Data breach costs keep going up, and consumers are likely paying for them.
The average cost of a data breach rose to an all-time high of $4.4 million this year, according to the IBM Security report released Wednesday. That marked a 2.6% increase from a year ago and a 13% jump since 2020.
More than half of the organizations surveyed acknowledged they had passed on those costs to their customers in the form of higher prices for their products and services, IBM said.
The annual report is based on an analysis of data breaches experienced by 550 organizations around the world between March 2021 and March 2022. The research, which was sponsored and analyzed by IBM, was conducted by the Ponemon Institute.
The cost estimates are based on immediate expenses like ransoms paid and costs for investigating and containing the breach. Other costs include regulatory fines and lost sales that can show up years later. On average, those polled said they accrued just under half of the costs related to a given breach more than a year after it occurred.
Case in point, T-Mobile said Friday it would pay $500 million to settle a class action lawsuit filed by customers over a data breach revealed nearly a year ago that exposed the personal information of an estimated 76.6 million people.
Pending judicial approval that could come before the end of the year, T-Mobile will pay $350 million to settle the customers’ claims and an additional $150 million to upgrade its data protection. The breach, disclosed in August, exposed information such as customer names, Social Security numbers, phone numbers, addresses and dates of birth.
Many of the highest-cost breaches analyzed in the IBM study involved critical infrastructure within the financial services, industrial, technology, energy, transportation, communication, healthcare, education and public-sector industries.
Those breaches had an average cost of $4.8 million, about $1 million more than the average cost paid by organizations outside of critical infrastructure, IBM said.
Part of that stems from the particularly high costs of healthcare industry breaches. Healthcare, which is considered to be critical infrastructure, had the highest average per-breach cost of $10.1 million, up from $9.2 million in 2021.
Critical infrastructure has become an increasingly tempting target for both nation-state attackers and cybercrime gangs in recent years. Last year, ransomware attacks against Colonial Pipeline and meat processor JBS USA shut down both companies for days, even though they both paid the equivalent of millions of dollars in ransom to get their data unlocked.
The shutdowns sparked panic buying among consumers, causing both gasoline and meat prices to spike in parts of the US.
Cybersecurity and government officials also warn that the risk of cyber attacks against critical infrastructure in the US and other countries supporting Ukraine could increase if Russia’s war against that country continues to drag on.
Eleven percent of the data breaches analyzed in this year’s study stemmed from ransomware attacks, up from 7.8% in 2021. Almost a fifth of the breaches were the result of stolen or compromised credentials. Another 16% stemmed from phishing attacks.