How Long Does a Data Breach Go Undetected? The Numbers Your Board Needs to See
Most companies don’t discover a data breach when it happens.
They find it later. Sometimes weeks later. Sometimes months.
In many cases, attackers have already spent a long time inside the system before anyone notices.
According to IBM’s Cost of a Data Breach Report, it takes an average of 241 days to identify and contain a breach. That’s close to eight months.
For leadership teams, that number matters because every extra day increases financial risk, legal exposure, and reputational damage.
Key Data Breach Statistics
241 days average time to identify and contain a breach
279 days average for healthcare breaches
$4.44 million average global breach cost
$1.9 million saved when AI-powered security tools are used
147 million people affected in the Equifax breach
4 years undetected in the Marriott / Starwood breach
How Long Does a Data Breach Stay Undetected?
On average, it takes 241 days to identify and fully contain a breach, according to IBM’s 2025 global research.
That number includes:
time to detect the breach
time to investigate what happened
time to contain the threat
time to restore normal operations
In more complex environments such as healthcare and multi-cloud systems, the timeline can be even longer.
For example, healthcare breaches took an average of 279 days to detect and contain.
That means attackers may have access to systems for months before a company fully regains control.
What Happens During Those 241 Days?
This is the part many non-technical leaders underestimate. A breach is not usually a single event. It often unfolds in stages:
1. Initial access
Attackers gain entry through phishing emails, stolen credentials, weak passwords, or unpatched vulnerabilities.
2. Lateral movement
Once inside, they move from one system to another looking for valuable data.
This may include:
customer records
payment information
employee data
internal documents
financial reports
intellectual property
3. Data extraction
Sensitive information is copied, downloaded, or transferred outside the company.
4. Persistence
Attackers may create hidden backdoors so they can come back even after passwords are changed.
This is why delays are so dangerous. The longer the breach stays hidden, the more time attackers have to deepen the damage.
Case Studies: How Long Major Breaches Took to Detect
Equifax (2017)
One of the most widely known data breaches in history. Hackers exploited a known vulnerability in May 2017, but the breach was only discovered in late July.
That means the attackers remained inside Equifax’s systems for around 76 days before detection.
Consequences
147 million people affected
social security numbers exposed
birth dates and addresses compromised
major regulatory and legal fallout
$700 million settlement
This is a perfect board-level example of how even a few months can create massive damage.
Marriott / Starwood (2018)
Attackers reportedly had access to Starwood’s reservation database from 2014 until discovery in 2018.
That is roughly four years undetected.
Consequences
around 500 million guest records
passport numbers exposed
travel details compromised
significant regulatory fines
major trust damage in the hospitality sector
Yahoo (2013–2014)
Yahoo’s breach was disclosed years after the initial compromise. Some incidents reportedly remained undiscovered for years, affecting billions of accounts.
Consequences
usernames and passwords exposed
reduced acquisition value during the Verizon deal
severe reputation damage
long-term customer trust loss
This is a powerful example of how delayed discovery can directly affect company valuation.
Expert Insight
“A data breach that remains undetected for months is not just an IT issue. It becomes a business continuity, compliance, and reputation risk.”
What Does a Delay Cost Your Company?
This is the number boards care about most. IBM reports that the global average cost of a data breach is $4.44 million.
That figure includes:
legal fees
regulatory fines
customer notifications
downtime
lost revenue
PR and crisis management
customer churn
Breaches involving shadow AI added $670,000 more to average costs.
Organizations using AI-powered security tools saved $1.9 million per breach on average.
That is the difference between proactive investment and reactive damage control.
Expert Insight
“Every additional day an attacker stays inside your systems increases the likelihood of lateral movement, data loss, and regulatory exposure.”
Why Do Breaches Go Undetected for So Long?
Usually, it comes down to visibility gaps. Common reasons include:
Poor monitoring
Companies are not completely unaware of what is happening in their systems, but they often lack a clear and consistent view across all environments. Activity is spread across multiple tools, and important signals can get lost among routine alerts.
