of robbery. Storing data on the internet is one of the greatest technological advancements and we have all enjoyed it immensely.
It came at a price though…
Since the advent of the global network, robberies have become much more subtle, as these comprehensive data breach statistics curated by Hosting Tribunal can tell you.
The modern ways of stealing are harder to track and can affect a lot more people.
Let’s look at some quick data breach facts first:
- 42% of data breaches are caused by hackers or criminals.
- 86% of all cyber attacks in the world occur in the US.
- In H1 2018, 4.5 billion records were compromised.
- In 2019 companies will spend more than $124 billion on information security.
- In 2018, the average cost of a data breach incident went as high as $3.86 million.
- 30% of all large data breaches occur in hospitals.
- 139 days is the average time to discover a data breach.
- 3.3 billion records were compromised by data breaches in H1 2018.
Cybersecurity issues are as real as physical thefts.
Today we ask:
How much do you know about data breach statistics?
Different Types of Data Breaches and Their Impact
- Identity theft – the leading type of data breaches since 2013. 83% of all stolen records in 2018 involved identity theft. (Source: Gemalto Breach Level Index)
- Cyber attack – There is a new cyber attack every 39 seconds. (Source: University of Maryland)
- Employee negligence – 34% of companies see employee negligence as the biggest liability against data breaches. (Source: EY)
- Outdated security controls – 39% of companies say that less than 2% of their IT workforce is focused on cybersecurity. (Source: EY)
- Unauthorized access – 88% of professionals claim they need to improve their ability to identify and cut unauthorized access. (Source: IBM-Ponemon Institute)
Data Breaches Risks and Impact Stats
- 30% of companies have at least 1,000 folders accessible to the public. (Source: Varonis)
- Small businesses constitute 58% of all data breach victims. (Source: Verizon)
- In 2017, 36% of all compromised data was in the form of names, birthdays, and gender. (Source: Varonis)
- In 2018, more than 70 million records were either accessed or stolen, due to poorly configured S3 buckets. (Source: Symantec)
- Human error is the reason behind 27% of all data breaches. (Source: IBM-Ponemon Institute)
- 49% of companies plan to expand their cloud security budget in the next year. (Source: Cybersecurity Insiders)
- In 2018, supply chain attacks increased by 78%. (Source: Symantec)
- 93% of all malware comes from emails. (Source: Verizon)
- In the research industry, a breach might be contained in 53 days. Healthcare is at the top of the list – with 103 days to contain a breach. (Source: Varonis)
Cost of Data Breaches for Companies
- In 2018, the US suffered 1,244 cyber attacks. That led to over 446.5 million exposed files. (Source: Statista)
- In 2018, the global cost per data breach was estimated at $3.86 million. (Source: IBM-Ponemon Institute)
- A massive data breach with 1 million affected records has an average total cost of $40 million. (Source: IBM-Ponemon Institute)
- The overall cost of a data breach for a company may come down by 50% if the process of detecting the breach is automated. (Source: IBM-Ponemon Institute)
- The average cost per data breach has increased by 6.4% between 2017 and 2018. (Source: IBM-Ponemon Institute)
- After a data breach, hospitals spend 64% more on advertising for the next two years. (Source: Health IT Security)
- The highest costs per data breach are in Healthcare – $408 per record. (Source: Hipaa Journal)
- The average cost per stolen or lost record in a data breach is $148. (Source: IBM-Ponemon Institute)
- The biggest component in a data breach cost is the lost business cost. (Source: IBM-Ponemon Institute)
- The cost of lost business after a cyber attack in a US organization can reach $4.2 million. (Source: IBM-Ponemon Institute)
- A strong incident response team has the most positive effect on data breach cost. (Source: IBM-Ponemon Institute)
- If the company has invested in an incident response team, that can lead to up to $14 savings per breached record. (Source: IBM-Ponemon Institute)
- Target paid $19 million because of a data breach in 2013. (Source: Fortune)
Data Breach Preventions Stats
- Implementing a biometric system to improve automated detection is among the latest trends – 63% of companies have already done it, or plan to do it in the near future. (Source: Veridium)
- In 2018, 17% of IT security specialists said information security accounts for the largest budget increase. (Source: Zdnet)
- In 2018, 80% of companies plan on expanding their security budget. (Source: Zdnet)
- More than 65% of businesses don’t have cybersecurity insurance. (Source: Hashed Out)
Biggest Data Breaches by Categories
Hearing about a new data breach today is like just another day on the internet!
