Kiteworks Unveils the Real Impact Behind 2024’s Biggest Data Breaches

Every year, cybersecurity watchers tally up the largest data breaches, typically ranked by the billions of records exposed or stolen. But what if the true cost of a breach isn’t just in the numbers—but in what those numbers actually mean?

Kiteworks, a leader in secure information exchange, aims to shift that conversation with the release of its “Top 11 Data Breaches of 2024” report. At the heart of this year’s analysis is a new framework: the Risk Exposure Index (REI)—a proprietary scoring model that redefines breach severity by focusing not just on scale, but on substance. Using a multidimensional approach that weighs data sensitivity, financial fallout, regulatory risk, attack sophistication, and more, the REI reveals a more nuanced and impactful view of cybersecurity threats.

In this exclusive TechBullion Q&A, Kiteworks vice president of corporate marketing and research, Patrick Spencer, unpacks the findings from the report, explores why what data is stolen now matters more than how much, and explains how businesses can use these insights to prioritize protection, secure their ecosystems, and stay ahead of 2025’s emerging cyber risks.

Your latest report introduces the Risk Exposure Index (REI). What makes this approach different from traditional breach severity rankings?

The Risk Exposure Index (REI) represents a significant advancement over traditional breach severity rankings by providing a multidimensional assessment framework rather than relying solely on record counts. While conventional approaches typically focus on the number of records exposed as the primary metric, the REI incorporates seven key weighted factors: number of records exposed (15%), financial impact estimation (20%), data sensitivity classification (20%), regulatory compliance implications (15%), ransomware involvement (10%), supply chain impact assessment (10%), and attack vector sophistication (10%). This comprehensive methodology normalizes each factor on a 1-10 scale to produce a final score ranging from 1 (minimal impact) to 10 (catastrophic impact), enabling more meaningful comparisons between diverse breach types. The report’s analysis confirms this approach’s value, showing that financial impact (r=0.84) and data sensitivity (r=0.78) correlate more strongly with actual breach severity than raw record counts (r=0.61), proving that what was stolen often matters more than how much was taken.

One of the key findings is that data sensitivity matters more than record count. Can you break down why that’s such a game-changer?

The report’s finding that data sensitivity outranks record count as the most influential factor (24% influence) in determining breach severity represents a profound shift in how we should evaluate cybersecurity incidents. This insight challenges the headline-grabbing focus on massive record counts and redirects attention to the actual harm potential of compromised information. The LoanDepot breach perfectly illustrates this principle—despite affecting only 16.9 million records (relatively small compared to National Public Data’s 2.9 billion), its exposure of highly sensitive financial documentation including tax returns and income verification earned it a higher risk score than several larger breaches containing less sensitive data. The report establishes a clear sensitivity hierarchy, with protected health information and financial documentation at the top, followed by payment details, Social Security numbers, and credentials. This finding should fundamentally reshape how organizations prioritize their security investments, suggesting they focus protective measures on their most sensitive data repositories rather than attempting to uniformly secure all information assets.

How did this insight play out in 2024’s biggest breaches? Were there cases where fewer records were exposed but the impact was severe?

The supremacy of data sensitivity over record count was vividly demonstrated through several key breaches. The Change Healthcare incident stands as the most compelling example—while affecting “only” 190 million records (significantly less than National Public Data’s 2.9 billion), it earned the second-highest risk score (8.7) due to the extreme sensitivity of the compromised healthcare claims data and its catastrophic impact on the entire healthcare ecosystem. Similarly, the LoanDepot breach exposed just 16.9 million records but received a high risk score (7.6) because it contained highly sensitive financial documentation including tax returns and income verification. The Kaiser Foundation Health Plan breach (13.4 million records) and Dell Technologies breach (49 million records) further reinforce this pattern, with both receiving elevated risk scores (7.6 and 7.2 respectively) despite their relatively smaller scale, primarily due to the sensitive nature of the compromised information and regulatory implications. These cases definitively prove that what was stolen matters significantly more than how much was taken when measuring true breach severity.

The Change Healthcare breach received a perfect 10.0 for Supply Chain Impact. What made its effects so widespread?

