September 27, 2023 By Mark Stone 4 min read

Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches.

To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023 are:

  • United States: $9.48 (up 0.4% from 2022)
  • Middle East: $8.07 (up 8.2% from 2022)
  • Canada: $5.13 (down 9% from 2022)
  • Germany: $4.67 (down 3.7% from 2022)
  • Japan: $4.52 (down 1.1% from 2022).

Is there a root cause for the top countries on the list? What factors are at play? Are some countries more susceptible to social engineering attacks like phishing?

Why are the costs for the top countries so high?

While it’s difficult to quantify, the high costs in the top five countries can be attributed to several factors.

The United States

The U.S. has the highest average total cost of a data breach at $9.48 million, up from $9.44 million in 2022. U.S. numbers are likely due to the size and complexity of U.S. organizations and extensive digital infrastructure in the country, as well as the sensitivity of the data they hold and the regulatory environment.

The Middle East

In the Middle East, the number is likely attributed to the large number of breached records, the high rate of malicious attacks and the longer time to identify and contain a breach.


In Germany, the statistics are likely due to the large number of lost or stolen records and the high rate of malicious or criminal attacks.

Canada and Japan

In Canada and Japan, the high cost may be attributed to the high churn rate (the rate at which customers stop doing business with an entity) and the longer time to identify and contain a breach.

Do data breach laws contribute to high costs among the top five countries?

While the report does not directly link these regulatory factors to the top five countries, it suggests that the regulatory environment and compliance with regulations can significantly impact the cost of data breaches.

For instance, in the United States, state data privacy policies such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA) impose hefty fines and penalties for non-compliance. Similarly, in the European Union, the General Data Protection Regulation (GDPR) imposes strict penalties for data breaches, impacting countries like Germany and France.

Read the full report

Is the U.S. disclosing more breaches now than it has in the past?

The report does not conclude whether the U.S. is disclosing more breaches now than in the past due to mounting state data privacy policies. However, it does provide some relevant information:

  • The United States has been a part of the Cost of a Data Breach Report for 18 years, the longest of all countries or regions involved.
  • Only one-third of companies discovered the data breach through their own security teams, highlighting a need for better threat detection. The majority of breaches (67%) were reported by a benign third party or by the attackers themselves. When attackers disclosed a breach, it cost organizations nearly USD 1 million more than internal detection.
  • The majority of respondents (57%) indicated that data breaches led to an increase in the pricing of their business offerings, passing on costs to consumers.

This data suggests that the disclosure of breaches is a complex issue involving multiple factors, including detection capabilities and financial implications.

However, organizations often won’t disclose that they have been breached for fear of reputational damage, regulatory scrutiny or legal liability. Even more often, companies may lack adequate cybersecurity measures or trained personnel to deal with the breach.

In fact, the FBI recently stated that only about 20% of ransomware incidents are reported.

What unique costs does the U.S. experience compared to other countries?

The United States incurs several direct and indirect costs that other countries may not have, which include:

Higher lost business costs. The United States has the highest lost business costs, which include the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.

Higher post-data breach response. Response activities help minimize the impact of the breach, such as help desk resources, inbound communications, special investigative resources, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.

Notification costs. In the United States, organizations are required to notify affected individuals, regulators and the media in certain circumstances following a data breach. These notification costs can be substantial.

Are citizens more prone to social engineering in some countries compared to others?

The IBM report does not directly comment on the tech savviness of citizens or their susceptibility to social engineering. It primarily focuses on the organizational costs and impacts of data breaches rather than individual behaviors.

However, it does mention that human factors, including social engineering attacks, play a significant role in data breaches. For instance, it states that nearly one in six breaches (17%) were caused by phishing, which is essentially human error.

It’s important to note that susceptibility to social engineering attacks is not necessarily a reflection of being less tech-savvy. These attacks often rely on manipulation and deception, exploiting trust and authority rather than technical ignorance.

Remember, everyone is susceptible to social engineering — no matter how old you are or where you live.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today