The Destroyed by Breach project now has a website
Finally, after existing as a Google Sheet for nearly a decade
Hi folks! Short one today.
In the mid-2010s, I was inspired to investigate companies that had gone out of business as the result of a breach. I heard this statistic that just felt wrong to me.
“60% of small businesses will close up within six months of a cyber attack”
First off, 60% seemed like a ton of businesses. The vast majority of businesses in the world are small businesses, so 60% would suggest millions of businesses going out of business because of breaches every year! The problem is, we don’t see anywhere near that many breaches every year - there literally are not enough cybercriminals to pull off that many heists. The 2025 Verizon DBIR tracked “22,052 real-world security incidents, of which 12,195 were confirmed data breaches.”

And wouldn’t we hear about it? Surely the media would be covering such a wide-scale catastrophe.
According to the SBA: “There are 31.7 million small businesses in the U.S. 81 percent, or 25.7 million, have no employees (termed ‘nonemployers’) and 19 percent, or 6 million, have paid employees. There are 20,139 large businesses.”
“Within six months of a cyber attack” also sounded odd. How would you know they were closing up because of the cyber attack? The vast majority of small businesses close up over a short period anyway, if I recall correctly (feel free to check me on this, I didn’t look up this stat).
The List
So I started a list. It began with web searches. Then I shared my findings. Other folks helped me discover more companies that had gone out of business from a breach, and the list grew. There are currently 33 companies on the list, though there are more I’m still investigating.
Here’s the new site: destroyedbybreach.com
The big takeaway here is that it’s extremely rare to see a company go out of business because of a cybersecurity incident or breach. It does happen, but the victim is almost always a small-to-mid-sized business that doesn’t have the cash flow to continue, or suffers reputational damage too great to continue. Large companies have the insurance, size, and momentum to work through a breach and carry on. Smaller companies don’t.
What about the stat?
The stat blew up in 2011, when the National Cyber Security Alliance published it in a short article. They quickly retracted it and apologized, but the myth had already taken off. Every few years, they continue to ask people to stop using the stat, to no avail. It still pops up everywhere.
In 2017, Joseph Marks, a reporter for NextGov at the time, investigated the origins of the statistic and discovered that the origin was media personality Ramon Ray.
“Ray told Nextgov he believes the figure was provided by a cybersecurity expert he interviewed for the story but cannot recall the expert’s name more than five years later.”
Ray has continued to use the fake statistic he invented, as recently as 2021. People love it - it’s a great source of fear that feeds a narrative that some folks in cybersecurity sales and marketing are quick to jump on and use in their messaging and reports.
Help out Destroyed by Breach
If you come across a case that you think should be on the list, use the submission form on the website and let me know!
In the future, I’m going to start writing up some of the stories of the companies on this list. Let me know if you’d be interested in more of those on this Substack in the future.