The Change Healthcare breach stands as a textbook example of how a single vulnerability can cascade through an entire ecosystem, earning it a perfect 10.0 Supply Chain Impact score. As a critical infrastructure provider processing approximately 15 billion healthcare transactions annually and handling claims for one in three Americans, Change Healthcare’s systems were deeply embedded in the operations of thousands of healthcare providers nationwide. When its claims processing infrastructure was completely shut down for 26 days, it triggered a healthcare payment crisis of unprecedented proportions. The cascading effects included disruption of cash flow for healthcare providers across the country, delayed patient care due to verification challenges, pharmacy processing interruptions affecting medication access, and administrative backlogs that persisted months after technical recovery. The breach demonstrated how supply chain dependencies create force multiplier effects, where the impact extends far beyond the directly compromised organization—the initial $22 million ransom payment pales in comparison to the estimated $32.1 billion in total ecosystem impact, a ratio that underscores the amplification effect of supply chain breaches.

Meanwhile, the National Public Data breach had the highest overall risk score. What specific factors drove its ranking?

The National Public Data breach earned the highest overall risk score (8.93) due to a perfect storm of critical risk factors. Most prominently, it exposed an unprecedented 2.9 billion records—the largest data breach in history by volume—earning a maximum score of 10.0 for records exposed. The financial impact was similarly catastrophic, estimated at over $10 billion, which includes direct costs of notification and credit monitoring services, plus indirect costs from business disruption and reputational damage that erased $3.8 billion in market capitalization in just one week. The breach also scored exceptionally high (9.5) on data sensitivity due to the compromise of Social Security numbers for approximately 1.1 billion individuals, along with home addresses, property ownership information, and other sensitive personal details. Additionally, its regulatory implications were severe (9.0), triggering investigations by the FTC, SEC, 47 state attorneys general, and European data protection authorities in 12 countries. The attack vector sophistication (8.4) was also remarkable, featuring “low-and-slow” API exploitation methods specifically designed to evade detection systems, allowing attackers to remain undetected for nine months.

Your research also examines how breaches happen. What trends stood out in the sophistication of attack methods used in 2024?

The 2024 breach landscape revealed significant evolution in attack sophistication. Credential-based attacks remained the primary initial vector in 5 of 11 major breaches but evolved from generic phishing to advanced social engineering tactics like Dell’s convincing partner impersonation and Kaiser’s MFA fatigue techniques. The vulnerability exploitation window shortened dramatically, with Change Healthcare attacked just 16 days after patch release. Most concerning was the rise of “low-and-slow” methodologies, exemplified by National Public Data’s breach where attackers maintained undetected access for nine months using sophisticated evasion techniques. The Ticketmaster breach showcased another trend—combining zero-day exploitation with highly targeted actions focused on specific high-value systems. These patterns indicate threat actors are increasingly prioritizing stealth and precision over speed, conducting extensive reconnaissance to understand their targets’ most valuable assets.

Regulatory consequences factored heavily into your rankings. How are different industries handling the compliance challenges that follow major breaches?

The report reveals significant disparities in how industries handle post-breach regulatory challenges, with financial services and healthcare demonstrating the most mature response frameworks due to their established regulatory environments. Healthcare organizations like Change Healthcare and Kaiser face particularly complex scenarios under HIPAA, with UnitedHealth Group navigating both healthcare regulations and SEC disclosure requirements simultaneously. Financial institutions like LoanDepot contend with sector-specific obligations under GLBA alongside state privacy laws. The retail sector, exemplified by Hot Topic, struggles with the intersecting demands of PCI DSS compliance and consumer protection regulations. Organizations operating internationally, like Ticketmaster, face the most daunting compliance landscape, navigating requirements across dozens of jurisdictions with conflicting timelines and mandates. The report notes that entities subject to multiple regulatory regimes experienced 27% higher breach costs, yet regulation alone hasn’t proven effective at preventing breaches, as regulated and less-regulated industries showed similar breach rates, suggesting compliance doesn’t necessarily equate to better security.

Healthcare and financial services consistently top breach impact lists. What systemic issues make them prime targets for cyberattacks?

Healthcare and financial services consistently top breach impact lists due to several systemic vulnerabilities. Both industries store extraordinarily valuable data—healthcare holds protected health information (ranked highest in data sensitivity), while financial institutions possess documentation enabling immediate monetization. Their complex digital ecosystems, often combining aging legacy infrastructure with modern cloud services, create expanded attack surfaces with security gaps. The report highlights how operational constraints delay critical security updates—Change Healthcare was breached just 16 days after a patch release. Third-party dependencies amplify risks through interconnected vendor networks, as demonstrated by Kaiser Permanente’s vendor breach. Finally, strict regulatory requirements paradoxically increase breach impact; while protecting consumers, they significantly raise post-breach costs through mandatory notifications, investigations, and penalties, explaining why these sectors experienced 27% higher breach costs.

Your report highlights third-party risk as a growing concern. Why do organizations still struggle with securing vendor and partner ecosystems?

