September 27, 2023 By Mark Stone 4 min read

Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches.

To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023 are:

  • United States: $9.48 (up 0.4% from 2022)
  • Middle East: $8.07 (up 8.2% from 2022)
  • Canada: $5.13 (down 9% from 2022)
  • Germany: $4.67 (down 3.7% from 2022)
  • Japan: $4.52 (down 1.1% from 2022).

Is there a root cause for the top countries on the list? What factors are at play? Are some countries more susceptible to social engineering attacks like phishing?

Why are the costs for the top countries so high?

While it’s difficult to quantify, the high costs in the top five countries can be attributed to several factors.

The United States

The U.S. has the highest average total cost of a data breach at $9.48 million, up from $9.44 million in 2022. U.S. numbers are likely due to the size and complexity of U.S. organizations and extensive digital infrastructure in the country, as well as the sensitivity of the data they hold and the regulatory environment.

The Middle East

In the Middle East, the number is likely attributed to the large number of breached records, the high rate of malicious attacks and the longer time to identify and contain a breach.

Germany

In Germany, the statistics are likely due to the large number of lost or stolen records and the high rate of malicious or criminal attacks.

Canada and Japan

In Canada and Japan, the high cost may be attributed to the high churn rate (the rate at which customers stop doing business with an entity) and the longer time to identify and contain a breach.

Do data breach laws contribute to high costs among the top five countries?

While the report does not directly link these regulatory factors to the top five countries, it suggests that the regulatory environment and compliance with regulations can significantly impact the cost of data breaches.

For instance, in the United States, state data privacy policies such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA) impose hefty fines and penalties for non-compliance. Similarly, in the European Union, the General Data Protection Regulation (GDPR) imposes strict penalties for data breaches, impacting countries like Germany and France.

Read the full report

Is the U.S. disclosing more breaches now than it has in the past?

The report does not conclude whether the U.S. is disclosing more breaches now than in the past due to mounting state data privacy policies. However, it does provide some relevant information:

  • The United States has been a part of the Cost of a Data Breach Report for 18 years, the longest of all countries or regions involved.
  • Only one-third of companies discovered the data breach through their own security teams, highlighting a need for better threat detection. The majority of breaches (67%) were reported by a benign third party or by the attackers themselves. When attackers disclosed a breach, it cost organizations nearly USD 1 million more than internal detection.
  • The majority of respondents (57%) indicated that data breaches led to an increase in the pricing of their business offerings, passing on costs to consumers.

This data suggests that the disclosure of breaches is a complex issue involving multiple factors, including detection capabilities and financial implications.

However, organizations often won’t disclose that they have been breached for fear of reputational damage, regulatory scrutiny or legal liability. Even more often, companies may lack adequate cybersecurity measures or trained personnel to deal with the breach.

In fact, the FBI recently stated that only about 20% of ransomware incidents are reported.

What unique costs does the U.S. experience compared to other countries?

The United States incurs several direct and indirect costs that other countries may not have, which include:

Higher lost business costs. The United States has the highest lost business costs, which include the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.

Higher post-data breach response. Response activities help minimize the impact of the breach, such as help desk resources, inbound communications, special investigative resources, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.

Notification costs. In the United States, organizations are required to notify affected individuals, regulators and the media in certain circumstances following a data breach. These notification costs can be substantial.

Are citizens more prone to social engineering in some countries compared to others?

The IBM report does not directly comment on the tech savviness of citizens or their susceptibility to social engineering. It primarily focuses on the organizational costs and impacts of data breaches rather than individual behaviors.

However, it does mention that human factors, including social engineering attacks, play a significant role in data breaches. For instance, it states that nearly one in six breaches (17%) were caused by phishing, which is essentially human error.

It’s important to note that susceptibility to social engineering attacks is not necessarily a reflection of being less tech-savvy. These attacks often rely on manipulation and deception, exploiting trust and authority rather than technical ignorance.

Remember, everyone is susceptible to social engineering — no matter how old you are or where you live.

More from Data Protection

Cost of a data breach: Cost savings with law enforcement involvement

3 min read - For those working in the information security and cybersecurity industries, the technical impacts of a data breach are generally understood. But for those outside of these technical functions, such as executives, operators and business support functions, “explaining” the real impact of a breach can be difficult. Therefore, explaining impacts in terms of quantifiable financial figures and other simple metrics creates a relatively level playing field for most stakeholders, including law enforcement.IBM’s 2024 Cost of a Data Breach (“CODB”) Report helps…

Cost of data breaches: The business case for security AI and automation

3 min read - As Yogi Berra said, “It’s déjà vu all over again.” If the idea of the global average costs of data breaches rising year over year feels like more of the same, that's because it is. Data protection solutions get better, but so do threat actors. The other broken record is the underuse or misuse of technologies that can help safeguard data, such as artificial intelligence and automation.IBM’s 2024 Cost of a Data Breach (CODB) Report studied 604 organizations across 17…

Cost of a data breach: The industrial sector

2 min read - Industrial organizations recently received a report card on their performance regarding data breach costs. And there’s plenty of room for improvement.According to the 2024 IBM Cost of a Data Breach (CODB) report, the average total cost of a data breach in the industrial sector was $5.56 million. This reflects an 18% increase for the sector compared to 2023.These figures place the industrial sector in third place for breach costs among the 17 industries studied. On average, data breaches cost industrial…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today