2020 has proved to be a challenging year from all points of view. With the health crisis brought on by the COVID-19 pandemic disrupting the worldwide economy and crippling both large and small businesses, cybersecurity may have been the last thing on anyone’s mind. However, cybercriminals took advantage of the chaos to increase phishing scams and malware cyberattacks, cashing in on the relaxation of security measures. As a consequence, 2020 has been a stellar year for data breaches and regulatory fines.
The rushed adoption of widespread remote work policies in all sectors created large gaps in data security measures, which resulted in an increase in cybercrime and data breaches. According to cybersecurity company Malwarebytes’ Enduring from Home: COVID-19’s Impact on Business Security report, remote workers became the source of nearly 20% of cybersecurity incidents in 2020. Among the companies that answered the survey, 24% also faced unexpected expenses directly linked to malware attacks and a higher number of data breaches due to work from home.
The report also showed a worrying trend among remote workers of using their personal devices instead of their company-issued ones. 27.7% of respondents said they used their personal devices more than their work computers, with a further 31.2% admitting they sometimes used personal devices for work and checking business emails. Only 39.1% strictly used only work-issued devices to perform their duties.
The cybersecurity and information security risks associated with remote work included an increased likelihood of cybercrime due to unsecured internet connections, devices being exposed to access by unauthorized individuals, the difficulty of managing devices through remote work resources, and a decrease in the effectiveness of IT support carried out remotely.
Cost of a data breach
According to IBM and the Ponemon Institute’s Cost of a Data Breach Report 2020, which interviewed 3200 IT and security professionals working for 524 organizations in 17 countries and regions, the global average cost of a data breach reached $3.86 million/breach in 2020.
Companies in the United States had the highest average total cost at $8.64 million/breach, followed by the Middle East at $6.52 million/breach. Lost business continued to be the biggest contributing cost factor, accounting for 39.4% of the average cost of a data breach, and included business disruption and revenue loss from system downtime, loss of existing and new customers, as well as reputational damage.
The healthcare industry continued to average the highest security breach costs of any industry, reaching $7.1 million/breach, a 10.5% increase from last year. The energy sector overtook the financial industry, reaching the second-highest data breach cost with $6.39 million/breach, registering a worrying 14.1% increase from 2019. The finance sector came in third, with $5.85 million/breach, recording a small 0.2% decrease from the previous year.
The reaction time to security breaches also varied greatly by industry, with healthcare organizations taking 329 days on average to identify and contain a breach, while financial institutions only took 233 days.
Customers’ personally identifiable information (PII), which includes sensitive data such as credit card numbers, addresses and phone numbers, was compromised in 80% of all security breaches, making it the type of data most often lost or stolen. Personal data was also the costliest type of data compromised in a data breach, averaging $150/data record.
Main causes of data breaches
The IBM and Ponemon Institute’s report also showed that 52% of all data breaches were caused by cybercriminals, with a further 25% by system glitches and 23% by human error.
Compromised credentials and cloud computing misconfiguration were responsible for 19% of malicious data breaches, with third-party software vulnerabilities accounting for another 16%. Human error was also not the only way employees contributed to security breaches. Malicious insiders were the root cause of 7% of data breaches, while social engineering and phishing attacks that targeted employees directly accounted for a further 17%.
Employees were also shown to be more negligent in some sectors than in others. At the top of the list was the entertainment industry where 34% of all security breaches were caused by careless employees, followed by the public and consumer products sectors where human error accounted for 28% of data breaches. In the healthcare sector, despite heavy regulations, employee negligence was responsible for 27% of all data breaches.
GDPR fines keep increasing
While the enforcement of some data protection regulations, such as HIPAA in the United States, has been relaxed because of the pandemic, European data protection agencies have continued their work unhindered. This year has brought a number of record fines due to non-compliance with the European Union’s General Data Protection Regulation (GDPR). To date, 281 fines have been issued this year, amounting to over $190 million.
Google was the worst hit, with its appeal of the $59 million fine issued by France’s Data Protection Authority (CNIL) being dismissed by the country’s highest court, and the Swedish Data Protection Authority imposing another $8.2 million fine on the tech giant for its failure to comply with an individual’s right to be forgotten.
In October 2020, the second-largest GDPR fine ever imposed, of approximately $41 million, was issued by the Data Protection Authority of Hamburg, Germany to clothing retailer H&M for recording meetings with employees during which sensitive information was disclosed and then sharing them internally among managers.
British Airways was fined $26 million for its failure to prevent a data breach that affected 400,000 customers due to poor security measures. Marriott, meanwhile, was hit with a $24 million fine for the spectacular breach that affected 83 million guest records, which included sensitive data such as payment card information and passport numbers. The data breach investigation showed that the security incident was a consequence of Marriott’s lack of due diligence after acquiring the Starwood Group, whose systems were at the root of the incident.
Reducing data breach costs
Incident response plans were the biggest cost saver when it came to the average cost of a data breach. Businesses that had appointed an incident response team and extensively tested their incident response plan had an average data breach cost of $3.29 million/breach, while those that didn’t have either of them had an average cost of $5.29 million/breach, an impressive $2 million difference.
Data loss prevention is also a key factor in cost-saving, helping companies save on average approximately $165,000/data breach through the direct protection of sensitive data. Extensive encryption can reduce data breach costs by a further $237,000.