An analysis about one specific data breach takes the risk of being anecdotal. We do not want to report every single data breach that a company has faced. This kind of event is only useful if it serves to illustrate a broader issue, e.g. a history of repeated dishonest behaviour, neglect, and lack of regulation from the company to many of its clients/employees/users.
Unless the data breach and underlying wrongdoing are so significant that it would in itself justify a dedicated analysis, you should broaden the impact analysis to the larger issue, not just the specific data breach. Read more here on finding the right granularity level.
Beyond negatively impacting the company, data breaches and cybersecurity attacks have short and long-term consequences on employees/clients/consumers’ lives. They can result in identity theft, fraudulent credit card activity, and on a more interpersonal level, emotional challenges such as stress.
In your analysis, try to go beyond reporting the data breach(es) and measure the social impact it has had on individuals. You can use studies as proxies. Learn more in the article Step 5: Assess scale and value.
Also, describe the scale of the impact by taking into account:
1/ The breadth of the impact
Is the impact local, national, or global?
How many people are affected? Thousands? Millions? Billions?
As a rule of thumb, if it affects at least 1 million people, it is considered significant. Although, please bear in mind that this is not always the case, as, at times, it could be regarded as unfair to expect an impact to touch that many lives. Thus, this is flexible.
2/ The depth of the impact
Is the life of people concerned deeply affected, or does the issue just marginally impact them?
Are the changes brought by the issue profoundly changing society?
3/ The persistence of the impact