US manufacturing & utility businesses leaked nearly 88 million records in 302 data breaches in 2023

Since 2020, US businesses that specialize in manufacturing and utilities have suffered 973 data breaches affecting more than 202 million records. Based on the average cost per breached record (as reported by IBM each year), we estimate these breaches may have cost these businesses more than $33 billion. In 2023 alone, 302 data breaches are estimated to have cost almost $14.5 billion.

In 2022, the total number of data breaches across all sectors declined 14 percent from 2021, dropping to 226 from 262. But in 2023, manufacturing and utility data breaches hit an all-time high. The number of breaches exceeded 300 for the first time since our reporting first began in 2020.

Over the last four years, the number of records involved in these attacks has increased exponentially. In 2020, 2.3 million records were breached. This skyrocketed to more than 51 million records in 2021, just over 61 million in 2022, and more than 87.7 million in 2023. Oftentimes, these high figures stem from one or two large breaches. For example, the vast majority of impacted records in 2023 came from two data breaches: Comcast Cable Communications, LLC dba Xfinity with almost 35.9 million and VF Corporation with 35.5 million breached records.

It’s a similar story when we look at the average number of records lost per breach, too. In 2020, the average loss was 19,307. This jumped to 275,000 in 2021, 349,000 in 2022, and 399,000 in 2023. This demonstrates a growing trend in which hackers target organizations with large databases.

What’s more, the true extent of breaches often isn’t felt for months, if not years, so the average number of records affected per breach this year could increase even further.

So, what are these breaches costing manufacturing companies and utilities, how have they developed over time, and what threat does 2024 pose for data breaches within these sectors?

Our team of researchers collated information on manufacturing/utility data breaches over the last four years. We searched through state data breach reports, news, press releases, and industry reports to create an extensive list of breaches that have affected businesses across the United States. Due to there often being an overlap between manufacturing and utility organizations, we’ve included them together in this study.

Key findings from 2023

  • 302 manufacturing/utility businesses suffered data breaches
  • 87,717,122 records were affected because of these breaches
  • The cost of these affected records was more than $14.4 billion
  • The average number of records breached in 2023 was 398,714 per breach (a 14 percent increase on 2022’s average records breached–349,399)
  • California had the most breaches overall (34), followed by Texas (24), and New York (22)
  • Pennsylvania and Colorado had the highest number of records affected with 35.9 million and 35.8 million respectively (due to the large aforementioned attacks having their headquarters in these states)
  • Texas reported 9.2 million records breached, while Iowa, California, and Massachusetts were the only other states that reported above the 1 million records affected
  • The most common type of breach was hacking with 125 entities breached followed by ransomware with 73. Breaches via third parties (e.g. software providers or external agencies) saw the biggest increase in 2023–this was largely due to large-scale attacks via the MOVEit and Fotra GoAnywhere vulnerabilities

The worst hit states for manufacturing & utilities data breaches in 2023

California reported the highest number of data breaches in 2023 with 34 in total. Texas reported 24 breaches, and New York reported 22. They were closely followed by North Carolina with 18 and Massachusetts and Ohio with 17 each. 12 states did not suffer a manufacturing/utility data breach in 2023 (Alaska, Arkansas, Delaware, Idaho, Kansas, Mississippi, Nebraska, Nevada, North Dakota, South Dakota, West Virginia, and Wyoming).

The state with the highest number of records breached in 2023 was Pennsylvania with more than 35.9 million. The vast majority of these came from Comcast Cable Communications, LLC dba Xfinity in October 2023. This occurred via an unpatched Citrix vulnerability (now known as ‘Citrix Bleed’), which Xfinity had been notified of six days prior to the attack. Xfinity is now under investigation as a result.

Colorado had the second-highest number of records breached in 2023 with 35.8 million. Most of these records (35.5m) are due to a ransomware attack at VF Corporation.

It’s important to highlight that while Xfinity’s headquarters are located in Pennsylvania and VF Corporation’s in Colorado, the people affected by the breaches are nationwide. This is likely the same for some other companies, too. However, each breach and the number of records affected have been assigned to the state where the organization’s head office is located.

The cost of manufacturing & utility data breaches by year

According to IBM, the average cost per record involved in a breach in 2023 was $165–a slight increase on 2022’s cost of $164. 2023’s figure is the highest figure IBM has ever recorded and using these figures we have been able to estimate how much these breaches have cost manufacturing/utility businesses.

From 2020 to Feb 2024, the total cost of these types of data breaches amounted to an estimated $33 billion.

Over the last few years, the estimated cost of these breaches has gone through the roof. In 2020, the estimated cost of breaches was just $332.6 million. This increased by more than 24 times to reach a massive $8.2 billion in 2021. This increased further in 2022 ($10 billion) before reaching $14.5 billion last year.

While figures are already extraordinarily high, the true costs are likely much higher. This is not just because of all of the other costs involved in a data breach (e.g. recovery costs and ransom payments) but because some figures are unavailable for the number of records involved in breaches.

