What rhymes with peach, costs companies millions of dollars every year, and has, historically, been the bane of some of the world’s most well-known entrepreneurs – from Bill Gates to Mark Zuckerberg? If you answered “data breaches,” you got the punchline spot on.
But if a data breach is the joke, well – it’s not a very funny one.
Data breaches are incidents where hackers gain unauthorized access to sensitive, protected, or confidential information. Hackers can then use this data for insidious purposes – such as phishing attacks and scams – or simply sell it to the highest bidder.
Understanding what data breaches are – and the trends surrounding them in 2023 – is vital. Because even though data breaches can (and, as we’ll see, do) affect the world’s biggest brands, they can affect anyone – even the website builder you use, or your own ecommerce website.
That’s why we’ve pulled together our top 15 data breach statistics from the last couple of years. We’re breaking down how many businesses have experienced data breaches, how much those breaches cost – and how this toll varies across different industries. Plus the companies – including Yahoo!, Microsoft, and Facebook – which have suffered high-profile data breaches.
Ready to explore our top data breach statistics for 2023? Read on!
Dive into the top five data breach statistics your organization needs to know about in 2023:
- 45% of US businesses have experienced a data breach.
- 19% of data breaches occurred due to a compromise at a business partner or other third party.
- In 2022, the average total cost of a data breach in the US was $9.44 million.
- 88% of companies now classify cybersecurity as a business risk (Gartner, 2022).
- According to Surfshark, the US experiences the most data breaches of any country, with 214.4 million users affected in 2021. (Iran, with 156.1 million breached users in 2021, came second.)
Which type of cyber attack is most likely to lead to a data breach? Which US state is the most breached in recent history – and how long does a data breach take to clean up?
Find out with our top five general data breach statistics below:
- 36% of all data breaches involved phishing (Verizon, 2022).
- A 2022 IBM report revealed that, at 295 days, phishing-related breaches took the third-longest mean time to identify and contain.
- California is the most breached state in US history – and by a long way! A Comparitech study unearthed 1,777 data breaches and a whopping 5.6 billion records exposed in the 15-year period between 2005 and 2020. (New York, with 863 breaches and 295 million records exposed, came second; Texas came third.)
- According to a 2022 KPMG survey of senior risk executives, 62% of companies in the Americas experienced a data breach or cyber incident in 2021.
- On average, it takes 287 days to identify and contain a major data breach.
How much does a data breach cost an organization per record – and in total? Are the costs of data breaches to companies decreasing over time – or going the other way? And how does remote working affect any of it?
Find out with our data breach cost statistics below.
- According to a 2021 Symantec Security report, ransomware payments – those made to hackers by companies and individuals to regain forcibly seized control of their data – jumped 171% from 2020. (The highest payout totaled $10 million.)
- In 2021, cybercrime cost a staggering $6 trillion.
- Per record, a data breach costs $210 on average. For healthcare breaches, this more than doubles to $429 (Zippia, 2023).
- According to IBM, data breaches in which remote work was a factor cost businesses, on average, $1.07 million more than where remote work wasn’t a factor.
- As reported by Astra Security, the average cost of a data breach increased from $4.24 million in 2021 to $4.35 million in 2022 – a rise of 2.6% in just one year.
We’ve seen, on average, how much data breaches can cost companies.
Now, let’s take a look at the cases of some of the world’s biggest organizations, the biggest breaches that befell them – and how they attracted all the headlines.
For all the wrong reasons!
Yahoo! 2013 and 2014 Data Breaches
When it comes to avoiding data breaches, Yahoo! doesn’t have the best record.
In August 2013, the popular email provider was hacked, and in a big way. Thieves stole names, email addresses, phone numbers, birthdays. Not to mention hashed passwords, and security questions – and answers.
And it gets worse. Because, in late 2014, Yahoo! was targeted again – with hackers using manufactured web cookies to falsify login credentials, giving them access to any and all Yahoo! accounts – without a password.
