Connect with us

Hi, what are you looking for?


Data Breaches

Companies Increasingly Hit With Data Breach Lawsuits: Law Firm

Lawsuits filed against companies that have suffered a data breach are increasingly common, with action being taken even for incidents affecting less than 1,000 people.

Lawsuits filed against companies that have suffered a data breach are increasingly common, with action being taken more frequently even in cases where the number of impacted individuals is smaller, according to US law firm BakerHostetler.

BakerHostetler last week published its 2023 Data Security Incident Response Report, which is based on data collected from more than 1,100 cybersecurity incidents investigated by the company in 2022. 

The report shows that 45% of incidents were network intrusions, followed by business email compromise (30%) and inadvertent data disclosure (12%). Following initial access, the most common actions were ransomware deployment (28%), data theft (24%), email access (21%), and malware installation (13%). 

Earlier this year, a blockchain data company reported seeing a significant drop in the total amount of money received by ransomware groups in 2022 ($457 million) compared to the previous year ($766 million). 

However, data collected by BakerHostetler shows that ransomware victims that did pay a ransom in 2022 paid more compared to 2021. The largest ransom demand seen by the firm in 2022 exceeded $90 million (compared to $60 million in 2021), and the largest ransom that was paid in 2022 was more than $8 million (compared to $5.5 million in 2021). The average ransom amount paid last year was roughly $600,000, up from $511,000 in 2021. 

The cost of forensic investigations has also increased. For the 20 largest network intrusions, the average cost increased by 24%, from $445,000 in 2021 to $550,000 in 2022. 

In addition to higher ransom demands and increased forensic costs, BakerHostetler found that a bigger percentage of incidents where the impacted organization notified individuals of a data breach resulted in at least one lawsuit. Specifically, the numbers have increased from four lawsuits out of 394 incidents in 2018 to 42 lawsuits filed for 494 incidents in 2022. 

Four of the lawsuits filed last year were in response to incidents where fewer than 1,000 people were impacted, and 14 lawsuits were filed over incidents that hit between 1,000 and 100,000 people. 

Advertisement. Scroll to continue reading.

Another category of lawsuits has also increased: privacy-related class actions. BakerHostetler is aware of more than 50 lawsuits filed since August 2022 against hospital systems that allegedly shared patient identities and online activities via third-party website analytics tools without the user’s knowledge and consent.

The law firm says it’s currently defending more than 200 lawsuits related to privacy or data security. 

BakerHostetler’s report also looks at incident response trends, threat actor techniques, trends focusing on specific sectors and areas, state privacy and data collection laws, digital assets, and transactional data privacy and security.  

Related: Capita Confirms Data Breach After Ransomware Group Offers to Sell Stolen Information

Related: Ransomware Attack Hits Health Insurer Point32Health

Related: Payments Giant NCR Hit by Ransomware

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.