The Real Cost of Data Breaches: Analysis of 2024’s Biggest Security Incidents – Examining the financial, reputational, and operational impacts of major cybersecurity failures with real-world data.
When news breaks about another massive data breach, the headlines typically focus on the raw numbers—millions of records exposed, billions in market value lost. But the real story of a data breach extends far beyond these initial reports. Recent years have seen an unprecedented wave of sophisticated attacks that have fundamentally changed how we think about cybersecurity and its implications for businesses and consumers alike.
The cost of a data breach has evolved significantly in recent years. It’s no longer just about the immediate financial impact or the technical response required. Today’s breaches create ripple effects that touch every aspect of an organisation—from customer trust to regulatory compliance, from employee morale to long-term business viability.
As we’ve observed in New Zealand and globally, organisations are increasingly recognising that cybersecurity isn’t merely an IT issue but a fundamental business risk that demands board-level attention. The major breaches we’ve seen in recent years have reinforced this reality in stark terms.
The 2024 IBM Cost of a Data Breach Report provides concrete evidence of the growing financial impact of breaches. According to this comprehensive study, the global average cost of a data breach reached USD 4.88 million in 2024, a 10% increase over the previous year and the highest total ever recorded. The research, based on experiences from 604 organizations and 3,556 cybersecurity and business leaders affected by breaches, shows that these costs continue to climb at an alarming rate.
The 2023 MGM Resorts ransomware attack offers a clear example of direct financial impact. When cybercriminals targeted the casino and hotel giant in September 2023, the company was forced to shut down various systems, including slot machines, hotel reservation systems, and restaurant point-of-sale systems. MGM Resorts later disclosed in SEC filings that the breach cost approximately $110 million in direct expenses, which included incident response, system recovery, and legal services.
The financial impact extended far beyond these direct costs. MGM estimated the breach resulted in $37 million in lost business, bringing the total impact to $147 million. Even with insurance covering a portion of these costs, the company still faced substantial financial consequences beyond what was covered.
The healthcare sector saw one of the most significant breaches when Change Healthcare, a major U.S. healthcare technology company, was hit by a ransomware attack in February 2024. The attack disrupted healthcare payment systems nationwide, affecting millions of patients and thousands of healthcare providers.
Beyond the immediate technical response, the regulatory scrutiny was intense. The U.S. Department of Health and Human Services launched an investigation, with potential penalties under HIPAA that can reach into the millions. Additionally, multiple state attorneys general opened investigations into the breach.
The regulatory impact of such breaches extends to New Zealand organisations as well. Under New Zealand’s Privacy Act 2020, companies face mandatory notification requirements and potential penalties for failing to adequately protect sensitive personal information. The Privacy Commissioner has increasingly shown willingness to use enforcement powers against organisations following serious breaches.
The 2023 case of Latitude Financial in Australia and New Zealand demonstrates this regulatory impact. After a breach affecting 14 million customer records, Latitude faced investigations from regulators in both countries. The company allocated millions for its regulatory response and remediation efforts, highlighting how modern data protection regulations substantially increase the cost of breaches beyond immediate incident response.
Perhaps no breach better illustrates the reputational impact than what happened to 23andMe in October 2023. The genetic testing company disclosed that hackers had accessed sensitive genetic information of approximately 6.9 million customers.
The breach significantly eroded consumer trust. In the months following the incident, 23andMe’s stock price dropped by approximately 30%. Independent surveys showed that consumer confidence in the company’s ability to protect sensitive data plummeted, with many users demanding their data be deleted from the company’s systems.
The reputational effects extended beyond just 23andMe to cast shadows on the entire genetic testing industry, with competitors like Ancestry.com reporting concerns from their own customers despite not being involved in the breach.
The Ponemon Institute’s research, conducted in partnership with IBM for the 2024 Cost of a Data Breach Report, quantified some aspects of this reputational damage. According to the report, 75% of the increase in average breach costs in this year’s study was due to the cost of lost business and post-breach response activities, highlighting how significantly reputation damage can impact an organization’s bottom line.
The 2024 IBM Cost of a Data Breach Report highlights an emerging threat: the proliferation of data across multiple environments, making it increasingly difficult to track and safeguard. According to the report, 40% of data breaches involved data stored across multiple environments, with breached data stored in public clouds incurring the highest average cost at USD 5.17 million.
Most concerning is the finding that one in three breaches now involves shadow data—information that organizations don’t know they have or have lost track of. This represents a significant blind spot in many security strategies, as you cannot protect what you don’t know exists.
The complexity of modern data environments is further complicated by the adoption of generative AI, third-party applications, Internet of Things (IoT) devices, and SaaS applications, all expanding the attack surface and putting increased pressure on security teams. The report notes that while organizations are moving quickly to adopt generative AI, only 24% of these initiatives are properly secured, creating potential vulnerability points for data exposure.
What these cases collectively demonstrate is that the true cost of a data breach extends far beyond the immediate financial impact. Organisations must develop comprehensive resilience strategies that address not just technical vulnerabilities but also operational continuity, regulatory compliance, communication readiness, and reputation management.
The 2024 IBM report reveals that organisations using security AI and automation extensively in their prevention strategies saved an average of USD 2.22 million compared to those that didn’t deploy these technologies. This represents one of the most significant findings in the report: AI and automation are no longer optional but essential components of an effective security strategy.
The most successful organisations have approached cybersecurity as a business risk management issue rather than merely a technical challenge. They’ve invested in breach preparation, not just breach prevention, recognising that in today’s threat landscape, the question isn’t if a breach will occur, but when—and how effectively the organisation can respond. This includes building “muscle memory” for breach responses through crisis simulation exercises that involve both security teams and business leaders.
For New Zealand businesses, particularly those in our vibrant small and medium enterprise sector, these lessons are especially relevant. With limited resources to invest in cybersecurity, prioritising efforts based on a clear understanding of the full cost implications of different types of breaches becomes essential.
As we move forward, the organisations that thrive will be those that develop this holistic view of cyber risk and build response capabilities that address all dimensions of a breach’s potential impact.
NZ National Cyber Security Centre. (2023). Cyber Threat Report 2023.
IBM Security. (2024). Cost of a Data Breach Report 2024.
MGM Resorts International. (2023). Form 8-K filed with the Securities and Exchange Commission, November 2023.
UnitedHealth Group. (2024). Press releases and investor communications regarding Change Healthcare breach, February-April 2024.
Privacy Commissioner of New Zealand. (2023). Annual Report 2022-2023.
Ponemon Institute. (2023). Cost of a Data Breach Study: Impact of Business Continuity Management.
23andMe. (2023). Data Security Incident Notices and Updates, October-December 2023.
CISA. (2023). Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure.
Bloomberg. (2023). “ICBC’s U.S. Unit Hit by Ransomware Attack Affecting Treasury Market.” November 2023.
CERT NZ. (2023). Quarterly Report: Data-Driven Insights on Cyber Threats, Quarter 4, 2023.
This article is proudly brought to you by the Digital Frontier Hub, where we explore tomorrow’s business solutions and cutting-edge technologies. Through our in-depth resources and expert insights, we’re dedicated to helping businesses navigate the evolving digital landscape across New Zealand and beyond. Explore our latest posts and stay informed with the best in Artificial Intelligence, E-commerce, Cybersecurity, Digital Marketing & Analytics, Business Technology & Innovation, and Cloud Computing!