Breaches And Lawsuits And Fines, Oh My! What We Learned, The Hard Way, From 2024
With the average cost of a data breach at $2.7 million and 33% of enterprises reporting being breached three or more times over the past 12 months, understanding and learning from past incidents is not just beneficial — it’s essential. Our detailed examination of the top 35 breaches and privacy fines of 2024 has unearthed critical insights into the evolving cyberthreat landscape. Among the key findings: Attacks cause more than just monetary damage; inadequate data protection severely impacts customer trust; and healthcare in particular is at a critical juncture, because it’s not just brand reputation at stake but delivery of critical medical services.
2024 also saw hefty fines levied on organizations. GDPR is once again the most enforced privacy regulation in the world, but it isn’t the only regulation with sharp penalties. In the US, more states are putting privacy laws in place and holding organizations accountable. Not only does Meta hold the record of the highest-ever GDPR fine at €1.2 billion in 2023 from an Irish regulator, but in 2024, Meta took home the largest US state fine ever at $1.4 billion. While some companies can pay off their fines like parking tickets, most organizations do not have the capital or lawyers to copy this behavior.
From our analysis of the top breaches and fines, we found the following:
- Massive breaches and outages drive regulatory proposals and changes. In early 2024, US Executive Order 14117 focused its attention on bulk sensitive personal data, with emphasis on telecommunications and the healthcare market. The US Federal Communications Commission has proposed telecom cybersecurity and supply chain risk management rules. The proposed HIPAA Security Rule that is currently open for comment is the first major update to the rule in over a decade. New York State, acting independently, implemented strict cybersecurity mandates for hospitals. And not to be outdone, the EU has focused on operational resilience, as the Digital Operational Resilience Act (DORA), which has been years in the making and has sweeping demands on security practices, went into effect January 17, 2025.
- Organizations need to worry about more than regulatory fines. It is important for firms operating within the US to be aware that, although the regulatory penalties they face can be substantial, there is another financial risk on the horizon that can’t be overlooked. Recent data indicates that the proportion of companies confronted with class-action lawsuits has reached its highest point in 13 years, and it is projected this year that the expenses associated with defending against these class-action lawsuits could exceed the costs of regulatory fines.
- Not all breaches are for financial gain. This past year, US ISPs and telecoms found their systems infiltrated by Chinese state-affiliated actors. After the investigation of these breaches, it appears that the focus was on a small number of individuals of political interest. In a separate incident, state-sponsored Chinese attackers breached the US Department of the Treasury through third-party vendor BeyondTrust’s support software. The objective was to gain sensitive information and conduct reconnaissance.
To see the rest of our analysis and, more importantly, get the recommended actions you can take to protect your organization, read our report, Lessons Learned From The World’s Biggest Data Breaches And Privacy Abuses, 2024, or schedule a guidance session with us to talk more.
(written with Danielle Chittem, research associate)