
Four months: The average time it takes to report a data breach following a ransomware attack


If your private information is stolen in a ransomware attack, then you probably won’t find out about it for several months.

On average, it takes US organizations just over four months to report a data breach following a ransomware attack.

Between 2018 and 2023 the average time to report a ransomware breach more than doubled, from 2.1 months in 2018 to just over 5 months in 2023.

Across the four key sectors (business, education, government, and healthcare), education had the highest overall average for ransomware data breach reporting at 4.8 months. Healthcare had the lowest with 3.7 months, while businesses (4.2 months) and government entities (4.1 months) were similar.

Perhaps ironically, law firms had the worst overall average: 6.4 months to report a data breach stemming from a ransomware attack.

Using data collated by Comparitech researchers across over 2,600 ransomware attacks in the US since 2018, we examined how long it takes companies to report a data breach following a ransomware attack. We’ve analyzed these averages by year, key sectors and industries, state, and ransomware strain.

Until the victims of a data breach are notified that they’ve been compromised, they are vulnerable to identity theft, targeted scams, credit card fraud, impersonation, extortion, account takeovers, and more. Timely notification is essential for victims of data breaches to protect themselves, prompting them to check their credit reports, bank statements, and account security settings before the damage spirals out of control.

Key findings:

  • The average time to report a data breach following a ransomware attack is 4.1 months
  • Ransomware attacks in 2023 saw the highest average data breach reporting time (5.1 months)
  • Education had the highest average with over 4.8 months
  • Healthcare had the lowest average with just under 3.7 months
  • Businesses took an average of 4.2 months with those in the legal sector taking the longest (6.4 months)
  • The longest known reporting period is 38 months
  • States with specific timeframes for reporting a data breach had a slightly lower average reporting period than those without (3.9 months compared to 4.2 months)
  • Ransomware strains Pysa and LockBit have the highest average reporting periods (6.8 months and 5.7 months, respectively), while among the lowest were Lynx (2.6 months), RansomHub (3.2 months), and Qilin (3.3 months)

Ransomware data breach reporting by year

2023 saw the highest reporting period at 5.1 months. This figure did drop in 2024 (3.7 months) but, as we’re still seeing a number of breaches being reported from 2024, we expect this average to rise in the coming months. Therefore, 2023 likely gives us the most recent and accurate average as to how long data breaches are taking to report at present.

As the above pie charts demonstrate, breaches reported within one or two months of the ransomware attack taking place decreased year on year from 2019 to 2023. And the number of breaches reported six to 12 months after the attack took place increased significantly, especially in 2023.

Ransomware data breach reporting by industry

As we’ve already noted, the healthcare sector has the lowest average time for reporting data breaches following ransomware attacks.

Average time to report a ransomware data breach from 2018 to present:

  • Businesses = 4.16 months
  • Education = 4.84 months
  • Government = 4.13 months
  • Healthcare = 3.69 months

This could be due to healthcare organizations’ obligations under the Health Insurance Portability and Accountability Act (HIPAA) as well as state laws. The HIPAA Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after the breach is discovered.

Often, healthcare companies will submit a notice to the breach portal of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) before they know exactly how many people were affected. Because the portal lists breaches affecting 500 or more individuals, we frequently see organizations file a placeholder figure of 500 or 501 victims while further investigations are carried out.

In contrast, other sectors are primarily governed by individual state laws, which we’ll explore in more detail below. Some of these state laws may also include stipulations for certain entities. For example, Hawaii has a 20-day limit for government entities to notify the legislature after a breach.

The longest-known delay in reporting a ransomware data breach is 38 months

The longest known data breach reporting period (38 months) came from a healthcare company. In September 2023, Ventura Orthopedics started notifying patients of a July 2020 ransomware attack. Initially, Ventura believed the data breach was limited to one patient but further investigations revealed this wasn’t the case.

Another healthcare company, Westend Dental, was recently fined $350,000 for violating HIPAA regulations after its two-year delay in notifying victims of an October 2020 attack via MedusaLocker. Westend initially denied it had been hit by a ransomware attack before finally submitting data breach notifications to the 450 people affected in October 2022.

Also among the longest-known data breach reporting delays following a ransomware attack are CR&R Incorporated d/b/a CR&R Environmental Services and Exela Technologies, Inc.

CR&R Environmental Services reported its data breach in December 2024. Here, nearly 10,000 people were impacted when it was hit by an attack in October 2022 (both Vice Society and ALPHV/BlackCat claimed attacks on CR&R around that time).

The reason for the delay?

The investigation took two years, not concluding until October 2024.

Meanwhile, Exela Technologies, Inc. issued data breach letters in June 2024 after Hunters International posted the company to its data leak site in April 2024.

That’s only two months, though, right?

Well, yes… but the stolen data came from an attack way back in June 2022, which was carried out by Hunters’ predecessor, Hive.

Average ransomware data breach reporting by business sector

Within our business category, we also break down companies by sector. So, while businesses had an overall average data breach reporting period of 4.16 months after a ransomware attack, some sectors performed much better than others.

Legal companies had the worst overall average at 6.4 months but were closely followed by companies operating in the education sector* with an average of 6.3 months. Meanwhile, utility companies and companies in the healthcare sector** had the best overall averages.

*Not schools, colleges, and universities, but other businesses such as examination boards, substitute teacher providers, and online-based education tools.

**Not hospitals, clinics, and other direct care providers but companies operating in this sector, such as pharmaceutical manufacturers, healthcare billing providers, and medical device manufacturers.

Average months to report a ransomware data breach, by business sector and year of attack (n/a = no qualifying breach reports for that sector and year; 2024 and 2025 figures are partial, as notifications for those attack years are still arriving):

| Year | Construction | Education | Finance | Food and Beverage | Healthcare | Legal | Manufacturing | Retail | Service | Technology | Transportation | Utilities | Other |
|------|------|------|------|------|------|------|------|------|------|------|------|------|------|
| 2018 | 2.00 | 3.00 | 1.67 | n/a | 3.00 | 5.00 | 1.50 | 1.00 | 1.67 | n/a | n/a | n/a | 2.00 |
| 2019 | 1.00 | n/a | 1.33 | n/a | 2.00 | n/a | 3.00 | 5.00 | 4.67 | n/a | n/a | 2.00 | 4.25 |
| 2020 | 3.85 | 6.00 | 4.00 | 3.17 | 4.00 | 5.75 | 4.88 | 3.29 | 3.87 | 2.60 | 3.75 | 2.56 | 2.67 |
| 2021 | 2.23 | 5.00 | 4.43 | 3.13 | 3.57 | 7.44 | 3.53 | 3.79 | 4.46 | 2.65 | 4.25 | 2.83 | 4.06 |
| 2022 | 3.35 | 3.50 | 5.04 | 3.93 | 3.64 | 6.82 | 3.43 | 4.59 | 3.91 | 5.70 | 3.82 | 5.63 | 4.95 |
| 2023 | 5.40 | 9.17 | 5.20 | 4.72 | 3.64 | 6.68 | 3.76 | 5.57 | 5.33 | 6.11 | 4.33 | 3.80 | 4.90 |
| 2024 | 2.88 | 5.33 | 3.48 | 2.97 | 2.76 | 4.65 | 4.09 | 3.63 | 3.85 | 4.15 | 2.94 | 2.64 | 4.31 |
| 2025 | 2.50 | n/a | 1.80 | 2.00 | n/a | 2.00 | 1.81 | 1.80 | 1.25 | 3.00 | n/a | n/a | 2.40 |

Average ransomware data breach reporting by state

While there is no federal data breach law, each US state has its own data breach reporting requirements. 17 states also stipulate how long an organization has to report a data breach. This is as low as 30 days in Colorado and Florida and as high as 90 days in Connecticut.

Does this legislation have any impact on how quickly breaches are reported in these states?

Maybe slightly, but not significantly.

In the 17 aforementioned states, the average reporting time for a breach following a ransomware attack is just under 3.9 months. In states without a specific time period, it’s about 4.2 months.

None of the states in the top five for longest reporting periods has a specific timeframe for submitting data breach notifications.

  1. Wyoming = 7.3 months
  2. District of Columbia = 6.6 months
  3. North Dakota = 6.3 months
  4. New Jersey = 5 months
  5. Michigan = 4.9 months

At the other end of the scale with the shortest reporting periods were:

  1. Montana = 1.9 months
  2. South Dakota = 2.2 months
  3. Alaska = 2.3 months
  4. Idaho = 2.3 months
  5. Hawaii = 2.7 months

Of those, only South Dakota specifies a timeframe in which breaches should be reported (60 days). It is, therefore, the only state where the average reporting period is close to what’s required by law.

Data breach reporting periods by ransomware gang

Even though you could argue that the type of ransomware used in an attack shouldn’t have too much impact on the data breach reporting period, there does appear to be quite a significant difference in the averages when we look by ransomware strain.

Top 10 average data breach reporting times by ransomware gang

  1. Pysa = 6.8 months
  2. LockBit = 5.7 months
  3. Karakurt = 5.3 months
  4. AvosLocker = 5.1 months
  5. DragonForce = 5 months
  6. Conti = 4.9 months
  7. RansomHouse = 4.8 months
  8. Royal = 4.8 months
  9. NoEscape = 4.7 months
  10. ALPHV/BlackCat = 4.6 months

There could be a number of reasons for these lengthier delays.

First, a company may be unsure whether or not data has been breached following an attack, especially if there is no contact with the hackers. So, until the hacker makes a claim on its data leak site or affected systems are analyzed to see what data may have been impacted, the data theft and the extent of it may be somewhat unknown.

This appears to be the case with the group with the highest data breach reporting average–Pysa. The longest known delay comes from Felix Storch following its attack in December 2020. It didn’t communicate with Pysa after its ransom demands and, initially, the manufacturer didn’t believe any data had been stolen. But subsequent investigations found that around 226 people had been affected and letters were issued in October 2022, 22 months later.

In contrast, Judson Independent School District did make contact with Pysa and paid the gang $547,000 to have its stolen data deleted in June 2021. Due to the nature of the attack, Judson ISD still needed to issue data breach notifications. One extensive investigation later, it started notifying nearly 429,000 people of the breach in September 2022, more than a year after the attack.

The investigations that take place after every data breach often play a huge part in how long it takes a company to report it. Most companies employ a third-party cybersecurity firm to do the work, which involves going through all of the data impacted to determine which individuals have been affected. The company then has to find current contact details for everyone whose data may have been involved, and difficulty locating that information can also stretch disclosure times.

Other factors can include the length of time it takes to discover the breach. For example, when Stock Development started issuing its data breach letters in January 2025, it revealed that its breach had started in April 2023 but it had only become aware of it in March 2024 when unauthorized activity (LockBit) was detected on its systems.

Data breaches following attacks via the following ransomware gangs had the lowest data breach reporting times:

  1. Lynx = 2.6 months
  2. NetWalker = 3.1 months
  3. RansomHub = 3.2 months
  4. Qilin = 3.3 months
  5. DarkSide = 3.3 months

Many of Lynx’s and RansomHub’s attacks are from the last year, which could point toward more prompt reporting following these types of attacks. Qilin is a more recent strain that emerged in 2023. However, these averages may also be artificially low because the slower notifications for 2024 attacks are still arriving and have not yet been counted.

NetWalker’s attacks from 2020 and 2021 often included significant breaches on healthcare companies, which may explain its lower average. DarkSide in the same period often launched large, highly publicized attacks, e.g., Colonial Pipeline, Smile Brands, and Brenntag North America, Inc.

The danger of waiting too long to report a data breach following a ransomware attack

As we have noted above, companies are sometimes unsure whether data has been stolen in a ransomware attack until a hacker makes a claim on its leak site. That’s why it’s always better to assume the worst and prepare for it.

The aforementioned attack on Exela Technologies is a prime example. Two years on from its attack, the company could be forgiven for thinking it was “out of the woods.” But as hacking groups evolve, splinter, regroup, and take on new affiliates, they will look for ways to squeeze more out of past victims. And if they find data that was never deleted, or was never previously used for extortion, they’ve hit the jackpot.

Data theft is a common component of ransomware attacks, so it’s not unreasonable for companies to assume hackers stole data, even if there isn’t any evidence to suggest data theft at first. The worst thing to do is to jump to the conclusion that data hasn’t been stolen.

Ultimately, the length of time it takes for a company to notify people of a data breach is determined less by the state it’s located in, the ransomware strain it’s been hit with, or the sector it’s part of than by the company’s own response time and the investigations that follow.

What is clear from our data is that, even with improved knowledge and awareness of ransomware attacks and hackers’ motives, breach notification periods aren’t improving. If anything, they’re getting worse. 2024 may have seen an improvement but, as we’ve mentioned, we’re still seeing a lot of data breach notifications coming through for last year being reported on now. Alvin Independent School District, for example, just started notifying over 47,000 people of a breach stemming from an attack back in June 2024.

With this in mind, 2023’s average is probably the most accurate indication as to how long it is taking companies (on average) to notify people of breaches following ransomware attacks–just over five months.

Five months is a long time for people to be unaware their data has potentially been impacted in a ransomware attack. Not only that, but hackers often post victims to their data leak sites within a month of the attack taking place if ransom negotiations fail. Therefore, stolen data may have been on the dark web for four months or more before those whose data is compromised are any the wiser.

Methodology

All of our data is based on over 2,600 data breach reports following ransomware attacks from 2018 to present. These have been logged in our US ransomware tracker.

We haven’t used any breaches where the start date is unclear. Where only the notification date is known, the tracker records that date as the “breach date” as well. For example, a company may have filed a data breach notification in June 2024 without confirming when the breach actually occurred, so the breach is logged as having occurred in June 2024. We have left those records out of this comparison because the breach is likely to have occurred earlier than the notification.

Some breaches may be ongoing for months (and even years) before they’re discovered. For example, hackers may have entered a company’s system in January 2024 but systems may not be encrypted until May 2024, alerting the company to the breach. In these cases, January 2024 is classed as the breach date as this is when it started. This may add several months to the breach reporting time.
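As an added illustration of the methodology above, and of the HIPAA and state-deadline comparisons made earlier in the article, the following Python computes reporting lag the way this section describes: the breach date is the intrusion start rather than the discovery date, and records whose start was never confirmed (or was simply set equal to the reporting date) are excluded. It also checks each notice against a fixed statutory window. This is example code written for this page, not Comparitech’s tracker code; the sample records, the three-state deadline table, and the rule that every clock starts at discovery are constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Average calendar month length; lag is expressed in months because the article does.
DAYS_PER_MONTH = 365.25 / 12


@dataclass(frozen=True)
class BreachRecord:
    org: str
    sector: str                    # "business", "education", "government" or "healthcare"
    state: str                     # two-letter US state code
    strain: str                    # ransomware strain / gang claiming the attack
    breach_start: Optional[date]   # earliest known intrusion date; None if never established
    discovered: Optional[date]     # when the victim became aware (e.g. the encryption event)
    reported: date                 # date notification letters or filings went out


def lag_months(rec: BreachRecord) -> Optional[float]:
    """Reporting lag per the methodology above.

    The breach date is the start of the intrusion, not the discovery date, so
    dwell time counts against the victim. Records with no confirmed start, or
    whose start was simply set equal to the reporting date, are excluded (None).
    """
    if rec.breach_start is None or rec.breach_start >= rec.reported:
        return None
    return (rec.reported - rec.breach_start).days / DAYS_PER_MONTH


def usable(records: list[BreachRecord]) -> list[BreachRecord]:
    """Records that survive the exclusion rule."""
    return [r for r in records if lag_months(r) is not None]


def average_by(records: list[BreachRecord], field: str) -> dict[str, float]:
    """Mean lag (months, 2 d.p.) grouped by a record field: sector, state or strain."""
    groups: dict[str, list[float]] = defaultdict(list)
    for r in usable(records):
        groups[getattr(r, field)].append(lag_months(r))
    return {k: round(mean(v), 2) for k, v in groups.items()}


def bucket(lag: float) -> str:
    """Reporting-window bands like those in the article's year-by-year charts."""
    if lag <= 2:
        return "<=2 months"
    if lag <= 6:
        return "2-6 months"
    if lag <= 12:
        return "6-12 months"
    return ">12 months"


def distribution(records: list[BreachRecord]) -> dict[str, int]:
    """How many usable records fall into each reporting-window band."""
    return dict(Counter(bucket(lag_months(r)) for r in usable(records)))


# Fixed statutory notification deadlines in days. Constructed subset for illustration,
# not the full table of states with a statutory window.
STATE_DEADLINE_DAYS = {"CO": 30, "FL": 30, "SD": 60}
HIPAA_DEADLINE_DAYS = 60   # HIPAA Breach Notification Rule: no later than 60 days after discovery


def days_over_deadline(rec: BreachRecord) -> Optional[int]:
    """Days by which the notice overshot the applicable fixed deadline.

    Negative means on time; None means no fixed deadline applies (a state with no
    statutory window). Assumption: the clock starts at discovery for HIPAA and for
    the state laws modelled here, falling back to the breach start if discovery is unknown.
    """
    if rec.sector == "healthcare":
        deadline = HIPAA_DEADLINE_DAYS
    else:
        deadline = STATE_DEADLINE_DAYS.get(rec.state)
        if deadline is None:
            return None
    clock_start = rec.discovered or rec.breach_start
    if clock_start is None:
        return None
    return (rec.reported - clock_start).days - deadline


def overdue_orgs(records: list[BreachRecord]) -> list[str]:
    """Organisations whose notice exceeded a fixed deadline."""
    return [r.org for r in records if (days_over_deadline(r) or 0) > 0]


# Constructed sample records (fictional organisations). Dates mirror the kinds of
# cases discussed in the article; they are not taken from the tracker.
SAMPLE_RECORDS = [
    BreachRecord("Clinic A", "healthcare", "CA", "Unknown",
                 date(2020, 7, 1), date(2020, 7, 1), date(2023, 9, 1)),      # ~38-month delay
    BreachRecord("Retailer B", "business", "NJ", "LockBit",
                 None, None, date(2024, 6, 15)),                              # start never confirmed
    BreachRecord("School C", "education", "TX", "Pysa",
                 date(2024, 6, 15), None, date(2024, 6, 15)),                 # start = report date
    BreachRecord("Manufacturer D", "business", "CO", "Pysa",
                 date(2020, 12, 10), date(2020, 12, 10), date(2022, 10, 10)), # ~22-month delay
    BreachRecord("District E", "education", "SD", "Pysa",
                 date(2021, 6, 1), date(2021, 6, 1), date(2021, 7, 28)),      # inside 60 days
    BreachRecord("Firm F", "business", "NY", "ALPHV/BlackCat",
                 date(2022, 3, 1), date(2022, 3, 15), date(2022, 9, 1)),      # no fixed deadline
]

if __name__ == "__main__":
    print("usable records:", len(usable(SAMPLE_RECORDS)), "of", len(SAMPLE_RECORDS))
    print("average lag by sector:", average_by(SAMPLE_RECORDS, "sector"))
    print("reporting-window distribution:", distribution(SAMPLE_RECORDS))
    print("overdue against a fixed deadline:", overdue_orgs(SAMPLE_RECORDS))
```

Two of the six sample records are dropped by the exclusion rule before any averaging, which is the point of the methodology: a record whose only date is the notification date would otherwise register a lag of zero and drag every average down. The deadline check is deliberately separate from the lag figure, since the statutory clock runs from discovery while the article’s lag runs from the start of the intrusion.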

Data researcher: Charlotte Bond