Let’s do a 2019 recap of the data breach statistics from the last 15 years.
Aadhaar (Indian identity database)
- India’s national ID database has suffered several data breaches so far.
- More than 1.1 billion citizens have Aadhaar ID cards. That’s more than 90% of the population.
- In March 2018, a breach was discovered – it had compromised every account in the database.
- The time and date of the breach remain unknown.
- The leaked information contains data such as names of residents, their 12-digit ID numbers, and bank account numbers.
Australian Immigration Department
(Source: The Guardian)
- The 9th meeting of the G20 world leaders took place in Australia, November 15-16, 2014.
- Some personal info of the G20 world leaders leaked from the Australian government.
- It was an email sent by mistake to a member of the football committee of the Asian Cup.
- The blunder revealed passport numbers, visa details, and other personal info on political leaders such as Barack Obama and Angela Merkel.
California Department of Child Support Services
- In 2012, 800,000 child support records were lost.
- 4 computer storage devices were stolen during transportation.
- Users were at risk of identity theft. Personal information like social security numbers and addresses was revealed.
21st Century Oncology
- The 21st Century Oncology data breach from October 2015 affected the confidentiality of over 2.2 million patients’ personal records.
- Personal information like social security numbers, physicians, diagnoses, treatments, as well as insurance was breached.
- The breach was announced 5 months after the hacking. The FBI was involved in the investigation.
Accendo Insurance Co.
(Source: Data Breaches)
- In 2011 Accendo Insurance Company suffered a data breach.
- 175,000 members were affected – their date of birth, the medications they were taking, and their member ID were exposed.
(Source: Digital Sentinel)
- The second largest health insurance company in the US was breached in January 2015.
- 78.8 million customers and employees were affected in the Anthem data breach.
- The company publicly admitted the cyber attack 20 days after it occurred.
- The compromised data included medical IDs, social security numbers, and physical addresses.
Tech and Web
- Between 2013 and 2016, there were several Yahoo data breaches.
- In 2013, all 3 billion user accounts were compromised.
- In 2014, yet another data breach affected over 500 million user accounts.
- Both security breaches were made public in 2016.
- Because of the breach, Yahoo’s sale price fell by $350 million.
- In 2017, Verizon acquired Yahoo for $4.48 billion. Verizon’s offer before information about the breaches became public was $4.8 billion. (For reference: Facebook acquired Instagram in 2012 for $1 billion, and WhatsApp in 2014 for $19 billion.)
- According to statistics, Yahoo’s data breach was the largest data breach until 2018.
- Yahoo received a $35 million fine for not reporting the massive data breach.
- In 2004, AOL suffered an extensive data breach.
- It was reported that the breach was an inside job.
- A former America Online software engineer stole 92 million screen names and email addresses and sold them to an online marketer.
- The AOL data breach was one of the biggest data breaches in history.
- In September 2018, Facebook’s database was breached.
- More than 50 million accounts were compromised because of poor security.
- The social network suffered another data breach as recently as March 2019. This time the number was considerably higher than 50 million: the latest Facebook data breach exposed more than 540 million user accounts.
- In 2011 there was a data breach in Sony’s video game network.
- The data of 77 million accounts was affected by the Sony data breach.
- All sorts of information were accessed – from email addresses and birth names to logins, usernames, and security questions.
- This was one of the largest ever security cyber break-ins.
- More than 500,000 Google+ users were exposed in 2018.
