Average cost of data breach climbed to record $4.45 million last year, research finds

UnitedHealth Group now estimates that the cyberattack on its Change Healthcare business unit earlier this year will cost the company between $2.3 billion and $2.45 billion. The damage to its reputation and the economic fallout to its clients may be incalculable.

The company is not alone, as the cost of data breaches has reached record levels. IBM Security analyzed the rising expense associated with cyberattacks in its Cost of a Data Breach Report 2023.

“Globally, the average cost of a data breach rose to $4.45 million, a $100,000 increase from 2022,” the report said. “This represents a 2.3% increase from the 2022 average cost of $4.35 million. Since 2020, when the average total cost of a data breach was $3.86 million, the average total cost has increased 15.3%.”

Among the report’s key findings:

• Slightly more than half of organizations plan to increase security investments as a result of a breach. The top areas identified for additional investments included incident response planning and testing, employee training and threat detection and response technologies.
• Extensive security AI and automation has a $1.76 million impact on reducing costs and minimizing time to identify and contain breaches. Organizations that used these capabilities extensively within their approach experienced, on average, a 108-day shorter time to identify and contain the breach.
• Only one-third of companies discovered a data breach through their own security teams, highlighting a need for better threat detection. Two-thirds of breaches were reported by a benign third party or by the attackers themselves. When attackers disclosed a breach, it cost organizations nearly $1 million more.
• Not involving law enforcement in a ransomware attack costs organization $470,000 more. Although 63% of respondents said they involved law enforcement, the 37% that didn’t paid 9.6% more and experienced a 33-day longer breach lifecycle.
• Since 2020, health care data breach costs have increased 53.3%. The highly regulated health care industry has seen a considerable rise in data breach costs over that time period. For the 13th year in a row, the health care industry reported the most expensive data breaches, at an average cost of nearly $11 million.
• Eighty-two percent of breaches involved data stored in the cloud, whether in public, private or multiple environments. Attackers often gained access to multiple environments, with 39% of breaches spanning multiple environments and incurring a higher-than-average cost of $4.75 million.

Related: UnitedHealth sued by providers, pharmacy group over massive Change data breach

The report concluded with four recommendations: Build security into every stage of software development and deployment, and test regularly; modernize data protection across the hybrid cloud; use security AI and automation to increase speed and accuracy; and strengthen resiliency by knowing the attack surface and practicing incident response.