Data breaches are more costly for these 10 industries
The cost of data breaches around the world is growing. The global average cost of a data breach in 2021 totaled $4.24 million, according to IBM research. Data breaches result from unintended leaks or targeted cybercrimes where an unauthorized person accesses, transmits, or steals sensitive information.
To understand the cost of failures in data security, Beyond Identity collected research from IBM Security’s Cost of a Data Breach Report 2021. This study looked at 537 data breaches across 17 industries and countries. IBM’s data excluded larger and smaller data breaches. In the study, researchers looked at breaches that exposed between 2,000 and 101,000 records.
The cost of a breach was calculated based on four categories of spending: detection and escalation, notification, post-breach response, and lost business. If the average value of a data breach in 2021 was the same for two industries, the one with the larger year-over-year change was ranked higher.
A February 2022 study from ThoughtLab found the average number of these incidents increased by 15.1% in 2021. Anyone from lone hackers to national governments can perpetrate these attacks. In March 2021, Microsoft intercepted a hacker group attempting to infiltrate its popular mail and calendar program, Exchange. The company suspected a state-sponsored hacker group from China, which immediately led to an emergency warning from the U.S. government to improve its cybersecurity.
Confidential data compromised during these incidents included personally identifiable information, corporate data, and intellectual property. IBM reported that compromised credentials caused 20% of the data breaches. Some malicious groups create breaches to use the information in other criminal activities such as credit card fraud and identity theft. It takes 287 days on average to identify and contain a breach.
Increased remote work is contributing to rising data breach costs, and organizations that haven’t adopted cybersecurity measures are more vulnerable to such incidents. During the pandemic, cybercrime expanded from targeting individuals and small businesses to major corporations and infrastructure. There was a 10% increase from 2020 to 2021 in the average cost of a data breach to industries in many major countries, per IBM.
Read on to learn about the top 10 industries that faced serious financial damages because of data breaches.
- Average cost of data breach in 2021: $3.75 million
- Change from 2020: 4.7%
Industries rely heavily on data, and in January 2022, the transportation industry saw more than half a million credit reports exposed online. Security researcher Jeremiah Fowler and the Website Planet team found a database without password protection containing credit data, banking information, and tax ID numbers for companies and individuals in U.S. and Canadian transportation industries.
Hackers getting their hands on highly personal data that can be linked to individuals is not unique to the transportation industry. Based on IBM’s report, 44% of all industry data breaches worldwide in 2021 led to losing personally identifiable information—the most costly record type to lose in a breach.
- Average cost of data breach in 2021: $3.79 million
- Change from 2020: -2.8%
The education sector went through dramatic adjustments during the pandemic as students transitioned to remote learning, increasing the potential cost of a data breach.
According to the IBM report, ransomware attacks accounted for more than $4.65 million in 2021. In December 2021, the Chicago Public School District faced a ransomware attack in which more than half a million student and employee records held by the teacher evaluation vendor, Battelle for Kids, were breached.
The CPS suggested Battelle for Kids caused the breach by failing to encrypt data. The CPS wasn’t informed of the student data breach until April 2022. It learned in May 2022 that teachers' data was also leaked. The vendor said verifying and investigating the breach with law enforcement caused the delayed notification.
According to IBM, the longer it takes to identify a breach, the more costly it is on average. They added that finding a breach in 2021 took a week longer than in 2020.
- Average cost of data breach in 2021: $3.80 million
- Change from 2020: not available
In November 2020, WildWorks, the creator of the kids’ video game Animal Jam, announced a data breach involving the loss of 46 million records that took them a month to identify. The company eventually revealed that the breach exposed 5.7 million records showing the player’s full birth date and 7 million parents’ email addresses. The game maker said security researchers found the information posted on a cybercrime forum and alerted them.
As important as cybersecurity is, many executives say they aren’t prepared to keep up with the threat of data breaches due to the complexity of the challenge and how quickly it changes.
- Average cost of data breach in 2021: $4.24 million
- Change from 2020: -15.0%
The pandemic and the Russia-Ukraine war are straining supply chains and industrial production while experts see sharp increases in the number of cybercrimes during these times of crisis. According to Aimei Wei, founder and chief technology officer of Stellar Cyber, cyberattacks increased by more than 800% during a 48-hour period following the beginning of the war.
