Hidden Costs of Data Breaches Increase

An IBM Security study calculated the effects of mega breaches ranging from 1 million to 50 million records lost, and projected those breaches cost organizations between $40 million and $350 million.

Sponsored by IBM Security and conducted by the Ponemon Institute, the 2018 Cost of a Data Breach Study found the average cost of a data breach globally is $3.86 million, a 6.4% increase from the 2017 report. For the past 13 years, the Ponemon Institute has examined the costs associated with data breaches of fewer than 100,000 records, finding that those costs have risen steadily over the course of the study.

Based on interviews with nearly 500 companies that experienced a data breach, the study analyzed hundreds of cost factors surrounding a breach, from technical investigation and recovery to notifications, legal and regulatory activities, and the cost of lost business and reputation.

Financial services remained the second most expensive industry for a data breach, costing organizations $206 per lost or stolen record, considerably more than the cross-industry average of $148. According to the study, heavily regulated industries such as financial services experienced a much higher cost per record than other industries, and 2018 has already seen major ransomware attacks and incidents of data theft among leading financial organizations.

Overall, the study found that hidden costs in data breaches, such as lost business, negative impact on reputation and employee time spent on recovery, are difficult and expensive to manage. For example, the study found that a third of the cost of mega breaches (over 1 million lost records) comes from lost business.

This year’s report used statistical modelling to project the cost of breaches ranging from 1 million to 50 million compromised records.

Key findings included:

  • The average cost of a data breach of 1 million compromised records is nearly $40 million. At 50 million records, the estimated total cost of a breach is $350 million.
  • Most of these breaches (10 out of 11) stemmed from malicious and criminal attacks, as opposed to system glitches or human error.
  • For mega breaches, the biggest expense category was costs associated with lost business, estimated at nearly $118 million for breaches of 50 million records.
  • The average time to identify a data breach: 197 days; and the average time to contain a data breach once identified: 69 days.
  • Companies that contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days. The number of lost or stolen records also affects the cost of a breach, at an average of $148 per lost or stolen record.

Several factors increased or decreased this cost.

Having an incident response team was the top cost-saving factor, reducing the cost by $14 per compromised record. Artificial intelligence reduced the cost by $8 per lost or stolen record. Companies with a “rush to notify” had a higher cost by $5 per lost or stolen record.

The analysis found organizations extensively deploying automated security technologies saved over $1.5 million on the total cost of a breach.

One major aspect affecting the cost of a data breach in the U.S. was the reported cost of lost business, which was $4.2 million – more than the total average cost of a breach globally, and more than double the “lost business costs” of any other region surveyed.