The top 5 biggest manufacturing & utility data breaches in 2023

  1. Comcast Cable Communications, LLC dba Xfinity – 35.9 million records: As we have seen, an unpatched Citrix vulnerability meant hackers gained access to more than 35.8 million customer records.
  2. VF Corporation – 35.5 million records: The December 2023 ransomware attack carried out by ALPHV/BlackCat resulted in the breach of 35.5 million records.
  3. AT&T (vendor) – 9 million records: A supply-chain attack via a third party saw 9 million records breached in January 2023. Most of the data leaked was reportedly related to device upgrade eligibility and was several years old.
  4. PurFoods, LLC dba Mom’s Meals – 1.2 million records: A ransomware attack on food manufacturing company, Mom’s Meals, resulted in 1.2 million breached records in January 2023.
  5. Topgolf Callaway Brands Corp. – 1.1 million records: In August 2023, Topgolf Callaway identified unusual activity on its computer network that resulted in more than 1.1 million customer records being breached.

Manufacturing & utility data breaches and records affected by month and year

As we’ve mentioned above, 2023 was a record-breaking year for data breaches on manufacturing/utility companies, accounting for 31 percent (302) of all breaches in the last four years. It also had the highest number of breached records, making up 44 percent of all records breached in the last four years (nearly 88 million). As hackers continue to go after companies with colossal datasets, should we expect 2024 to exceed figures seen in 2023?

2024 (to Feb)

  • Total # of breaches – 6
  • Total # of records affected – 46,398
  • Average # of records affected – 9,280
  • Total cost of breaches – $7,655,670

2023

  • Total # of breaches – 302
  • Total # of records affected – 87,717,122
  • Average # of records affected – 398,714
  • Total cost of breaches – $14,473,325,130

2022

  • Total # of breaches – 226
  • Total # of records affected – 61,144,782
  • Average # of records affected – 349,399
  • Total cost of breaches – $10,027,744,248

2021

  • Total # of breaches – 262
  • Total # of records affected – 51,135,997
  • Average # of records affected – 274,925
  • Total cost of breaches – $8,232,895,517

2020

  • Total # of breaches – 177
  • Total # of records affected – 2,278,238
  • Average # of records affected – 19,307
  • Total cost of breaches – $332,622,748

Manufacturing & utility data breach types

Since 2020, the breach category that has affected the most companies was hacking with 439 breaches, accounting for 45 percent of the total. Ransomware attacks were also prolific, accounting for 30 percent of all breaches with 291 attacks overall. There were also 105 third-party data breaches (a third-party vendor or processor), 13 inadvertent disclosure breaches, and 9 insider data breaches (e.g. theft by an employee). Some breaches remain unknown (111), with certain information still unavailable.

Above we have already acknowledged the largest data breaches with the highest number of records affected for 2023 (Comcast and VF Corporation), below are some other major data breaches across the different categories.

  • T-Mobile (August 2021 and November 2022, HACKS) – T-Mobile reported two hacking incidents that resulted in 47.8 million records (2021) and 37 million (2022) records being compromised.
  • Charter Communications (January 2023, THRD) – A utility-based company, Charter Communications expressed that a third-party vendor exposed 550,000 customer records in a breach in January 2023.
  • 200 Networks, LLC (Feb 2021, DISC) – 1,481,280 records in a database of robocall logs were accessible after researchers discovered them publicly exposed with no password protection.
  • Electrostim Medical Services (April 2023, RANS) – Healthcare manufacturer, EMS reported a ransomware attack by the ALPHV/BlackCat ransomware group in April 2023 which resulted in 542,990 breached records.
  • Tesla, Inc. (May 2023, INSD) – 75,735 confidential records were put at risk when two former Tesla employees misappropriated certain private information and shared it with a media outlet.

How is 2024 looking for manufacturing & utilities data breaches?

During the first two months of 2024, six reported manufacturing and utility data breaches so far this year have resulted in 46,398 breached records–two hacks, two ransomware attacks, and two unknowns. The unknowns, while unconfirmed, have both been claimed by ransomware attackers.

The two confirmed ransomware attacks were carried out on utility companies in January 2024. Veolia North America, Massachusetts, was breached by an unknown ransomware group with 8,951 records affected. Meanwhile, Muscatine Power and Water, Iowa, has just confirmed that 36,955 people were breached in its ransomware attack.

As we have already seen, hackers have become much more targeted in their approach with a shift to breaching “big-ticket” companies in possession of large data sets.

Utility and manufacturing companies are targeted by both cybercriminals looking for low-hanging fruit as well as sophisticated state-sponsored attackers. A successful attack against these companies can cause widespread outages and supply chain issues, not to mention putting customer privacy at risk. And that’s why this industry remains a key target for hackers in 2024.

Methodology

Using state reports, news, press releases, and industry reports, we have collated all of the records of data breaches that have occurred in companies that specialize in manufacturing and utilities– including two subcategories– healthcare manufacturing and food manufacturing.

Our research found 973 manufacturing and utility data breaches in total from 2020 to February 2024. Out of these, we went on to find the number of records affected for each breach (if the data was available). Using this information, we could then use figures provided by IBM to make estimates as to how much these breaches are costing businesses. IBM’s yearly figure (e.g. $165 for 2023) was added to the number of records affected to create an estimated total amount lost. For 2024 we used the IBM cost per breach from 2023 (as this isn’t available for 2024 yet).

For a full list of sources, please request access here.

Researcher: Charlotte Bond