Hacks can be far-reaching and affect multiple industrial companies at once. In 2017, a piece of malware known as NotPetya halted international production facilities and multinational corporations including food and beverage company Mondelez, the Danish shipping company Maersk, and Russian oil company Rosneft. The White House stated that NotPetya cost companies $10 billion in total.
- Average cost of data breach in 2021: $4.65 million
- Change from 2020: -27.2%
In May 2021, fuel supplies were disrupted throughout the Southeast due to a security breach at Colonial Pipeline, which became a victim of a ransomware attack. The attack revealed the vulnerability of America’s energy infrastructure, and the CEO of Colonial Pipeline was summoned to the Senate to explain how hackers were able to compromise the company’s security: A legacy network system with single-factor authentication allowed hackers to disrupt operations that delivered fuel to Gulf Coast refineries.
Despite the high-profile spotlight on the Colonial Pipeline incident, the energy sector remains a key target. One of the largest data breaches in the energy sector happened just a few months ago. In March 2022, Spanish energy titan Iberdrola reported the exposure of 1.3 million people’s personal data. The company said hackers obtained names, addresses, and phone numbers. Spanish authorities warned those affected to be wary of emails claiming to come from Iberdrola.
- Average cost of data breach in 2021: $4.65 million
- Change from 2020: 9.9%
The services industry experienced a significant increase in the average cost of a data breach from 2020 to 2021, and IBM reports this industry, along with media and hospitality, has weaker data protection regulations.
Regulatory compliance was a key factor in determining the average cost of a data breach, with highly compliant businesses paying $2.3 million less during a breach. Less regulated industries such as services also faced the brunt of their financial burden sooner, incurring 68% of the cost in the first year versus 46% for highly regulated industries in that same period.
- Average cost of data breach in 2021: $4.88 million
- Change from 2020: -3.2%
Large-scale cyber incidents, including the T-Mobile breach in August 2021 where hackers stole information from 40 million former or prospective customers, are a reminder that even tech-focused companies struggle to keep up with the growing sophistication of cybercrime.
The tech industry also saw a major shift toward remote work during the pandemic. According to a May 2022 survey by business intelligence company Morning Consult, 85% of tech workers reported following a fully remote or hybrid work model following the onset of the pandemic. IBM’s report found that data breaches caused by remote work cost $1.07 million more on average.
- Average cost of data breach in 2021: $5.04 million
- Change from 2020: -0.4%
The potential for supply chain issues related to medicine during global emergencies presents serious implications when it comes to cybersecurity. The pharmaceutical industry experienced rapid changes during the pandemic, which meant quickly deploying new networks and technology.
Cybercriminals take advantage of security vulnerabilities during times of crisis or uncertainty. In December 2020, hackers stole documents connected to the development of COVID-19 vaccines from Pfizer and BioNTech. There were initial fears around potential vaccine delays stemming from the hack, and this highly sought information could be exceptionally valuable to other countries and companies.
- Average cost of data breach in 2021: $5.72 million
- Change from 2020: -2.2%
Financial motivation drives the majority of cybercrime. According to Verizon’s 2022 Data Breach Investigations Report, 71% of all data breaches at large organizations are financially motivated. The financial industry has been the target of some of the most costly and largest data breaches, including one of the worst in May 2019, when First American Financial accidentally leaked the detailed bank information of more than 800 million people.
A website error allowed anyone with a valid link to access sensitive information such as names, bank account numbers, and Social Security numbers contained on mortgage documents. A whistleblower noted that no passwords or security measures were in place to protect the documents.
#1. Health care
- Average cost of data breach in 2021: $9.23 million
- Change from 2020: 29.5%
The health care industry encountered the highest average cost of a data breach for 11 consecutive years. Data breach costs for the industry increased 29.5% from 2020 to 2021, per IBM.
In August 2021, plaintiffs filed 10 lawsuits, which included a class-action lawsuit against health care technology company CaptureRx claiming they didn’t do enough to protect more than 2.4 million patients’ personal data.
The lawsuit followed a cyber incident where the company discovered a hack exposing files with patients’ names, birth dates, and prescription information. In February 2022, CaptureRx agreed to pay $4.75 million to settle all 10 lawsuits with a stipulation that they improve their cybersecurity within 90 days.