~70%
Estimated share of breaches that are unreported, hidden, or hard to attribute
Why so many slip through
▸ Threshold loopholes. Most disclosure laws kick in only above a victim count (e.g. HIPAA's 500-record floor). Smaller compromises stay private.
▸ Quiet ransom payments. Companies pay attackers and never file a notice — protecting reputation, stock price, and customer trust.
▸ Detection lag. IBM puts the average dwell time at 277 days. Many breaches are caught months or years after the fact — often too late to attribute or report meaningfully.
▸ Third-party blind spots. Vendor and supply-chain compromises are routinely contained internally and never named.
▸ Jurisdiction gaps. Many countries have weak or no mandatory disclosure laws. Global incident counts skew low by design.
▸ Dark-web silence. Stolen data circulating in private forums or unindexed leak sites is rarely traced back to its source organization.
▸ Misclassification. Organizations call something an "incident" rather than a "breach" to avoid the disclosure trigger entirely.
Verizon DBIR explicitly notes its dataset is biased toward what gets reported and investigated. IBM Cost of a Data Breach 2024 reports a 277-day mean detection-to-containment window. The map above shows confirmed, geocoded incidents only — the iceberg below the waterline is much larger.