
The cost of a data breach continues to escalate

The global average cost of a data breach leaped by 10% compared to the previous reporting period, hitting US$4.88 million, according to the 19th annual Cost of a Data Breach Report from IBM, which covers the period from March 2023 to February 2024.

That’s a whopping 26.4% higher than the US$3.86 million reported in the 2018 edition, just six years ago, and 39.4% higher than in 2014.

“The report highlights trends I have been concerned about since the second half of 2023 when we started seeing organizations cut security staffing and budget,” said David Shipley, CEO and co-founder of Beauceron Security. “These are predictable outcomes of the combination of an out-of-control cybercrime wildfire combined with cutbacks both in cyber fire prevention and firefighting.”

Of the 604 organizations that took part in the study, 70% experienced a significant or very significant disruption to business as a result of a breach.

Regional costs

Leading the pack for the 14th year (and not in a good way) was the US, whose average breach cost was $9.36 million. While that was a small decline from 2023’s $9.48 million, it still outstripped the rest of the world by more than half a million dollars per breach. The Middle East, which for the report covered Saudi Arabia and the United Arab Emirates, was number two of the 16 countries and regions surveyed, at $8.75 million, up from 2023’s $8.07 million. It is important to note that the number of organizations surveyed in each country varies considerably; for example, there were 39 respondents from the Middle East and 71 from the US.

The UK was no. 7 on the list at $4.53 million, ASEAN (which for the report covered Singapore, Indonesia, the Philippines, Malaysia, Thailand and Vietnam) was no. 12 at $3.23 million, Australia followed at $2.78 million, and India was no. 15 at $2.35 million.

For the second year in a row, Brazil took the crown as the country with the lowest cost per breach, at $1.36 million (though up by 11.5%, from $1.22 million in 2023).

Damages vary by attack type and skills shortage

The type of attack influenced the financial damage, the report noted. Destructive attacks, in which the bad actors delete data and destroy systems, cost the most: $5.68 million per breach ($5.23 million in 2023). Data exfiltration, in which data is stolen, and ransomware, in which data is encrypted and a ransom demanded, came second and third, at $5.21 million and $4.91 million respectively.

However, noted Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group, sometimes attackers combine their tactics. “Double extortion ransomware attacks are a key factor that is influencing the cost of data breaches,” he said in an email. “Since 2023, we have observed that ransomware attacks now include double extortion attacks. In this type of attack, data is exfiltrated prior to being encrypted. By doing this, cybercriminals are able to hold the organization hostage for the stolen data and also expect payment for providing a decryption key. This often results in higher payments being requested by cyber criminals and causing higher recovery fees and longer business disruptions.”

The report also highlighted a strong link between a shortage of skilled security workers and higher costs of data breaches. In 2024, 53% of organizations reported a skills shortage, compared to 42% in 2023. And they’re paying the price: the cost of a breach in these organizations was $5.74 million in 2024, 7.1% higher than the 2023 figure, and $860,000 higher than the global average breach cost.

Breaches by industry

Although healthcare remains the industry with the highest cost per breach by far, at $9.77 million, it has made some progress: the cost per breach fell 10.6% compared to 2023. It was one of only four sectors out of 17 that managed to shave the cost of each breach; the others were research (down 2.5%), education (down 4.3%), and the public sector (down 2%).

The least expensive breaches in both 2023 and 2024 were at organizations in the public sector, retail, education, research, and hospitality, although retail suffered a 17.5% cost increase in 2024, and hospitality’s cost per breach leaped by 13.7%.

It’s interesting to note that in 2016, education was second only to healthcare in cost per breach.

Attackers chase PII, IP, anonymized customer data and corporate data

It’s probably no surprise that personally identifiable information (PII) was by far the main type of data snatched during breaches. In 2024, 48% of compromised records were customer PII (in 2023, it was 52%). Employee PII was second in 2023, at 40%, dropping to third (37%) in 2024. It swapped places with intellectual property (IP); 47% of stolen records were IP in 2024, compared to 34% in 2023.

Rounding out the top five data types were anonymized customer data and other corporate data, in 4th and 5th positions respectively in 2023. They switched places in 2024.

A new category was added in 2024: shadow data. Shadow data is data that is stored in unmanaged data sources, and 35% of breaches involved it. Worse, its theft, said the report, correlated to a 16% higher cost per breach.

“Researchers found storing data across environments proved to be a common storage strategy, accounting for 40% of breaches,” the report noted. “These breaches also took longer to identify and contain. In contrast, data stored in just one type of environment was breached less often, whether that environment was public cloud (25%), on premises (20%) or private cloud (15%).”

“This risk of shadow data will become even more elevated in the AI era, with data serving as the foundation on which new AI-powered applications and use-cases are being built,” added Jennifer Kady, vice president, security at IBM. “Gaining control and visibility over shadow data from a security perspective has emerged as a top priority as companies move quickly to adopt generative AI, while also ensuring security and privacy are at the forefront.”

Initial attack vectors and root causes

The top cause of data breaches was stolen or compromised credentials, highlighting the need for stronger authentication. Second was that old standard, phishing, followed by cloud misconfiguration.

Sadly for companies, 45% of breaches in 2024 were caused by IT failure or human error. Malicious insider attacks may have only accounted for a small proportion of attacks, but they were by far the most expensive, at $4.99 million in 2024.

“Over the past few years, we’ve continued to see stolen credentials rise as a top attack vector, and also one of the most costly,” Kady said. “Unfortunately, this trend is cyclical – with more data breaches, more passwords and credentials become available on the dark web, making it easier for attackers to simply ‘log in’ using valid credentials, rather than hack in using more complicated methods — making modern, identity-based detection and response a critical area of investment for security teams.

“Another misconception we’re hearing is that many security leaders think that even if credentials or PII are stolen, encryption is a fail-safe that will ultimately protect their data. But with quantum technology rapidly evolving, we can’t rely on encryption alone — so companies’ investments in protecting their sensitive data and PII now will pay off significantly in the quantum era.”
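The identity-based detection Kady refers to above, as an added example that is not from the article or from IBM's report: a small Python detector run over a handful of constructed authentication events (the JSON-lines field names, the coordinates and the thresholds are all assumptions, not any product's real log schema). It flags the two cheapest signals that an attacker is "logging in" with valid credentials rather than hacking in: a successful login that follows a burst of failures for the same account (a credential-stuffing hit), and "impossible travel", two successful logins for one user whose implied speed between GeoIP locations is not physically achievable.

```python
import json
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (JSON lines). The schema is an assumption for
# this example: ts (ISO-8601 UTC), user, result, source ip, GeoIP lat/lon.
# alice: New York at 09:00, then Singapore 45 minutes later (impossible).
# bob:   six failures in six minutes, then a success from the same IP.
# carol: two normal London logins four hours apart (benign).
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:00Z","user":"carol","result":"success","ip":"192.0.2.20","lat":51.51,"lon":-0.13}
{"ts":"2024-05-01T09:00:00Z","user":"alice","result":"success","ip":"203.0.113.10","lat":40.71,"lon":-74.01}
{"ts":"2024-05-01T09:45:00Z","user":"alice","result":"success","ip":"198.51.100.7","lat":1.35,"lon":103.82}
{"ts":"2024-05-01T10:00:00Z","user":"bob","result":"failure","ip":"192.0.2.50","lat":48.86,"lon":2.35}
{"ts":"2024-05-01T10:01:00Z","user":"bob","result":"failure","ip":"192.0.2.50","lat":48.86,"lon":2.35}
{"ts":"2024-05-01T10:02:00Z","user":"bob","result":"failure","ip":"192.0.2.50","lat":48.86,"lon":2.35}
{"ts":"2024-05-01T10:03:00Z","user":"bob","result":"failure","ip":"192.0.2.50","lat":48.86,"lon":2.35}
{"ts":"2024-05-01T10:04:00Z","user":"bob","result":"failure","ip":"192.0.2.50","lat":48.86,"lon":2.35}
{"ts":"2024-05-01T10:05:00Z","user":"bob","result":"failure","ip":"192.0.2.50","lat":48.86,"lon":2.35}
{"ts":"2024-05-01T10:06:00Z","user":"bob","result":"success","ip":"192.0.2.50","lat":48.86,"lon":2.35}
{"ts":"2024-05-01T12:00:00Z","user":"carol","result":"success","ip":"192.0.2.20","lat":51.51,"lon":-0.13}
{"ts":"2024-05-01T14:00:00Z","user":"bob","result":"failure","ip":"192.0.2.50","lat":48.86,"lon":2.35}
{"ts":"2024-05-01T14:01:00Z","user":"bob","result":"success","ip":"192.0.2.50","lat":48.86,"lon":2.35}
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, max_speed_kmh=900.0, min_distance_km=100.0,
           fail_burst=5, burst_window=timedelta(minutes=10)):
    """Return alerts for valid-credential abuse patterns, in event order.

    Thresholds are assumptions: 900 km/h is roughly airliner speed, and
    min_distance_km suppresses GeoIP jitter between nearby locations.
    """
    alerts = []
    last_success = {}                 # user -> last successful event
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    for e in events:
        user, ts = e["user"], e["ts"]
        fails = recent_failures[user]
        while fails and ts - fails[0] > burst_window:   # expire old failures
            fails.popleft()
        if e["result"] == "failure":
            fails.append(ts)
            continue
        if e["result"] != "success":
            continue
        # Rule 1: success preceded by a burst of failures on the same account.
        if len(fails) >= fail_burst:
            alerts.append({"rule": "success_after_failures", "user": user,
                           "ts": ts.isoformat(), "ip": e["ip"], "failures": len(fails)})
        fails.clear()
        # Rule 2: impossible travel between consecutive successes.
        prev = last_success.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (ts - prev["ts"]).total_seconds() / 3600.0
            if km >= min_distance_km and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append({"rule": "impossible_travel", "user": user,
                               "ts": ts.isoformat(), "ip": e["ip"],
                               "km": round(km), "hours": round(hours, 2)})
        last_success[user] = e
    return alerts


def run_detection(text=SAMPLE_LOG):
    return detect(parse_events(text))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the constructed sample the detector raises exactly two alerts: impossible travel for alice (about 15,300 km in 45 minutes) and a success-after-failures hit for bob at 10:06; bob's later single failure followed by a success, and carol's two London logins, stay below the thresholds. In production the same two rules would run against the IdP's sign-in log with a real GeoIP lookup, and the session behind each alert is what response teams revoke first, since the credentials themselves are valid.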

Law enforcement involvement

In 2023 and 2024, respondents were quizzed about the impact law enforcement involvement had on the cost of ransomware attacks. The report found that, in 2024, 52% of ransomware victims called in law enforcement, and of those, 63% avoided paying a ransom. They also ended up saving almost $1 million (excluding any ransom paid) compared to those who did not involve law enforcement, with breach costs of $4.38 million ($4.64 million in 2023). The average cost of a breach without law enforcement involvement in 2024 was $5.37 million ($5.11 million in 2023).

Law enforcement involvement also sped up the identification and containment of a ransomware attack, cutting it from 297 to 281 days on average.

Security AI and automation

The report noted that, in 2024, the average cost saving per breach for organizations using security AI and automation tools was $2.22 million, up from $1.76 million in 2023.

“While data breach costs have continued to rise over the majority of the history of this report, we’ve also seen adoption and investment in key security technologies and approaches improving,” Kady said. “More and more organizations are adopting AI and automation-based security approaches focused on speeding response times — which is one of the top factors linked to reducing data breach costs,” she added. “Additionally, more organizations are investing in incident response practices – not only from a technical standpoint, but also adopting more formal playbooks for the entire business to know their role in responding to an incident.”

What needs to happen

The changing security landscape means companies need to revise their strategies. “Today’s IT landscape that security professionals are tasked with protecting is exponentially larger and more complex than what we were facing even 10 years ago – with the unprecedented ease and speed at which employees are standing up new applications and cloud resources,” Kady said. “The report findings emphasize the criticality of these issues, with 40% of breaches involving data stored across multiple environments, and 35% involving shadow data.”

What is needed, according to Shipley, is sustained investment in cybersecurity within organizations, together with national and international efforts and funding to combat organized cybercrime. “We also need executive and security leaders to ignore overhyped AI tooling in favour of the basics (identity, assets, and security culture) through investments in people, process, culture, and technology.”
