On Average, Announcing a Data Breach Takes 287 Days


October 6, 2022

According to IBM, it takes an average of 287 days for security teams to identify and contain a data breach. The timeline for notifying potentially affected customers can be even longer. On August 25, 2022, Georgia-based CorrectHealth (CH) announced that it had experienced a data security incident. The breach affected 54,066 individuals. CH stated that on November 10, 2021, it discovered that an unauthorized user potentially had access to its employee email accounts. The company promptly engaged a specialized third-party forensic firm to determine the nature and scope of the incident. The investigation concluded on January 28, 2022. CH then engaged a third party to analyze the specific files that were compromised and to identify the individuals potentially impacted. This review lasted from March to July 2022.

It still took almost another month before CH announced the breach. From detection on November 10, 2021, to the announcement on August 25, 2022, the customer notification timeline was 289 days, two days more than the IBM average. This shows how long it takes organizations to figure out what happened and to report it. So if you experienced a data breach on January 1st of this year, you may not have fully identified and contained it until October 14th.
