According to IBM, the average cost of a data breach reached an all-time high of $4.35 mln in 2022. This figure represents a 2.6% increase from last year, when the average cost of a breach was $4.24 mln, and a 12.7% climb from the $3.86 mln average reported in 2020.
83% of organizations studied have experienced more than one data breach, and just 17% said this was their first data breach.
60% of organizations studied stated that they increased the price of their services or products because of the data breach.
[Chart: Average total cost of a data breach]
Critical infrastructure organizations included those in the financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries.
The average cost of a data breach for critical infrastructure organizations studied was $4.82 mln — $1 mln more than the average cost for organizations in other industries.
28% of these organizations experienced a destructive or ransomware attack, while 17% suffered a breach because a business partner was compromised.
Breaches at organizations with fully deployed security AI and automation cost $3.05 mln less than breaches at organizations with no security AI and automation deployed.
[Chart: Average per record cost of a data breach]
This 65.2% difference in average breach cost — between $3.15 mln for fully deployed versus $6.20 mln for not deployed — represented the largest cost savings in the study.
Companies with fully deployed security AI and automation also experienced on average a 74-day shorter time to identify and contain the breach, known as the breach lifecycle, than those without security AI and automation — 249 days versus 323 days.
[Chart: Average cost of a data breach by industry]
The use of security AI and automation jumped by nearly one-fifth in two years, from 59% in 2020 to 70% in 2022.
The top five countries and regions with the highest average cost of a data breach were the United States at $9.44 mln, the Middle East at $7.46 mln, Canada at $5.64 mln, the United Kingdom at $5.05 mln and Germany at $4.85 mln.
The United States has led the list for 12 years in a row. Meanwhile, the country with the fastest growth rate over last year was Brazil, a 27.8% increase from $1.08 mln to $1.38 mln.
Eleven percent of breaches in the study were ransomware attacks, an increase from 2021, when 7.8% of breaches were ransomware, for a growth rate of 41%. The average cost of a ransomware attack went down slightly, from USD 4.62 million in 2021 to USD 4.54 million in 2022. This cost was slightly higher than the overall average total cost of a data breach, USD 4.35 million.
Use of stolen or compromised credentials remains the most common cause of a data breach.
Stolen or compromised credentials were the primary attack vector in 19% of breaches in the 2022 study and also the top attack vector in the 2021 study, having caused 20% of breaches. Breaches caused by stolen or compromised credentials had an average cost of USD 4.50 million.
These breaches had the longest lifecycle — 243 days to identify the breach, and another 84 days to contain the breach. Phishing was the second most common cause of a breach at 16% and also the costliest, averaging USD 4.91 million in breach costs.
Just 41% of organizations in the study said they deploy a zero trust security architecture. The other 59%, which don’t deploy zero trust, incur on average USD 1 million more in breach costs than those that do.
Among critical infrastructure organizations, an even higher share, 79%, don’t deploy zero trust.
These organizations experienced on average USD 5.40 million in breach costs, more than USD 1 million above the global average.
When remote working was a factor in causing the breach, costs were an average of nearly USD 1 million greater than in breaches where remote working wasn’t a factor — USD 4.99 million versus USD 4.02 million. Remote work-related breaches cost on average about USD 600,000 more compared to the global average.
45% of breaches in the study occurred in the cloud. Yet breaches that happened in a hybrid cloud environment cost an average of USD 3.80 million, compared to USD 4.24 million for breaches in private clouds and USD 5.02 million for breaches in public clouds.
The cost difference was 27.6% between hybrid cloud breaches and public cloud breaches. Organizations with a hybrid cloud model also had shorter breach lifecycles than organizations that solely adopted a public or private cloud model.
Data breach FAQ
What is a data breach?
A breach is defined as an event in which an individual’s name, together with a medical record, a financial record or both, or a debit card, is potentially put at risk. These records can be in electronic or paper format. Breaches included in the study ranged from 2,200 to 102,000 compromised records.
What is a compromised record?
A record is information that identifies the natural person or individual whose information has been lost or stolen in a data breach. Examples include a database with an individual’s name, credit card information and other personally identifiable information (PII) or a health record with the policyholder’s name and payment information.
How do you collect the data?
Our researchers collected in-depth qualitative data through over 3,600 separate interviews with individuals at 550 organizations that suffered a data breach between March 2021 and March 2022. Interviewees included IT, compliance and information security practitioners familiar with their organization’s data breach and the costs associated with resolving the breach. For privacy purposes, we didn’t collect organization-specific information.
How do you calculate the average cost of a data breach?
We collected both the direct and indirect expenses incurred by the organization. Direct expenses included engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs included in-house investigations and communication, and the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.
How does benchmark research differ from survey research?
The unit of analysis in the Cost of a Data Breach Report was the organization. In survey research, the unit of analysis is the individual. We recruited 550 organizations to participate in this study.
Can the average per record cost be used to calculate the cost of breaches involving millions of lost or stolen records?
The average cost of data breaches in our research doesn’t apply to catastrophic or mega data breaches, such as Equifax, Capital One or Facebook. These events aren’t typical of the breaches many organizations experience. To draw useful conclusions in understanding data breach cost behaviors, we targeted data breach incidents that didn’t exceed 102,000 records.
Why did you use simulation methods to estimate the cost of a mega data breach?
The sample size of 13 companies that experienced a mega breach was too small to perform a statistically significant analysis using activity-based cost methods. To remedy this issue, we deployed Monte Carlo simulation to estimate a range of possible (random) outcomes through repeated trials.
In total, we performed more than 150,000 trials. The grand mean of all sample means provided a most likely outcome at each size of data breach, ranging from 1 million to 60 million compromised records.
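As an added illustration of the simulation approach described in this answer (example code written for this page, not IBM's or the Ponemon Institute's own model), the block below bootstraps a small sample of per-record costs: each trial resamples the observations with replacement and records the sample mean, and the grand mean of all sample means gives the most likely per-record cost, which is then scaled to breach sizes from 1 million to 60 million records. The 13 per-record cost observations are constructed for the example, and the linear scaling of per-record cost with breach size is a simplifying assumption of this example, not something the report states.

```python
"""Monte Carlo (bootstrap) estimate of mega-breach cost from a small sample.

Added example for this page; the observations and the linear scaling
assumption are constructed for illustration, not taken from the report.
"""
import random
import statistics

# Constructed per-record cost observations (USD) standing in for a
# hypothetical 13-company mega-breach sample. Not IBM data.
SAMPLE_PER_RECORD_COST = [
    2.10, 1.75, 2.60, 1.40, 3.05, 1.95, 2.25, 1.60, 2.80, 1.85, 2.40, 1.55, 2.95,
]


def monte_carlo_cost(per_record_costs, records, trials, seed=0):
    """Estimate the most likely total cost for a breach of `records` records.

    Each trial draws a bootstrap sample (with replacement, same size as the
    input) from the observed per-record costs and keeps the sample mean.
    The grand mean of those sample means, multiplied by the breach size, is
    the point estimate; the 5th and 95th percentiles of the sample means
    give a plausible range. A fixed seed makes the run reproducible.
    """
    rng = random.Random(seed)
    n = len(per_record_costs)
    sample_means = []
    for _ in range(trials):
        draw = [rng.choice(per_record_costs) for _ in range(n)]
        sample_means.append(statistics.fmean(draw))
    grand_mean = statistics.fmean(sample_means)
    ordered = sorted(sample_means)
    low = ordered[int(0.05 * trials)] * records
    high = ordered[int(0.95 * trials) - 1] * records
    return {
        "trials": trials,
        "estimate": grand_mean * records,
        "low": low,
        "high": high,
    }


def cost_curve(per_record_costs, sizes, trials, seed=0):
    """Point estimate for each breach size, e.g. 1 million to 60 million records."""
    return {
        size: monte_carlo_cost(per_record_costs, size, trials, seed)["estimate"]
        for size in sizes
    }


if __name__ == "__main__":
    sizes = [1_000_000, 10_000_000, 60_000_000]
    for size, est in cost_curve(SAMPLE_PER_RECORD_COST, sizes, 10_000).items():
        print(f"{size:>12,} records: estimated cost USD {est:,.0f}")
```

With only 13 observations the bootstrap cannot add information that is not in the sample; what it does add is a defensible range around the point estimate, which is why the report quotes a most likely outcome per breach size rather than a single exact figure.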
Are you tracking the same organizations each year?
Each annual study involves a different sample of companies. To be consistent with previous reports, we recruit and match companies each year with similar characteristics such as the company’s industry, headcount, geographic footprint and size of data breach. Since starting this research in 2005, we have studied the data breach experiences of 5,027 organizations.
Edited by Nataly Kramer