Data breach cost in India jumps 39% since 2020: IBM report

The average data breach cost in India reached an all-time high of Rs 195 million in 2024. Breach costs have jumped 39% since 2020 and 9% from the prior year, as breaches have grown more disruptive and further expanded demands on cyber teams, reveals IBM in its annual Cost of a Data Breach Report. Globally, 70% of breached organisations reported that the breach caused significant or very significant disruption.

The report points out that lost business and notification costs drove the year-over-year cost spike in India, as the collateral damage from data breaches has only intensified. The cost of lost business (operational downtime, lost customers, and reputation damage, among others) escalated nearly 45%, and notification costs jumped 19% from the previous year.

The slight rise in detection and escalation costs (almost 7% over the same time frame) reflects the complexity of breach investigations, and this category once again represents the highest portion of breach costs in India.

Prominent attack vectors

Phishing and stolen or compromised credentials account for 18% of incidents, followed by cloud misconfiguration (12%). Business email compromise was the costliest root cause at an average total cost of Rs 215 million per breach, followed by social engineering (Rs 213 million) and phishing (Rs 209 million).

Data breached across multiple environments

According to the 2024 report, 34% of data breaches studied in India involved data stored on public clouds and 29% across multiple environments (including public cloud, private cloud and on-prem). Breached data stored on public clouds represented the highest costs (Rs 227 million), while incidents spanning multiple environments took the longest to identify and contain (327 days).

Industries impacted

The Indian industrial sector faced the highest impact from data breaches, with average cost reaching Rs 255 million, followed by the technology industry at Rs 243 million and the pharmaceutical sector at Rs 221 million. Globally, critical infrastructure sectors – such as healthcare, financial services, industrial, technology, and energy organisations – incurred the highest breach costs across industries.

Key factors that decreased costs

In India, offensive security testing (such as red teaming and pen/vulnerability testing), implementing AI and machine learning-driven insights, and conducting proactive threat hunting were some of the factors that helped studied organisations decrease the total cost of data breaches.

Time dimension

Time is another relevant factor in India, as the report also found that organisations that took less than 200 days to identify and contain a data breach incurred an average cost of Rs 184 million. By contrast, organisations with a data breach lifecycle extending beyond 200 days incurred an average cost of Rs 205 million.

The case for security AI and automation

Continuing the trend from the 2023 report, security AI and automation played a significant role in accelerating the speed of breach identification and containment for organisations studied. In India, when these technologies were used extensively, local companies shortened the data breach lifecycle by 112 days and incurred an average Rs 130 million less in breach costs, compared to organisations without security AI and automation deployments.

The report found that 28% of organisations in India are now extensively deploying security AI and automation, compared to 20% in 2023. However, there remains significant potential for growth in India, as currently 72% of studied organisations have limited (35%) or no use (37%) of security AI and automation.

“The findings from this year’s IBM Cost of a Data Breach Report reinforce the importance of a proactive and integrated AI-powered approach to cybersecurity. As cyber-attacks gain pace and complexity, their impact on organisations becomes multi-dimensional, affecting reputational, financial, and operational aspects. Considering that India is getting ready for the rollout of the DPDP Act 2023, businesses also need to assess the regulatory implications of such attacks and ensure end-to-end compliance. Therefore, prioritising data security and safeguarding critical assets to help ensure that only the right people have access to organizational resources is essential,” said Viswanath Ramaswamy, Vice President, Technology, IBM India & South Asia.
