July 29, 2020

Compromised credentials lead to costliest data breaches: IBM report

By Robert Scammell

Cyberattacks that leverage compromised company credentials such as email addresses and passwords cost businesses an average of $4.77m per data breach – nearly $1m more than the global average.

According to IBM Security’s 2020 Cost of a Data Breach Report, compromised credentials are one of the most common attack methods.

Alongside cloud misconfigurations – such as leaving a database without password protection – compromised credentials accounted for a combined 40% of malicious breach causes.

More than 8.5 billion business credentials were stolen in 2019, often ending up for sale on the dark web. This means that attackers are spoilt for choice when it comes to gaining access to a company with a method that doesn’t require advanced technical knowledge.

IBM analysed the data breaches suffered by over 500 companies between August 2019 and April 2020. It found that personally identifiable information (PII) was the costliest type of data to be exposed.

Unsurprisingly, there is a positive correlation between the number of exposed records and the cost of the breach. Those where more than 50 million records were compromised cost an average of $392m – up from $388m in the previous year.

Where 40 to 50 million records were exposed, the average cost came to $364m on average.

IBM also found that companies that had embraced artificial intelligence in their cyber defences reported half the average cost per data breach.

“When it comes to businesses’ ability to mitigate the impact of a data breach, we’re beginning to see a clear advantage held by companies that have invested in automated technologies,” said Wendi Whitmore, vice president, IBM X-Force Threat Intelligence.

“At a time when businesses are expanding their digital footprint at an accelerated pace and the security industry’s talent shortage persists, teams can be overwhelmed securing more devices, systems and data. Security automation can help resolve this burden, not only supporting a faster breach response but a more cost-efficient one as well.”

While nation state attacks remain rare – accounting for just 13% of malicious breaches – they are one of the most expensive for businesses, at an average of $4.43m per breach. This is because of their “highly tactical nature, longevity and stealth manoeuvres” and the “high-value data targeted”, IBM said.


Read more: 1 in 3 email hackers camp out in accounts for over a week