The Average Cost of a Data Breach
For the 14th year, IBM and the Ponemon Institute have released their annual “Cost of a Data Breach” report, aggregating the costs reported by 507 organizations, from 17 industries, and 16 regions. IBM and Ponemon interviewed 3,211 individuals and collected data points regarding the number of client records stolen or lost in breaches, how the organization responded to the breach, and how their business did after the breach.
According to the report, data breaches cost $150 per record this year. Last year the average cost of a data breach was $148 per record.
The cost associated with a data breach can span anywhere from $1.25 million to $8.19 million depending on the country and the industry.
Healthcare is the most expensive industry when it comes to data breaches
The healthcare industry continues to be susceptible target for attackers when it comes to cyberattacks. Healthcare breaches are the most expensive and cost an organization $6.45 million per breach. For the ninth year in a row, healthcare organizations have had the highest costs associated with a data breach.
The average cost per breached healthcare record ($429) is more than double any other industry and substantially higher than the average $150.
Healthcare breaches can often take the longest to identify. It can pass up to 236 days before a breach is detected. Additionally, the healthcare industry, followed by the financial and pharmaceuticals industries, had the most significant difficulty retaining customers following a data breach.
The report breaks down every angle of a data breach, detailing how having mitigation in place can reduce the cost of a data breach. Having an incident response team or using encryption alone can reduce the cost, but by having both in place, a company could potentially decrease the cost of a breach by $720,000.
By having security automation deployed, companies experience around half the cost of a breach. Companies that have incident response teams and security automation deployed could save $1.23 million per data breach on average.
The most expensive country to experience a data breach
The most expensive country to experience a data breach are the United States.
In the U.S., the average cost of a data breach increased from $7.91 million in 2018 to $8.19 million in 2019. That’s more than twice the global average.
The average number of records per breach is the highest in the Middle East and India.
Some of the biggest data breaches
Data breaches can affect businesses of all sizes, and in deed, some big companies and organizations suffered attacks in the past. Although large companies survive data leaks, they suffer great material and reputational losses. The problem becomes bigger with small and medium-sized companies where the result of a data leak can be devastating to them and mean the end of their business.
We gathered just some of the biggest data leaks in the past.
U.S Office of Personnel Management
COST: $500 million to several billion
IMPACT: 4 million people, 21.5 million records
The United States Office of Personnel Management (OPM) reported that it had been the target of a data breach. Federal officials have described it as among the largest and most critical breaches of government data in the history of the United States. The data breach consisted of two separate, but linked attacks. The first attack was discovered on March 20, 2014, but the second attack was not found until April 15, 2015. FBI arrested a Chinese national suspected of helping the creation of the malware used in the breach.
COST: $242.7 million
IMPACT: 200+ million U.S. consumers and 110 million business contacts
Exactis, a marketing and data aggregation firm, was the subject of a data breach in which customer information ended up on the internet. The stolen data includes phone numbers, addresses, emails, and other information — like interests, habits, and the number of one’s children. Hackers frequently use this type of information to steal identities and break into accounts.
COST: minimal $470 million
IMPACT: 3 billion user accounts
Yahoo! suffered two significant data breaches. The records contained names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords. Yahoo! has been criticized for its late disclosure of the breaches and their security measures. The breaches impacted Verizon Communications’s plans to acquire Yahoo! for about $4.8 billion. The FBI officially charged four mean for the 2014 breach, including two that work for Russia’s Federal Security Service (FSB).
COST: $439 million to 4 billion
IMPACT: 148 million Americans, 209,000 credit card numbers
Equifax announced in September 2017 that its systems had been breached and sensitive personal data had been compromised. The data included names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers. The Equifax breach is unprecedented in scope and severity. There have been larger security breaches by other companies in the past, but the sensitivity of the personal information held by Equifax and the scale of the problem makes this breach unprecedented.
COST: $270 million to 4 billion
IMPACT: 60 million users
Epsilon – the largest permission-based email marketing company, suffered a data breach. The breach was a result of an “unauthorized entry” to Epsilon’s email system. Companies like Walgreens, BestBuy, CitiGroup, JPMorgan, Capital One and others were all affected indirectly, as they were clients of Epsilon. No personally identifiable information was obtained, but the emails they got could be used for spam and phishing attacks.
COST: $256 million
IMPACT: 94 million customers
Intruders gained access to TJX’s computer systems. The breach affected 94 millions of retail shoppers. Customers’ MasterCard and Visa cards had been compromised. Debit card PINs weren’t compromised, but hackers gained access to unencrypted magnetic stripe data. Several banks sued to recoup losses related to the breach.
COST: $200 million to $1 billion
IMPACT: 500 million customers, 383 million guest records, 18.5 million encrypted passport numbers
Marriott suffered a massive data breach. Information accessed included payment information, names, mailing addresses, phone numbers, email addresses and passport numbers. Details included 9.1 million encrypted payment card numbers and 385,000 valid card numbers in addition to 5.25 million unencrypted passport numbers.
Sony Playstation Network
COST: $171 million to $2 billion
IMPACT: 77 million accounts
Sony suffered a data breach that exposed the names, addresses and other personal data of their users. An “Illegal and unauthorized person” got access to people’s names, addresses, email addresses, birthdays, usernames, passwords, logins, security questions and more for two days. Sony stated that it saw no evidence that credit card numbers were stolen, but advised users they credit card numbers and expiration date may have been obtained.
COST: $148 million
IMPACT: 600,000 Drivers
Uber suffered a breach and concealed the hack for more than a year. The hackers were paid $100,000 by Uber to delete the data and keep the breach quiet. Driver’s license numbers of around 600,000 drivers in the U.S., names, email addresses, and mobile phone numbers were stolen. Uber agreed to pay $148 million in connection with this data breach and subsequent cover-up.
COST: $100 million to $500 million
IMPACT: 26.5 million people
A Veterans Affairs data analyst took home a laptop and an external hard drive containing unencrypted information on 26.5 million people. The laptop and hard drive were stolen in a burglary of the analyst’s home. The employee admitted that he had been routinely taking home such sensitive data for three years. The stolen data included names, Social Security numbers, dates of birth, and some disability ratings.