That means that, despite Yahoo! initially reporting that 1 billion accounts had been compromised, in fact every single account on the platform was hacked. And, in 2017, Yahoo! duly disclosed that hackers stole data from not one, but 3 billion user accounts.
Yahoo? We’re not so sure…
Microsoft 2021 Data Breach
In January 2021, hackers discovered four “zero-days” – software vulnerabilities for which no patch yet exists, leaving affected systems open to exploitation and attack – in Microsoft Exchange Servers. Swiftly pouncing on the gap in Microsoft’s digital defenses, hackers managed to gain full access to the affected servers – and all the user email addresses, account passwords, subject lines, and email contents they housed.
When Microsoft publicly acknowledged the breach in March 2021, estimates suggested that around 250,000 servers across 150 countries – 30,000 of those belonging to organizations in the US, and 7,000 to companies in the UK – were impacted.
Facebook 2021 Data Breach
In April 2021 – just three months after the walls of Microsoft’s servers were breached – a similar thing happened to a company with a similarly high profile…
Facebook. And, according to a spokesperson for the social network, the breach was a long time coming. Facebook had been experiencing smaller data breaches since 2013. But in 2019, several security issues were beginning to simmer and fester below the surface.
For one, the company was storing Facebook and Instagram account IDs and passwords in plaintext files – leaving them vulnerable. For another? Facebook’s employees had access to 600 million user accounts. On top of all this, two Facebook apps – developed by third parties – failed to protect the 540 million user records under their stewardship.
The result? Hackers, tampering with Facebook’s API (Application Programming Interface), stole the names, phone numbers, and user IDs of over half a billion Facebook users – in addition to another 300 million of the social platform’s users back in 2019.
When it comes to data breaches, not all industries are equal. In fact, as data from Statista shows, some sectors represent the most lucrative opportunities for hackers and cyber attackers; and, as such, are disproportionately represented in the data.
The graph below shows the average cost of a data breach, by industry, from May 2020 to March 2022. (The data is worldwide – the figures are in millions of US dollars.)
A financially damning data breach, of course, isn’t what the doctor ordered. But unfortunately for the healthcare sector, it’s exactly what they’ve been getting.
The healthcare industry is, by far, the most financially affected by data breaches. As of 2022, the average cost of a data breach for healthcare organizations was an incredible $10.1 million – up from $9.23 million in 2021.
Data breaches are the next-most expensive for businesses in the financial sector. In 2020, data breaches cost financial organizations an average of $5.72 million each. With this number having risen to $5.97 million in 2022, Wall Street needs to become Fire-Wall Street to avoid further leaks to its data (and its coffers).
In 2021 and 2022, data breaches were also highly costly for the pharmaceuticals, technology, and energy industries, respectively. Meanwhile, at the opposite end of the rankings, data breaches in the media, hospitality, and public sectors cost their organizations, on average, the least.
As we’ve seen from these data breach statistics, data breaches have the potential to cost businesses – and big. And not in financial terms alone, either. Because the impact of a severe data breach spans damage to a business’ reputation and brand, as well as to the size – and loyalty – of its customer base.
The bad news? That these data breaches aren’t reserved for the big fish – for the Microsofts, the Facebooks, and the Yahoo!s of this world – but for all businesses and websites. (Including yours!) The good news, though, is that there’s plenty you can do to secure your website – and stop data breaches before they have the chance to dismantle all your business’ hard work.
To learn more about safeguarding your business’ – and your customers’ – data on your online store, explore our in-depth guide to ecommerce security. If you experience problems with your site, it can be worrying, but it doesn’t always mean you’ve been hacked – check out our guide on how to check if your website is down (and what to do about it!) for steps to follow when things go wrong.
If you want to see more statistics on this topic, check out our report on cybersecurity statistics to learn more about the numbers behind online attacks in 2023.
The only newsworthy data breaches involving a website builder are the repeated cyber attacks, from the same set of hackers, on GoDaddy. Reports claim that these data breaches have led to the compromise of data belonging to more than one million of GoDaddy’s users.