- The Google data breach was not reported by the company. The Wall Street Journal posted excerpts from an inter-company memo that exposed information about the breach.
- Google+ was launched in 2011. In 2015 it had 111 million subscribers.
- In November 2018 Google discovered a bug that affected the personal information of 52 million users.
- The Google+ social network is to be shut down as a project effective in August 2019.
- The 2014 eBay data breach compromised the account information of 145 million users.
- The breach occurred in the period February – March 2014 but was detected as late as May 2014.
- The cyber attack occurred after the login information of 3 corporate employees was hacked.
- The hackers had full access to the eBay database for 229 days.
- In May 2016, the social network MySpace suffered one of the largest data breaches in history.
- The usernames of almost 120 million users were stolen, as well as 69 million secondary passwords.
- This is one of the biggest data breaches to this day.
- Initially, the official report claimed only 6.5 million accounts were breached during the LinkedIn data breach.
- Later on, the full extent of the damage done revealed that the 2012 LinkedIn hack led to unauthorized entities having access to 117 million account usernames and passwords. #LeakedIn
(Source: Data Breach Today)
- 14 million user accounts were hacked.
- The breach occurred in 2012 on Battle.net.
- User information like email passwords, cryptographically scrambled passwords, and authentication information was accessed.
- The 2014 Uber data breach affected only 50,000 accounts. It was because of poor security.
- However, there was another security breach in 2016 which was a big one: it affected 50 million riders and 7 million drivers.
- It also included around 600,000 driver’s licenses.
Washington State University
(Source: Health in Security)
- The Washington State University data breach occurred in 2017.
- The stolen items were several hard-drives containing personal records and health data.
- More than 1.2 million individual records were stolen.
- The WSU started a $4.7 million lawsuit in 2019.
Blank Media Games
- In 2018 Blank Media Games suffered a major cyber attack.
- The browser-based RPG Town of Salem was exposed to hacking.
- 7.6 million accounts were compromised.
- The 2017 Equifax data breach affected 143 million consumers.
- This identity theft occurred due to poor security.
- The breach was discovered on July 29 but was reported in September.
- The information that was affected included birth dates, social security numbers, physical addresses, and driver’s license numbers.
- In 2009, cybercriminals stole the user details of 130 million customers.
- The breach cost the company $140 million in breach-related expenses.
- The company is one of the big processors of Visa, Mastercard, Discover Financial, and American Express.
- In March 2012 Global Payments announced unauthorized access to their database.
- The company claimed less than 1.5 million accounts were affected.
MyFitnessPal
- The popular nutrition app owned by Under Armour was breached in February 2018.
- The attack was not discovered until March 25.
- About 150 million user accounts were affected.
- The hackers responsible for the Under Armour data breach had access to social security and driver’s license numbers.
- The question-and-answer website suffered a cyber attack in November 2018.
- One of the big data breaches in recent years led to 100 million compromised and stolen user accounts.
- The affected data included usernames, email addresses, and encrypted passwords.
(Source: The Globe and Mail)
- Even the number 1 Fortune 500 company of 2018 was not immune to cyber attacks.
- In 2015 the Canadian branch of the company suffered a data breach that affected the accounts of 1.3 million customers.
- Target’s data breach in 2013 was one of the largest in the retail industry.
- The cyber attack on Target affected 41 million customers and their card accounts.
- The information leak was made possible through the use of malware.
- The consequence: the retail giant had to pay an $18.5 million data breach settlement.
- The affected customers also received free credit monitoring services.
- The home improvement supplies giant Home Depot suffered a big data breach in September 2014.
- 56 million cards were compromised because of the hacking.
Saks, Lord & Taylor
- The Fifth Avenue chain store suffered a cyber attack which affected the payment systems of the store.
- 5 million credit cards were compromised in 2018.
Airlines, Hotels, and Restaurants
- In 2018, Marriott International suffered a massive data breach.
