Global average cost of a data breach reaches all time high

What happened

• IBM Security’s 2023 annual ‘Cost of a Data Breach Report’ has shown that the global average cost of a data breach hit an all-time high of $4.45 million in 2023
• This represents a 15% increase over the last three years.
• The study of 553 global organisations also revealed that the cost of detecting and escalating data breaches grew by 42%, which indicates a shift towards more complex breach investigations.
• The report found that organisations who have suffered a breach are more likely to pass incident costs onto consumers (57%) than to increase investments in security (51%).
• AI and automation had the biggest impact on the speed that breaches were identified and contained, for the organisations studied.
• The report found that ransomware victims who involved law enforcement saved $470,000 in the average costs of a breach compared to those who chose not to involve law enforcement.
• Only one-third of the breaches studied were detected by an organisation’s own security teams or tools, compared to 27% that were disclosed by an attacker.
• A huge 82% of breaches involved data stored in the cloud – public, private or multiple environments
• The time taken to identify and contain breaches continues to be important to the overall financial impact. Breaches identified and contained under 200 days cost $3.93m but those taking over 200 days cost $4.95m (a 23% difference)

Why it matters

The report shows;

• the costs of data breaches are increasing rapidly
• ransomware victims have benefited from involving law enforcement
• cloud environments were frequent targets for cyber attackers in 2023
• the longer the time taken to resolve a breach, the higher the financial impact
• Organisations need to do more to detect data breaches quickly including incident response planning and testing, employee training and threat detection

Further information

IBM’s report can be found at

•  Global Data Breach Report 2023

What happened

• The ICO recently issued a reprimand to My Media World Ltd t/a Brand New Tube (BNT) over a cyber attack
• The attack happened in August 2022 when an unauthorised 3^rd party was able to access BNT’s systems and remove the personal data of 345,000 individuals
• Despite the type of data not being particularly high risk, the ICO’s action has shown the importance of regular pen testing
• The ICO said a server misconfiguration and a DDoS attack were responsible for the access to BNT’s systems
• One of the main data protection principles is the need to have appropriate technical and organisational measures in place
• Measures include having adequate contracts in place with suppliers, maintaining Records of Processing (ROPA) documents and carrying out regular scans and testing

Why it matters

• Although no fine was imposed, the ICO’s reprimand highlights that organisations must check that they are following basic recommendations to;
  • Have appropriate contracts in place with 3^rd party providers
  • Keep accurate records of processing activities and security measures taken
  • Do regular scans and testing and note the outcomes and address any issues

Further information

The ICO’s checklist for organisations to consider when implementing technical security measures can be found at

A guide to data security | ICO

The National Cyber Security Centre has provided guidance on vulnerability scanning tools and services at  

Vulnerability Scanning Tools and Services – NCSC.GOV.UK

What happened

• The Police Service of Northern Ireland (PSNI) recently published personal data relating to all of its 10,000 staff members online, in error
• The PSNI were replying to a Freedom of Information (FOI) request which asked for a breakdown of staff by rank and number
• FOI requests should not generally contain personal data (there is an exemption), but the spreadsheet disclosed contained initials, surnames, details of the units worked at and responsibilities
• FOI requests have a time limit of 20 days which means there is extra pressure on response times, however, the risk of human error must always be considered
• The problem at PSNI was compounded by the occurrence of a second data breach where a paper spreadsheet containing names of over 200 current police officers and a laptop were stolen from a private vehicle
• Many breaches are caused by human error; often emails are misdirected, individuals respond to phishing attacks and weak passwords are often reused, but it is important that controls appropriate to the risks involved, are in place
• PSNI has been the target of threats and physical attacks by dissident groups in Northern Ireland. In March 2023, the terrorist threat level was raised to ‘severe’ when an off duty PSNI officer was fatally shot, so the identification of individuals on the force has meant that their personal security is jeopardised
• The cause of the PSNI data breaches was human error, but the impact was huge

Why it matters

• The PSNI breach disclosed personal data, which might ordinarily be found in the public domain, however, the political context in Northern Ireland meant that the breach could have serious consequences for the individuals involved
• These cases have shown that what might seem to be minor human errors can have serious consequences
• Manual processes often mean there is an element of human error, but robust controls must be in place for personal data handling and security, including adequate training of staff

Further information

The relevant data protection principles here are (i) data minimisation/purpose limitation – use the minimal amount of data and only use it where necessary for the intended purposes (ii) technical measures & safeguards – ensure technical measures and safeguards are in place (iii) accountability, reporting/notification – report the breach within 72 hours of becoming aware of it

Further details can be found at;

PSNI data breach: Details of NI police in hands of dissident republicans – BBC News