As in 2023, headlines in 2024 were full of alarming data breach stories. The National Public Data (NPD) breach was probably the largest real-world breach of 2024, with 2.9 billion records lost. The information exposed included nicknames, Social Security numbers, and other Personally Identifiable Information (PII).
How much does a data breach cost a company? Modern businesses, regardless of size and industry, have endured substantial monetary impact from notorious data breaches. According to the IBM Cost of a Data Breach Report 2024, the global average cost of a data breach in 2024 rose 10% over the previous year, reaching $4.88 million, the biggest jump since the COVID-19 outbreak. It was $4.45 million in 2023. The cost increased due to business disruption, post-breach customer support, and remediation. In addition, 35% of confidential data breaches involved shadow data stored in unmanaged data sources.
Most global organizations were not prepared enough to thwart cybersecurity threats and attacks. As a result, threat actors inflicted regulatory, financial, and reputational damage on their targets. According to Security Magazine’s key findings, Business Email Compromise (BEC) and ransomware attacks were the leading causes, accounting for 53% of attack-related claims. Other common attack vectors include:
- Human error (75%)
- Social engineering (44%)
- Cloud misconfiguration (12%)
- Insider attacks (7%)
- Stolen devices or stolen sensitive data (6%)
- Physical security compromise (6%)
According to Dr. Larry Ponemon, the Chairman and Founder of the Ponemon Institute, a research think tank dedicated to advancing privacy, data protection, and information security, “When companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.”
Short-Tail and Long-Tail Costs of Data Breaches
When a security incident occurs, the affected organization suffers financial repercussions that together make up the overall cost of the breach. Low-impact data breaches can be resolved with short-tail costs, while larger breaches involve costs that continue to add up over time, known as long-tail costs.
Short-Tail Costs
Short-tail costs are the immediate, upfront expenses that begin right after a data breach. They typically last from a few weeks to a few months.
First, the breached organization activates its Incident Response Plan (IRP). Security Operations Center (SOC) analysts determine the cause of the incident, and customers, shareholders, and other stakeholders are notified. These immediate actions incur the following costs:
- IRP costs
- Regulatory penalties
- Fees paid to the legal counsel
- Court expenses
- Costs associated with forensic investigations
Long-Tail Costs
Long-tail costs are the ongoing, long-term costs of data loss resulting from a breach. They can last for years, depending on the damage the breach caused. Typically, long-tail costs include:
- Long-term legal costs, including legal fees and legal settlements
- Costs of disaster recovery
- Decreased employee morale
- Reputational damage
- Lost business opportunities
- Customer attrition and loss
- The cost associated with restoring disrupted operations
- The costs of cybersecurity awareness and employee training
Average Costs of Data Breaches Associated with Regions
According to IBM’s in-depth analysis, in 2024 the average cost of a cybersecurity breach was highest in the United States (US), at around $9.36 million. It was followed by the Middle East ($8.75M), Benelux ($5.90M), Germany ($5.31M), Italy ($4.73M), Canada ($4.66M), the United Kingdom ($4.53M), and others. The US has topped the list for fourteen years. The following diagram compares data breach costs in the affected countries between 2023 and 2024, starting from the highest breach costs.
The Cost of Data Breaches by Industry
Healthcare is the industry most affected by data breaches worldwide. Other industries that are especially vulnerable to data breaches include finance, pharmaceuticals, technology, professional services, and energy.
The cost of data breaches in the healthcare industry fell by 10.6% year on year, from $10.93 million in 2023 to $9.77 million in 2024. Despite this modest reduction, healthcare remains at the top of the list of the costliest data breaches.
The following table shows a graphical representation of the data breaches that impacted highly regulated industries in 2023 and 2024.
Apart from healthcare, every other industry shows a significant increase in the average cost of cyberattacks from 2023 to 2024. The drivers of these rising costs are lost business, operational downtime, regulatory fines, post-breach response, and a deficit of trust.
Post-data breach costs involve expenses of setting up credit monitoring services and call centers for impacted customers.
According to HIPAA Journal, data breach costs are increasing by leaps and bounds due to a lack of skilled staff, which contributes an average of $1.76 million to overall breach costs.
Reputational Damage to the Brand
When a data breach occurs, the victim organization’s public image and trustworthiness suffer. The tarnished reputation creates a deficit of customer trust and spoils relationships with investors, partners, and other affected parties.
Reputation damage is one of the biggest costs of a breach. Allie Mellen, senior analyst at Forrester, tells CSO, “Ultimately, customer trust is very easy to break and very difficult to build.”
IBM’s Cost of a Data Breach Report 2024 also reveals that lost business costs include revenue lost to system downtime as well as the costs of reputational damage and lost customers.
Increased Costs Due to Strict Regulations
Organizations must prevent data breaches to ensure compliance with cybersecurity regulatory standards, including:
- The General Data Protection Regulation (GDPR)
- National Institute of Standards and Technology (NIST)
- The Payment Card Industry Data Security Standard (PCI DSS)
- International Standard Organization (ISO)
- The Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley Act
The cost of non-compliance is very high. The GDPR imposes fines of up to 20 million euros or 4% of an organization’s annual turnover for failing to comply with its requirements for protecting customer PII.
In 2024, Meta had to pay Texas $1.4bn for unlawful biometric data capture. Texas Attorney General Ken Paxton alleged that Meta captured biometric data without consent, in breach of Texas’s Deceptive Trade Practices Act and the Capture or Use of Biometric Identifier (CUBI) Act.
The Way Forward
Cybersecurity teams across the globe are consistently understaffed. Organizations are suffering data breaches because of skills gaps, severe staffing shortages, a lack of trained security staff, and the absence of appropriate cybersecurity solutions such as Managed Detection and Response (MDR).
As a result, the cost of security breaches was very high in 2024. This article explored the short- and long-tail costs of data breaches, average breach costs by region and industry, reputational damage to the brand, and the higher costs imposed by strict regulations.
Astro Information Security’s MDR Services to Counter Cyber Risks
The cost of data breaches is a significant challenge for organizations in today’s threat landscape, so businesses must protect their brand and digital assets to avoid those costs. To this end, Astro Information Security’s MDR services provide 24/7/365 continuous monitoring, proactive threat hunting, direct call-in support, and continuous protection through AI and automation tools combined with our experts’ oversight.
Get started on your security today
Let us know how we can help you stay on track with your cybersecurity. We’ll get back to you in 24 hours or sooner.
