September 27, 2023 By Mark Stone 4 min read

Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches.

To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023 are:

  • United States: $9.48 (up 0.4% from 2022)
  • Middle East: $8.07 (up 8.2% from 2022)
  • Canada: $5.13 (down 9% from 2022)
  • Germany: $4.67 (down 3.7% from 2022)
  • Japan: $4.52 (down 1.1% from 2022)

Is there a root cause for the top countries on the list? What factors are at play? Are some countries more susceptible to social engineering attacks like phishing?

Why are the costs for the top countries so high?

While it’s difficult to quantify, the high costs in the top five countries can be attributed to several factors.

The United States

The U.S. has the highest average total cost of a data breach at $9.48 million, up from $9.44 million in 2022. U.S. numbers are likely due to the size and complexity of U.S. organizations and extensive digital infrastructure in the country, as well as the sensitivity of the data they hold and the regulatory environment.

The Middle East

In the Middle East, the number is likely attributable to the large number of breached records, the high rate of malicious attacks and the longer time to identify and contain a breach.


Germany

In Germany, the statistics are likely due to the large number of lost or stolen records and the high rate of malicious or criminal attacks.

Canada and Japan

In Canada and Japan, the high cost may be attributed to the high churn rate (the rate at which customers stop doing business with an entity) and the longer time to identify and contain a breach.

Do data breach laws contribute to high costs among the top five countries?

While the report does not directly link these regulatory factors to the top five countries, it suggests that the regulatory environment and compliance with regulations can significantly impact the cost of data breaches.

For instance, in the United States, state data privacy policies such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA) impose hefty fines and penalties for non-compliance. Similarly, in the European Union, the General Data Protection Regulation (GDPR) imposes strict penalties for data breaches, impacting countries like Germany and France.


Is the U.S. disclosing more breaches now than it has in the past?

The report does not conclude whether the U.S. is disclosing more breaches now than in the past due to mounting state data privacy policies. However, it does provide some relevant information:

  • The United States has been a part of the Cost of a Data Breach Report for 18 years, the longest of all countries or regions involved.
  • Only one-third of companies discovered the data breach through their own security teams, highlighting a need for better threat detection. The majority of breaches (67%) were reported by a benign third party or by the attackers themselves. When attackers disclosed a breach, it cost organizations nearly USD 1 million more than internal detection.
  • The majority of respondents (57%) indicated that data breaches led to an increase in the pricing of their business offerings, passing on costs to consumers.

This data suggests that the disclosure of breaches is a complex issue involving multiple factors, including detection capabilities and financial implications.

However, organizations often won’t disclose that they have been breached for fear of reputational damage, regulatory scrutiny or legal liability. Even more often, companies may lack adequate cybersecurity measures or trained personnel to deal with the breach.

In fact, the FBI recently stated that only about 20% of ransomware incidents are reported.

What unique costs does the U.S. experience compared to other countries?

The United States incurs several direct and indirect costs that other countries may not have, which include:

Higher lost business costs. The United States has the highest lost business costs, which include the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.

Higher post-data breach response costs. Response activities help minimize the impact of the breach and include help desk resources, inbound communications, special investigative resources, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.

Notification costs. In the United States, organizations are required to notify affected individuals, regulators and the media in certain circumstances following a data breach. These notification costs can be substantial.

Are citizens more prone to social engineering in some countries compared to others?

The IBM report does not directly comment on the tech savviness of citizens or their susceptibility to social engineering. It primarily focuses on the organizational costs and impacts of data breaches rather than individual behaviors.

However, it does mention that human factors, including social engineering attacks, play a significant role in data breaches. For instance, it states that nearly one in six breaches (17%) were caused by phishing, which is essentially human error.

It’s important to note that susceptibility to social engineering attacks is not necessarily a reflection of being less tech-savvy. These attacks often rely on manipulation and deception, exploiting trust and authority rather than technical ignorance.

Remember, everyone is susceptible to social engineering — no matter how old you are or where you live.