- The Starwood hotel in the US was affected due to the hacking.
- 50 million unencrypted passwords were stolen. (Some say more than 500 million customers were affected…)
(Source: Business Insider)
- In March 2018, a large data breach in the airline’s security was discovered.
- Personal information of 9.4 million passengers was accessed.
- The company stated that 860,000 passport numbers and 245,000 Hong Kong ID numbers were accessed during the breach.
- The Mexican grill restaurant suffered a payment card security breach in April 2017.
- The Chipotle data breach affected most of the company’s 2,250 restaurants.
- The stolen information included account numbers and internal verification codes.
- In 2016 the US telecom conglomerate became a victim of cyber-crime.
- The contact information of 1.5 million customers was put on sale, due to the Verizon data breach.
(Source: Data Breach Today)
- In 2013 the telecom company became a victim of an inside job data breach.
- 2 million user accounts in Germany were compromised.
Experian T-Mobile US
- The Experian data breach occurred in 2015.
- The cybercriminals accessed 15 million user accounts.
- The data breach claimed personal information, even personal records from the US government.
- In 2016, one of UK’s biggest mobile companies became a victim of a cyber attack.
- The private information of 6 million customers of Three Mobile became accessible.
- About 130,000 customer records were compromised.
- UK’s National Crime Agency arrested three people for the cybercrime.
- In 2010, the US Army suffered a massive data breach.
- Around 400,000 classified documents were posted on Wikileaks.
- The massive leak of American military documents exposed confidential information from the Iraq and Afghanistan wars.
US Department of Defense
- The US Department of Defense was breached on October 4, 2018.
- Out of roughly 2 million employees, “only” 30,000 employee records were accessed.
- The compromised personal information contained travel records.
US Department of Veterans Affairs
- In 2006, the data of more than 26 million US veterans was stolen.
- The issue of data security occurred due to stolen equipment.
- This affected both non-active and active military officers. The stolen data consisted of family information, social security numbers, and disability records.
US Office of Personnel Management
- The OPM data breaches from 2014 and 2015 were caused by malware and by allowing a hacker in the physical building of the Office.
- The number of stolen records is estimated to be no less than 21.5 million.
- The stolen documents had a high clearance level and contained information about foreign contacts and psychological information.
- The theft remained undetected for a year.
Responsible and Irresponsible Companies in the Times of Data Breaches
Data breaches alone are nasty enough. They can become even more dangerous if companies fail to inform their users and decide to keep the information for themselves.
Time is a key factor after a cyber attack has occurred. Every time a personal user account is breached, the user must be informed immediately.
As we will see in a moment, though, that almost never happens…
Here is a list that will shed some light on the response times for various data breaches:
Companies which Informed Their Customers Swiftly
- Sony – After the Sony PlayStation data breach, the company took less than a week to inform its customers about the attack.
- Target – The company did an amazing job with the detection of the data breach. It took them 16 days to detect and 20 days to inform the customers.
- Facebook – Super professional in how quickly they informed the public. Not that professional, considering the breach happened because they had been storing hundreds of thousands of user IDs and passwords in plain text for years before the incident.
Companies that Took Forever to Inform Customers
- Yahoo! – With the pending sale to Verizon, the company decided to remain quiet and keep its sale price.
- Uber – The company informed the public almost 1 year after the incident of 2016.
- Marriott – It took 2 months to inform customers their accounts had been attacked.
So, here we are, guys.
Now we have seen the ugly face of Cyber Attack Cerberus, and what he is capable of.
And he seems to know what he’s doing out there, terrorizing the village…
After all, if we just google how many data breaches took place in just 2018, we’ll come up with the mind-blowing number of 945. Cerberus isn’t for the faint of heart.
Still, data breach statistics do have some good news to tell us. Namely, companies are having more and more success in stopping these attacks. Their incentive is two-fold – they appreciate having their customers’ trust… as well as paying less money in settlements.
Whatever the reason for this progress – we, the users, will take it.