
Average Data Breach Costs Hit a Record $4.4 Million, Report Says

Bree Fowler Senior Writer

Data breaches keep coming and keep getting more expensive. (Image: Getty)

What's happening

The average cost of a data breach rose to $4.4 million this year, according to a new report from IBM Security.

Why it matters

More than half of the companies surveyed for the report admitted to passing on those higher costs to customers in the form of higher prices.

Data breach costs keep going up, and consumers are likely paying for them.

The average cost of a data breach rose to an all-time high of $4.4 million this year, according to the IBM Security report released Wednesday. That marked a 2.6% increase from a year ago and a 13% jump since 2020.

More than half of the organizations surveyed acknowledged they had passed on those costs to their customers in the form of higher prices for their products and services, IBM said.

The annual report is based on an analysis of data breaches experienced by 550 organizations around the world between March 2021 and March 2022. The research, which was sponsored and analyzed by IBM, was conducted by the Ponemon Institute.

The cost estimates are based on both immediate and longer-term expenses. Some costs, such as ransom payments and the expense of investigating and containing the breach, tend to be accounted for right away; others, such as regulatory fines and lost sales, can show up years later. On average, those polled said they accrued just under half of the costs related to a given breach more than a year after it occurred.

Case in point, T-Mobile said Friday it would pay $500 million to settle a class action lawsuit filed by customers over a data breach revealed nearly a year ago that exposed the personal information of an estimated 76.6 million people.

Pending judicial approval that could come before the end of the year, T-Mobile will pay $350 million to settle the customers' claims and an additional $150 million to upgrade its data protection. The breach, disclosed in August, exposed information such as customer names, Social Security numbers, phone numbers, addresses and dates of birth.

Many of the highest-cost breaches analyzed in the IBM study involved critical infrastructure within the financial services, industrial, technology, energy, transportation, communication, healthcare, education and public-sector industries.

Those breaches had an average cost of $4.8 million, about $1 million more than the average cost paid by organizations outside of critical infrastructure, IBM said.

Part of that stems from the particularly high cost of healthcare breaches. Healthcare, which is considered critical infrastructure, had the highest average per-breach cost at $10.1 million, up from $9.2 million in 2021.

Critical infrastructure has become an increasingly tempting target for both nation-state attackers and cybercrime gangs in recent years. Last year, ransomware attacks against Colonial Pipeline and meat processor JBS USA shut down both companies for days, even though both paid the equivalent of millions of dollars in ransom to get their data unlocked.

The shutdowns sparked panic buying among consumers, causing both gasoline and meat prices to spike in parts of the US.

Cybersecurity and government officials also warn that the risk of cyberattacks against critical infrastructure in the US and other countries supporting Ukraine could increase if Russia's war against that country continues to drag on.

Eleven percent of the data breaches analyzed in this year's study stemmed from ransomware attacks, up from 7.8% in 2021. Almost a fifth of the breaches were the result of stolen or compromised credentials. Another 16% stemmed from phishing attacks.