Alert fatigue
When security teams are dealing with a high volume of notifications, it becomes harder to identify what actually needs attention, which increases the chances of something being missed.
Weak access controls
Access control is another factor. In many organizations, permissions are broader than they need to be, which makes it easier for attackers to move between systems once they gain initial access. This is not a small issue. IBM has reported that 97% of organizations affected by AI-related breaches lacked proper access controls, which shows how common this gap is.
No governance policy
There are also gaps in governance. Many companies still do not have clearly defined policies around newer technologies, particularly AI tools, which creates additional blind spots. In the same report, 63% of organizations said they did not have formal AI governance policies in place, making it harder to monitor and manage risk effectively.
Unpatched systems
At the same time, basic issues such as unpatched systems continue to play a role. Known vulnerabilities are sometimes left open for extended periods, giving attackers a straightforward way in.
Taken together, these gaps make it possible for breaches to go unnoticed for far longer than expected, which is why detection time often becomes the real risk rather than the initial point of entry.
What Should Leadership Be Asking?
How quickly can we detect unusual activity?
What is our mean time to detect?
Do we have incident response playbooks?
Are backups tested regularly?
Do we have visibility across cloud and on-prem systems?
How are third-party vendors monitored?
What controls exist for AI and shadow IT?
How Can Companies Reduce Breach Detection and Response Time?
There is no single fix for reducing breach detection and response time, because delays usually come from a combination of smaller gaps rather than one major failure. The focus is not on eliminating risk entirely, but on shortening the time between something going wrong and someone recognizing it early enough to act.
One of the biggest factors is visibility. Teams need a clear view of what is happening across systems, rather than relying on disconnected tools and scattered logs. When activity, alerts, and user behaviour are spread across multiple platforms, it becomes much harder to identify unusual patterns early, which is often where valuable time is lost.
Access control also plays a significant role. In many cases, breaches escalate because attackers are able to move too easily between systems after gaining initial access. Limiting permissions to only what is necessary helps contain the impact, even if a system is compromised, and reduces the time needed to understand and isolate the issue.
Another common issue is response readiness. Detecting a breach is only the first step, and delays often happen because teams are unsure how to respond or who should take ownership. Having a clear incident response plan, along with regular testing, helps reduce hesitation and ensures that actions are taken quickly when something goes wrong.
At the same time, too much noise can slow everything down. When teams are dealing with a high volume of alerts, it becomes difficult to separate what is important from what can be ignored. Improving how alerts are prioritized and focusing on meaningful signals allows teams to respond more effectively and avoid missing critical issues.
For companies that do not have dedicated security leadership, these gaps are harder to identify and address internally. In such cases, bringing in fractional cybersecurity expertise can help structure monitoring, define response processes, and provide ongoing oversight without the need for a full in-house function.
Conclusion
For most organizations, the question is not whether a breach will happen, but how long it will take to detect it.
The difference between identifying a breach within a few days and discovering it months later can significantly change the outcome. What might have been a contained incident can quickly turn into a much larger issue, affecting customers, operations, and overall business risk.
That is why detection time matters. It reflects how well a company understands what is happening inside its own systems and how quickly it can respond when something goes wrong.
For leadership teams, this is one of the most important indicators to pay attention to, because the longer a breach remains unnoticed, the harder it becomes to control its impact.
Frequently Asked Questions
On average, organizations take 241 days to identify and contain a breach, according to IBM’s latest report. This means many incidents remain active for several months before full resolution.
Breaches often remain hidden because of limited monitoring visibility, alert fatigue, weak access controls, and fragmented cloud environments.
Attacker dwell time is the amount of time a cybercriminal remains inside a system before being discovered and removed.
Undetected breaches can lead to stolen customer data, financial loss, regulatory fines, operational disruption, and reputational damage.
A fractional CISO is a part-time cybersecurity leader who helps companies manage risk, define security processes, and guide decision-making without being a full-time hire.
At Ancore, we work with companies on an ongoing basis to improve how security is structured and managed. This includes areas such as risk assessments, incident response planning, AI security and governance, and helping leadership teams gain better visibility into cybersecurity risk.