BakerHostetler Launches 2023 Data Security Incident Response Report

Press Releases / April 27, 2023

Washington — April 27, 2023

Key takeaways
  • BakerHostetler’s ninth annual security incident response report (based on data from over 1,160 security incidents from the prior year) contains data breach statistics and insights about key issues across the life cycle of data and technology.
  • The number of incidents across industries was almost identical in 2022 and 2021 (usually there are changes as threat actors find a new industry to target for a specific reason).
  • There were fewer ransomware incidents for most of 2022 (compared to 2021) until an end-of-the-year surge. The surge resulted in a moderate increase in the average amount of initial ransom demands, the amount of a ransom actually paid and the length of time to recover from a ransomware attack. Recovery times for most industries all increased last year.
  • Network intrusions remained the most common type of incident, accounting for nearly half of the matters tracked in the report. On a positive note, companies are getting quicker at identifying — and containing — such incidents.
  • Fraudulent fund transfers, which were prevalent in 2021, saw a decrease in number, total transfer amount ($27 million) and average transfer amount ($294,137) in 2022. However, the rate of success in recovering funds dropped from 42% in 2021 to 24% in 2022.
  • Forensic investigation costs increased by 20% on average last year, not including business interruption costs, data review and notice costs, and indemnity claims.
  • The attacker-defender struggle continued. Organizations implemented enhanced security measures and attackers evolved by using techniques such as MFA bombing, social engineering, EDR-evading malware and SEO poisoning.
  • Litigation related to data breaches was more frequent and lawsuits are being filed in matters affecting fewer individuals.
  • Lawsuits based on privacy statutes continued to grow.
Why this matters

Now in its ninth year, the Data Security Incident Response Report features statistics and insights from 1,160+ incidents that BakerHostetler’s Digital Assets and Data Management Practice Group helped clients manage in 2022. The unique report includes data aggregated from security incidents as well as insights from BakerHostetler’s full suite of advisory services for clients across the entire data and technology life cycle.

Key findings from the report are summarized on the inside cover and discussed in depth throughout. A dashboard-style “At a Glance” section provides data points on nine key incident response trends. These key areas are also covered in depth through annually recurring sections — industries affected, incident response life cycle timelines, forensics, regulatory investigations, litigation trends, privacy and ransomware. The statistics provide context companies can use to benchmark and prioritize where to make changes to enhance their cybersecurity posture. There are also “Take Action” items that convey the most common recommendations for improvements.  

The 2023 DSIR Report includes full sections on website tracking technology; issues faced by educational institutions, tribal organizations and health care institutions; actions by the Securities and Exchange Commission; international data protection developments; and updates on employee issues, Federal Trade Commission rulemaking and enforcement, information governance, advertising issues, state data collection laws, digital assets, and tech transactions.

Key quote

“We launched the Data Security Incident Response Report nine years ago because we recognized that organizations were making data-driven decisions about other areas of risk and compliance and that there was no source for that purpose for data security,” said Theodore J. Kobus III, chair of BakerHostetler’s Digital Assets and Data Management Practice Group. “The statistics and insights in the report are intended to help organizations with benchmarking and projections so they do not have to make decisions based on hype and fear. As organizations implement stronger security measures to adapt to the changing risk landscape, we see threat actors adapting their methods accordingly. The need for vigilance remains ever present. We also recognized that data and technology issues require an enterprise approach. So, over the years we added capabilities to serve our clients across the life cycle of data technology. Our Digital Assets and Data Management Practice Group now has more than 100 dedicated attorneys and technologists.”

Ransomware is back in full force

A reduction in ransomware matters in 2022 reversed course by the end of the year. The surge is continuing in 2023.

  • Average ransom demanded was $3,713,939. Six of eight industries tracked in the report showed an increase in the average ransom demanded.
  • Average ransom paid (for all industries) increased 15% in 2022 to $600,688. The health care industry saw the largest increase in average ransom paid ($1,562,141, up 78% from 2021).
  • Recovery times associated with ransomware incidents increased significantly overall and in almost every industry tracked.
  • Industries with a substantial increase in average recovery time included retail, restaurant and hospitality (91%), health care (69%), and energy and technology (54%).
Improvement in forensics data

There has been improvement in key incident response metrics over the past several years, according to DSIR Report data. In network intrusion matters, dwell time dropped from 66 days to 39 days; average time to containment is down to three days from four; and investigations on average are taking 36 days to complete, down from 41.

