Data loss costs are going up – and not just for those who choose to pay thieves
Ransoms, investigations, and breach-related lawsuits are hitting companies in the wallet, law firm says
Data loss – particularly from ransomware attacks – has always been a costly proposition for enterprises. However, the price organizations have to pay is going up, not only in terms of the ransom demanded but also for the cost of investigating attacks and the lawsuits that increasingly follow in the wake of such breaches.
In its 2023 Data Security Incident Response Report [PDF], Cleveland-based law firm BakerHostetler – which three years ago launched a practice around data, on a par with its other practices such as tax, IP, and litigation – found that while the number of ransomware incidents the firm responded to dipped in early 2022, it came roaring back toward the end of the year and into early 2023.
With this came higher ransom demands and, eventually, payments. The largest ransom demand last year was more than $90 million, with the largest payment exceeding $8 million. Both were larger than in 2021 (more than $60 million and $5.5 million respectively).
The average ransom paid hit $600,688, up from $511,957 the year before, though still below the peak of $794,620 in pandemic-ravaged 2020. About 40 percent of victims paid a ransom.
The numbers are based on the 1,160-plus security incidents the law firm investigated in 2022.
The ransom payment numbers appear to contradict what blockchain analysis company Chainalysis found in January, when it reported that the total amount of money paid to ransomware attackers dropped last year – from almost $766 million in 2021 to almost $455 million last year – due in large part to victims refusing to pay.
Both the UK's National Cyber Security Centre and the US Federal Bureau of Investigation have said publicly that they don't support paying ransoms. Many believe paying only encourages criminals to take more data hostage, and there's no way of knowing that miscreants will delete the data, or that they won't simply sell it again despite the ransom being paid. There's also the issue that your computer will still be infected and that, once you pay, you'll become a target they'll circle back to later.
BakerHostetler noted that the number of organizations stiffening their defenses – via endpoint detection and response (EDR) tools and backing up data – has reduced the pool of potential victims. However, "the remaining may be even more vulnerable," the firm wrote. "In 2022, we saw increases in average ransom demands, average ransom payments, and average recovery times in most industries."
"The lull in ransomware that marked the start of the year is over. Ransomware groups have resumed attacks, and organizations must redouble their efforts to defend themselves against increasing attacks."
Investigations into breaches aren't cheap
Victims aren't only paying more when they decide to pay the ransom: the overall cost of forensic investigations of data breaches also jumped. For the 20 largest network intrusions, the average investigation cost increased 24 percent, from $445,926 in 2021 to $550,987 a year later.
But it wasn't the same for everyone. Companies in the finance and insurance, business and professional services, and retail, restaurant and hospitality industries saw decreases in both the average and median costs for investigations. In two other industries – government, and energy and technology – there were higher averages but lower medians, "reflecting a general decrease in costs for most clients but offset by some significant ransomware matters for certain clients," BakerHostetler wrote.
However, the average and median amount spent on forensic investigations for those in the healthcare and manufacturing sectors both rose in 2022. The healthcare industry in particular – which holds scads of personal data on patients and employees and operates a lot of connected devices – has become a target of the Royal ransomware group and others.
Even US politicians and their staff members weren't immune to the attacks.
Lawsuits and breaches
Another source of financial outflow is lawsuits filed against companies that had to notify individuals that their data had been accessed by criminals. Of the security incidents handled by BakerHostetler last year, 494 involved having to send out such notifications. Forty-two of those resulted in one or more lawsuits being filed by people unhappy about their data being stolen.
That compares to 23 such lawsuits filed in 2021.
More than half of the 42 incidents that resulted in lawsuits – 26 – involved medical and health information being breached, and 20 involved a healthcare organization. Forty included Social Security Numbers or driver's license data and six involved payment card information.
Twenty-five lawsuits were filed in cases where 10,000 to 500,000 people were notified, with another nine when more than a million were notified.
Privacy litigation in particular is on the rise, with hospitals seeing a significant ramp-up. Since August 2022, more than 50 such lawsuits have been filed against hospital systems, with plaintiffs alleging that the entities tracked and disclosed their identities and online activities through third-party website analytics tools without the consent of those visiting the sites.
Many involve breach of contract or confidence and violations of state privacy and consumer protection laws.
In all, the law firm said it is defending more than 200 privacy or data security lawsuits. ®