Average data breach costs Canadian organizations $6.32 million: IBM study

Canadian organizations embroiled in data breaches wind up paying an average $6.32 million to resolve the incidents, a new study from IBM says.

That total is down from 2023, when Canadian organizations were paying an average $6.94 million, and from 2022, when the average was $7.05 million, said the study, which was released Tuesday.

“There’s 27,000 breaches (a year) in Canada alone, an all-time high … That’s almost 75 breaches a day,” said Daina Proctor, IBM Canada’s security services leader.

“When I start looking at 75 breaches a day at an average $6.3 million per breach, that’s when I start saying this is staggering.”

IBM’s report comes as Canadians are routinely told of cyber attacks and other breaches that put their data at risk of falling into unauthorized hands. In the last year alone, Ticketmaster, AT&T, Giant Tiger, London Drugs and more have been victims of such attacks.

IBM sought to quantify not just the extent of attacks but also their cost — a figure that can include what organizations pay for detection and legal services, crisis management, regulatory fines, consumer reparations and lost business.

Its report was based on an analysis of data breaches experienced by 604 organizations globally between March 2023 and February 2024.

Of the 16 countries it looked at, Canada had the sixth-highest costs for data breaches, coming in behind nations including the U.S., Germany and Italy.

“Nobody necessarily wants to do Canadians harm, but they want to find financial gain and sometimes we are that weak wildebeest in the wild,” Proctor said.

When IBM combined the data from all of the countries it looked at, it found the most common forms of attack involved phishing or stolen or compromised credentials. Phishing attacks see scammers impersonate trusted people or website login forms to get victims to input or reveal sensitive information like passwords or credit card numbers.

Stolen or compromised credentials figured into 16 per cent of the attacks studied and on average, took the longest to identity and contain at nearly 10 months.

Phishing came in a close second, at 15 per cent of attacks, but ultimately carried even higher costs.

When IBM took an industry-based look, it discovered health care, financial services, industrial, technology and energy organizations faced the highest breach costs, reaching up to US$9.77 million for health-care entities.

In Canada, financial services and technology companies experienced the priciest breaches, with average costs hitting $9.28 million and $7.84 million, respectively.

When it comes to coping with the breaches, organizations are typically told to involve law enforcement, inform customers and avoid paying ransoms, which can encourage bad actors to carry out further attacks.

Some of these steps have likely led to the reduction in costs linked to breaches, Proctor said.

However, she acknowledged the sums organizations face during breaches are still too high and are often passed along to consumers.

Sixty-three per cent of organizations told IBM they would increase the cost of goods or services because of breaches they experienced — an increase from 57 per cent the year before.

Proctor feels discussing more frequently and publicly how the costs “flow down to us” could be a good tactic to address data breach “fatigue”, when people become numb to the impacts of attacks because there are so many and they feel their data is already out there.

Artificial intelligence could also be a good tool, she said, because IBM’s research showed organizations that used the technology had breaches that were 54 days shorter and cost $2.84 million less on average.

This report by The Canadian Press was first published July 30, 2024.

Tara Deschamps, The Canadian Press