In 2024, the average cost of a data breach cleared $4.88 million, according to IBM's annual Cost of a Data Breach report, a 10% jump over the previous year. A low double-digit increase may not sound like much, but it was the largest single-year spike since the pandemic. What did threat actors do differently, or lean into harder, this past year that contributed to their success? And what can we learn from the costliest data breaches of 2024?
2024 Data Breaches by Industry
Healthcare
The February 21, 2024, ransomware attack on Change Healthcare proved the most financially devastating incident in the healthcare industry last year. Costing an estimated $2.87 billion, the breach delayed patient care, disrupted claims processing and reimbursements, and ground key operations to a halt for weeks. At least 24 class-action lawsuits were filed.
What we learned
Attackers love to double-dip, especially once they find a paying customer. This may come as no surprise, but it bears repeating because ransomware victims fall into the trap time and again, and Change Healthcare was no exception. After the ALPHV/BlackCat ransomware gang exfiltrated roughly 4 TB of data in February, the company paid a reported $22 million ransom (parent company UnitedHealth Group later confirmed a payment was made). By May it had been targeted again, this time by a second group, RansomHub, which claimed to hold the same stolen data and demanded another payment. Paying once did not make the data go away; it only proved there was money to be had.
A second lesson? Simple stuff works. The attackers got in because Multi-Factor Authentication (MFA) was not enabled on a remote access server, a critical and entirely preventable gap. They then spent nine days moving laterally through the network and harvesting data before detonating the ransomware payload that encrypted sensitive systems. A single missing control on an internet-facing login page led to what Rick Pollack, President and CEO of the American Hospital Association, termed “the most significant and consequential incident of its kind against the U.S. healthcare system in history.”
Financial Services
In early January 2024, California-based mortgage lender LoanDepot suffered a severe ransomware attack that compromised the sensitive data of 16,924,071 individuals and forced the company to take systems offline. The breach cost LoanDepot $41 million in the first half of the year alone. ALPHV/BlackCat again claimed responsibility, although this incident actually predates the Change Healthcare attack.
What we learned
ALPHV/BlackCat is dangerous. It operates as a sophisticated Ransomware-as-a-Service (RaaS) group, meaning affiliates rent its toolkit and infrastructure and hand over a share of each ransom, so the same malware shows up in the hands of many different intrusion crews. The gang is believed to originate in Russia and is known for targeting critical U.S. infrastructure. In February 2024, CISA, the FBI and HHS updated their existing joint advisory on the group, warning healthcare and other critical infrastructure organizations about its recently developed capabilities. Those capabilities, pushed to all ALPHV/BlackCat RaaS affiliates in an update, included augmented tooling, improved defense evasion, and a rewritten encryptor able to hit Windows and Linux devices as well as VMware instances. Watch out.
Data Handling
The National Public Data (NPD) database breach is considered the costliest breach in the data handling industry in 2024. The attack on the Florida-based background check business (a goldmine target for hackers, since its whole business is aggregating personal data) leaked roughly 2.9 billion records of names, addresses, Social Security numbers and related PII, and the stolen database was offered for sale on a dark web forum for a reported $3.5 million. The attack was attributed to a cybercriminal actor operating under the handle USDoD (no connection to the U.S. Department of Defense).
Because National Public Data is not a covered critical infrastructure entity under CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act, whose 72-hour reporting rule was in any case still being finalized in 2024), the company was under no federal obligation to report the breach within 72 hours. Accordingly, in the ensuing lawsuit, “the lack of notification [was cited] as a top concern of the Plaintiff.”
What we learned
Notification matters. Once a breach becomes public, affected individuals have a narrow window to freeze credit, rotate credentials and watch for fraud before the stolen data is put to use; every day of silence shortens it. The fact that an entity was not legally obligated to report is little consolation to victims, and staying quiet may do more harm (reputationally and in court) than disclosing promptly. Organizations should proactively protect their customers, their interests and their reputations by exceeding compliance requirements rather than hiding behind their absence.
A second lesson focuses on prevention. The lawsuit stated the data was “unencrypted, unredacted PII” compromised due to the lack of basic cybersecurity measures. Going forward, the Plaintiff asked that the company “encrypt all data going forward, use data segmentation, scan its databases and launch a threat-management program,” and petitioned for “a cybersecurity framework evaluation to be conducted annually until 2034.” Basic cybersecurity measures matter. While the exact amount NPD will ultimately pay is not yet known, the sheer scale of the leak suggests a significant sum.
Software Development
In April 2024, Young Services, which provides integrated software solutions to medical groups, suffered a breach that compromised the data of roughly 950,000 people. The ransomware gang BlackSuit gained access to the company's environment and exfiltrated sensitive information; when Young Services refused to pay, BlackSuit published the data on its leak site. The company said the affected data belonged to Blue Shield, for which it provides risk management services. It sent notification letters to the nearly one million affected individuals and offered each a year of free credit monitoring (roughly $11 million at retail cost). Although the breach was reported within 14 days, at least one lawsuit investigation is currently underway.
What we learned
Breach reporting rules are closely monitored and critically important. In the United States, companies that fall outside sector-specific regimes such as HIPAA are policed primarily by the Federal Trade Commission. The FTC's rules call for notification “without unreasonable delay,” and its amended Safeguards Rule, in force since May 2024, sets a hard outer limit of 30 days after discovery for covered non-bank financial institutions; state breach-notification laws layer their own deadlines on top. In this case, even a reporting timeline of under two weeks is drawing scrutiny.
Additionally, refusing to negotiate with cybercriminals can mean the stolen data gets leaked, but it also removes the incentive for a repeat attack, which could compromise even more data the second time around. Since declining to pay, Young Services has reported no further ransomware incidents. Perhaps the money that would have gone to the ransom went into security controls and processes instead.
IT Services and IT Consulting
One of the most impactful data breaches of 2024 targeted prominent customers of Snowflake, a cloud data warehousing and analytics company. Victims included Santander Bank and Neiman Marcus Group. Attackers extorted roughly $2.7 million from some of the approximately 165 affected Snowflake customers. While not the largest sum on this list, the campaign was impactful in other ways.
The cybercriminals, associated with the group ShinyHunters (Mandiant tracks the cluster as UNC5537), took the easy route and got a few lucky breaks. First, they obtained Snowflake credentials that infostealer malware had harvested from employee and contractor machines, where they sat in plaintext; some of those credentials were years old and had never been rotated. Next, they used the stolen logins to walk into several Snowflake customer accounts, none of which had MFA enabled or network allow-lists restricting where logins could come from. It was the perfect scenario: the attackers got in without exploiting a single vulnerability.
What we learned
While the attack did not exploit a flaw in Snowflake itself, it raises timely questions about who bears ultimate responsibility for breaches under the cloud's shared responsibility model. Katell Thielemann, VP distinguished analyst at Gartner, noted that “too many CISOs think they have signed up for a shared responsibility model when in fact they cannot abdicate security ownership to any vendor.” Enabling MFA by default is one of the commitments in CISA's Secure by Design pledge (signed by Snowflake and more than 200 other vendors). Going forward, vendors should make the secure configuration the default rather than an option, and customers should verify for themselves that client-side responsibilities like MFA and network restrictions are actually in place.
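The “double-check” a Snowflake customer can actually run looks like the following. These queries are an added example written for this article, not Snowflake's or Mandiant's own tooling. They assume you have a role with access to the SNOWFLAKE.ACCOUNT_USAGE views (ACCOUNTADMIN, or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database); the CIDR ranges and policy names are placeholders you would replace with your own, and the authentication-policy syntax in the last step is from Snowflake's 2024 feature set, so verify it against the documentation for your account before relying on it.

```sql
-- Added example (not from the original article). Audit checks for the three
-- conditions abused in the 2024 Snowflake customer campaign: password-only
-- users without MFA, logins with no second factor, and no network restriction.
-- ACCOUNT_USAGE views lag live activity by up to a couple of hours.

-- 1. Enabled users who can still log in with a password and have no MFA.
--    Service accounts should not have a password at all; give them key-pair
--    (RSA public key) authentication instead.
SELECT name,
       has_password,
       has_rsa_public_key,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  has_mfa = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, grouped by source
--    IP and client tool. This is the shape the attacker's sessions took:
--    a valid password, no second factor, and an unfamiliar IP and client.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name, client_ip, reported_client_type
ORDER  BY logins DESC;

-- 3. Restrict where logins may originate. The two CIDR blocks below are
--    placeholder (documentation) ranges; substitute your corporate egress IPs.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 4. Make MFA mandatory for every password login going forward
--    (authentication policies; confirm the syntax for your Snowflake release).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Run the first two queries before changing anything: the users list tells you who is exposed, and the login history tells you whether anyone has already been using those accounts from outside your normal IP ranges and client tools. Applying the network policy in step 3 will lock out any legitimate integration that connects from an address you forgot to list, so stage it on a test account or apply it per user first.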
Retail and eCommerce
Unfortunately, one bad thing leads to another. Ticketmaster was another of the targeted Snowflake customers, and its breach was the largest fallout from that campaign: exfiltrated data covering a reported 560 million individuals. The perpetrators were, perhaps obviously, the same as above (ShinyHunters), and so was the vector. No vulnerability in Ticketmaster's own systems was exploited; the attackers simply logged in to the company's Snowflake environment with a stolen credential that had no MFA behind it.
What we learned
U.S. retail companies that process payment cards fall under the auspices of PCI DSS 4.0. The latest version of the Payment Card Industry Data Security Standard (PCI DSS) requires MFA for all access into the cardholder data environment, not just for administrators, and it tightens vulnerability management as well. It reaffirms the requirement for vulnerability management from previous versions, broadens the scope of vulnerabilities that companies must assess and remediate beyond just critical and high-risk findings, and now requires authenticated internal vulnerability scans. While vulnerability management and MFA may seem perfunctory in a world plagued with polymorphic threats, AI-generated phishing lures and sophisticated malware, the easiest door to lock is the one that gets tried first. After all, attackers don't want to work harder than they must.
Avoiding a Data Breach in 2025
While so much talk of AI-based threats swirls around (and for good reason), many of last year’s most substantial breaches were due to relatively low-tech means. In the above cases, organizations suffered significant damage due to a failure to apply fundamental cybersecurity measures, including:
- Not enforcing MFA, especially on internet-facing remote access and cloud logins
- Paying ransoms and negotiating with cybercriminals without fixing the underlying security gaps that let the attackers in
- Leaving long-lived credentials in plaintext on endpoints and never rotating them
- Leaving known vulnerabilities unpatched
- Not reporting breaches in a timely manner
Cyber defenders don’t have the luxury of focusing on only one area of the threat landscape. However, if the breaches of 2024 taught us anything, it’s that a primary focus in 2025 should be strengthening security fundamentals.