Average Cost of Data Breach Rises to $3.79 Million

By: Arieanna Schweber | 6/12/2015

The Ponemon Institute and IBM recently released the 2015 Cost of Data Breach Study which indicates that costs associated with data breaches continue to rise. The cost of a data breach in 2014 was $154 per record, up from $145 in 2013, a 6% increase. The average cost of a data breach to an organization increased 23% over the past 2 years to $3.79 million. In the case of mega-breaches, those which affected millions of people, the costs are even higher (and are not reflected in these average costs).

The vast number of data breaches is helping to bring to light the fact that IT is not to blame for data breaches; instead, everyone in the organization has a role to play in data protection:

“High-profile data breaches are a wake-up call to enterprises everywhere. However, they pose the question: Why did IT fail to stop the data breach? The answer is that it’s an enterprise-wide issue, not just a technology problem,” notes Larry Ponemon.

This is the 10th year of this report, analyzing actual data breach experiences from more than 350 organizations in 11 countries. The report helps highlight the impact of data breaches, which has more wide-reaching and long-lasting implications thanks to reputational damage and class-action lawsuits; lost business is the most severe financial consequence suffered post-breach.

The report also highlights the shifting impacts of breach sources and industry trends. Just as the number of breaches per industry differs, so too does the average cost per industry, with the public sector having the lowest costs and the retail and healthcare industries suffering the highest costs. Indeed, the costs for the healthcare industry are more than twice the average for all sectors, reflecting the high value of medical data and its long shelf-life on the black market.

Key highlights from the study:

  • The average cost of a data breach per organization is now $3.79 million (up from $3.5 last year) or $154 per record
    • The cost per lost or stolen record is $68 in the public sector, $121 in transportation, $165 in the retail industry and $363 in healthcare
  • The cost of data breaches due to malicious or criminal attacks is the highest source cost. It has increased from an average of $159 to $174 per record in the past year
  • It takes an average of 256 days to spot a data breach caused by a malicious attack and 158 days to spot one caused by human error
  • The costs associated with a data breach include: hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims, lost business, class-action lawsuits, and costs associated with forensic investigations, assessments and incident response team management
  • Cyberattacks from well-funded groups are more common, and harder to defend against since non malicious actions lead to malicious attacks - i.e. people are still the root cause of data breaches

According to the report, there are two major actors that affect the financial consequences of a data breach: executive involvement (C-level and board) in their organization’s IT security strategy and response to data breaches and the purchase of cyber insurance. Other ways to cut costs include having an incident response team, training employees, using encryption and business continuity management.

As the report notes, tackling data security as a “business challenge,” not an IT challenge, aligns with our recommendation to take a holistic approach to data security. Support data protection with people, process and layered technology solutions. Ensure data is protected and that you can prove it was protected through the use of persistent technology. Have a way to manage and secure all endpoints, with automatic alerts to detect and respond to anomalies faster, further mitigating the cost of a data breach. To learn more about how we can help reduce the costs associated with a data breach, visit our website or read our whitepaper, When Security Breaches Don’t Have to be Reported.

Financial Services