Threat actors find new ways around security measures

Many organizations have implemented stronger security and resiliency measures such as multifactor authentication, endpoint detection and response tools, immutable backups, and third-party security operation centers to monitor host and network activity in real time — to combat the most common methods used by cybercriminals.

However, threat actors have proven adaptable and resourceful at finding new ways to attack systems. Tactics BakerHostetler observed in 2022 include the following:

  • MFA bombing: Where, after obtaining an account’s username and password, the threat actor repeatedly sends authentication notices until the user wears down and approves the request — thus allowing the threat actor access.
  • EDR-evading malware: Threat actors evade EDR tools using polymorphic malware. In other instances, EDR tools are not deployed across all key assets, thus leaving systems vulnerable to threat actors.
  • Social engineering: Threat actors impersonate a company’s customer, IT team member or other trusted source in a conversation with an employee of the company. Over multiple conversations, sometimes lasting months, the threat actor eventually gains the trust of the employee, who through some action permits the threat actor to gain access to the system.
  • Search engine optimization poisoning: Threat actors create fraudulent websites mimicking real ones. They then use SEO to have the site show up higher in web searches. Customers mistakenly use the fraudulent site and enter their credentials, which are stolen and used by the threat actors.
Lawsuits proliferate

Litigation is a significant risk for companies that collect data and manage digital assets. A now five-year trend was observed — a greater percentage of incidents in which an organization provided notice to individuals that resulted in the filing of at least one lawsuit (from four out of 394 in 2018 to 42 out of 494 in 2022). Another multiyear trend is that lawsuits are being filed over small incidents. In 2022, four lawsuits were filed in incidents where fewer than 1,000 individuals were notified. Incidents where fewer than 100,000 individuals (but more than 1,000) were notified resulted in 14 lawsuits.

The 2023 DSIR Report includes in-depth analysis of privacy statute litigation, including lawsuits involving the California Invasion of Privacy Act, the Video Privacy Protection Act, Right of Publicity Statutes, the Illinois Biometric Information Privacy Act and the Health Insurance Portability and Accountability Act, as well as a wave of litigation based on website tracking technology.

Key quote

“Securing an enterprise is a significant challenge — there are a lot of risks and just spending more money does not automatically equate to more effective security,” said Craig Hoffman, co-leader of BakerHostetler’s national Digital Risk Advisory and Cybersecurity team. “We see a lot of incidents, including what allowed them to occur and what was done to address the issue. Because enterprises do not have unlimited budgets and staff to implement and maintain new solutions, being able to share objective data about security incidents — from causes to fixes to consequences — helps clients decide where to prioritize their efforts.”

BakerHostetler’s DADM Practice Group is a convergence practice addressing enterprise risks, disputes, compliance and opportunities throughout the life cycle of data, technology, advertising and innovation, including brand strategies and monetization. The practice group integrates seven service teams — Digital Risk Advisory and Cybersecurity; Advertising, Marketing and Digital Media; Privacy Governance and Technology Transactions; Health Care Privacy and Compliance; Privacy and Digital Risk Class Action and Litigation; Digital Transformation and Data Economy; and Emerging Technology.

For more information on the firm’s DADM Practice Group, visit Connect with us on Twitter at @BakerHostetler or on LinkedIn at @BakerHostetler@TedKobus and @CraigHoffman.


About BakerHostetler

BakerHostetler helps clients around the world address their most complex and critical business and regulatory issues. Our highly ranked attorneys deliver sophisticated counsel and outstanding client service. We have six core practice groups — Business, Digital Assets and Data Management, Intellectual Property, Labor and Employment, Litigation, and Tax — and more than 1,000 lawyers coast to coast. For more information, visit