Why It Matters
Data breaches have become one of the most costly and common business risks. The average cost of a data breach reached $4.88 million in 2024 (IBM Cost of a Data Breach Report), and the frequency continues to increase. Beyond financial loss, breaches destroy customer trust, trigger regulatory investigations, and in severe cases lead to class-action lawsuits and executive terminations.
Types of Data Breaches
By Method
- Cyberattack โ hacking, malware, ransomware, SQL injection, zero-day exploits
- Social engineering โ phishing, pretexting, business email compromise
- Insider threat โ malicious employees or contractors stealing data
- Human error โ emailing data to wrong recipient, misconfigured cloud storage, lost devices
- Physical breach โ stolen laptops, break-ins, unauthorized access to server rooms
- Third-party breach โ a vendor or supplier is compromised, exposing your data
By Data Type
- Personal data โ names, addresses, emails, phone numbers (triggers GDPR)
- Financial data โ credit cards, bank accounts, payment information (triggers PCI DSS)
- Health data โ medical records, prescriptions, insurance (triggers HIPAA)
- Credentials โ usernames, passwords, access tokens
- Intellectual property โ trade secrets, proprietary code, research
- Government/classified โ national security information
The Numbers
- Average cost: $4.88 million per breach globally (IBM, 2024)
- Average time to identify: 194 days
- Average time to contain: 64 days
- Breaches involving stolen credentials: 16% of all breaches
- Most expensive sector: Healthcare ($9.77 million average)
- Cost savings with incident response team: $2.66 million less per breach
Notification Obligations
| Regulation | To Whom | Deadline | Trigger |
|---|---|---|---|
| GDPR | Supervisory authority | 72 hours | Risk to individuals |
| GDPR | Affected individuals | Without undue delay | High risk to individuals |
| HIPAA | HHS + individuals | 60 days | Breach of unsecured PHI |
| NIS2 | National CSIRT | 24h (early warning), 72h (full) | Significant incident |
| CCPA | Affected consumers | Expeditiously | Breach of unencrypted PI |
| SEC Reg S-P | Affected individuals | 30 days | Sensitive customer info |
Response Steps
- Contain โ isolate affected systems, revoke compromised credentials
- Assess โ determine scope, data involved, number of individuals affected
- Notify โ regulatory authorities and affected individuals within required deadlines
- Investigate โ root cause analysis, forensic examination
- Remediate โ patch vulnerabilities, strengthen controls
- Learn โ post-incident review, update incident response plan
Key Regulation
- GDPR Articles 33โ34 โ breach notification obligations
- HIPAA Breach Notification Rule โ healthcare breach reporting
- US state breach notification laws โ all 50 states have breach notification laws
- NIS2 Article 23 โ cybersecurity incident reporting