Organizations continue to struggle with third-party risk management despite its growing importance. The report identifies this as “the least mature security domain in 2024,” with most vendor assessment programs remaining compliance-oriented rather than risk-based, using point-in-time questionnaires instead of continuous monitoring. The Change Healthcare breach illustrated this problem dramatically, receiving a perfect 10.0 Supply Chain Impact score when its compromise disrupted thousands of healthcare providers nationwide. Contract security requirements typically lack specificity and enforcement mechanisms, while incident response plans rarely account for multi-party scenarios. The report notes that 64% of major breaches exploited third-party vulnerabilities, proving security is only as strong as the weakest vendor. This gap persists because addressing it requires cross-organizational collaboration and governance models that clash with traditional security approaches focused primarily on organizational boundaries.

For businesses looking to reduce their exposure, what key takeaways from the report should they act on immediately?

Businesses should act immediately on these key takeaways: First, classify data by sensitivity and focus security on the most sensitive assets, as data sensitivity showed the strongest correlation (24%) to breach impact. Second, strengthen third-party risk management, as 64% of major breaches exploited supply chain vulnerabilities. Third, accelerate vulnerability patching, particularly for customer-facing systems, with the Change Healthcare breach demonstrating exploitation just 16 days after patch release. Fourth, enhance credential security with phishing-resistant authentication, as credential attacks remained the initial vector in nearly half of major breaches. Finally, develop incident response plans that prioritize business continuity, particularly for ransomware scenarios where operational impact correlation (r=0.76) significantly exceeds general risk correlation (r=0.47).

Beyond short-term fixes, how can organizations use the Risk Exposure Index to guide long-term cybersecurity investments?

Organizations can leverage the Risk Exposure Index for strategic long-term cybersecurity investments by using its weighted factor analysis to align security spending with actual breach impact drivers. Rather than spreading resources evenly, they should prioritize protecting their most sensitive data repositories (24% influence on risk score), focus on reducing potential financial impact through segmentation and resilience (22% influence), and strategically address regulatory compliance through automated frameworks (18% influence). The REI’s correlation findings should guide architecture decisions—with data sensitivity mattering more than volume, organizations might consolidate sensitive data into highly secure environments while distributing less sensitive information. Supply chain impact scores should inform vendor management strategies, particularly for critical service providers like Change Healthcare whose compromise received a perfect 10.0 score. Finally, the REI provides a common risk language that enables security leaders to communicate investment priorities to boards and executives in terms of measurable risk reduction rather than technical capabilities.

With 61% of breaches involving third-party interactions, how does Kiteworks Private Data Network (PDN) mitigate the risk of vendor and partner ecosystems, especially in highly regulated industries?

Kiteworks Private Data Network (PDN) addresses the critical third-party risk challenge highlighted in the report by creating a secure, controlled environment for all sensitive data exchanges. Given that 64% of major breaches exploited supply chain vulnerabilities, PDN’s unified approach provides significant advantages, particularly for highly regulated industries. The platform establishes a security boundary that extends beyond organizational perimeters to encompass the entire digital supply chain, replacing the fragmented third-party connections that led to breaches like Change Healthcare’s (which received a perfect 10.0 Supply Chain Impact score). For regulated industries like healthcare and financial services, which experienced 27% higher breach costs due to compliance requirements, PDN’s comprehensive tracking, governance, and compliance capabilities ensure that all data exchanges meet regulatory standards regardless of the partner involved. By unifying visibility and control across all sensitive data movements, PDN addresses the report’s finding that third-party risk management remains “the least mature security domain in 2024,” converting a significant vulnerability into a manageable risk.

Looking ahead, what cyber threats and vulnerabilities should businesses be preparing for in 2025 based on your latest findings?

Looking ahead to 2025, businesses should prepare for more sophisticated third-party and supply chain attacks as threat actors recognize these remain the least mature security domain. The report’s finding that 64% of major breaches exploited these relationships suggests attackers will continue targeting the weakest links in interconnected ecosystems. We’ll likely see more incidents resembling the Change Healthcare breach, where compromise of a single service provider created catastrophic cascading effects across an entire industry. AI-related vulnerabilities present a growing concern on two fronts: first, as organizations integrate generative AI into their operations, potential data leakage through these systems creates new exfiltration vectors; second, AI-powered attacks will become more prevalent, with threat actors leveraging machine learning to create more convincing social engineering schemes or to identify and exploit vulnerabilities faster than organizations can patch them. The diminishing window between patch release and exploitation (just 16 days in the Change Healthcare breach) will likely shrink further, making rapid vulnerability management an even greater priority.
