IBM security study: Mega data breaches cost $40 million to $350 million

The average cost of a data breach is $3.86 million, according to a study by IBM Security and Ponemon Institute. But the cost of “mega breaches,” where 1 million to 50 million records are lost, can run from $40 million to $350 million.

IBM Security and Ponemon conducted interviews with nearly 500 companies that experienced data breaches, and they collected information on hundreds of cost factors surrounding a breach, including technical investigations and recovery, notifications, legal and regulatory requirements, cost of lost business, and loss of reputation.

Overall, the study found that hidden costs in data breaches — such as lost business, negative impact on reputation and employee time spent on recovery — are difficult and expensive to manage. For example, the study found that a third of the cost of “mega breaches” (over 1 million lost records) were derived from lost business.

At $3.86 million, the average cost of a data breach globally is up 6.4 percent from the 2017 report. For the first time, the study also calculated the costs associated “mega breaches.” A breach of 1 million records costs $40 million, while a 50-million-record breach costs $350 million.

“While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services, in a statement. “The truth is there are many hidden expenses which must be taken into account, such as reputation damage, customer
turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.”

In the past five years, the amount of mega breaches (breaches of more than 1 million records) has increased from nine mega breaches in 2013 to 16 mega breaches in 2017. Due to the small amount of  mega breaches in the past, the Cost of a Data Breach study historically analyzed data breaches of around 2,500 to 100,000 lost records.

Based on analysis of 11 companies experiencing a mega breach over the past 2 years, this year’s report uses statistical modelling to project the cost of breaches ranging from 1 million to 50 million compromised records. The vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error).

The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days).

For mega breaches, the biggest expense category was costs associated with lost business, which was estimated at nearly $118 million for breaches of 50 million records – almost a third of the total cost of a breach this size. IBM analyzed the publicly reported costs of several high-profile mega breaches, and found the reported numbers are often less than the average cost found in the study. This is likely due to publicly reported cost often being limited to direct costs, such as technology and services to recover from the breach, legal and regulatory fees, and reparations to customers.

For the past 13 years, the Ponemon Institute has examined the cost associated with data breaches of less than 100,000 records, finding that the costs have steadily risen over the course of the study.

For the 8th year in a row, healthcare organizations had the highest costs associated with data breaches — costing them $408 per lost or stolen record — nearly 3 times higher than the cross-industry average ($148).

“The goal of our research is to demonstrate the value of good data protection practices, and the factors that make a tangible difference in what a company pays to resolve a data breach” said Larry Ponemon, chairman and founder of Ponemon Institute, in a statement. “While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer
technologies as well as proper planning for incident response, which can significantly reduce these costs.”