The Average Cost of a Data Breach


Data breaches are not a new phenomenon - but the prevalence of new technology and criminal attacks means the actual cost of a data breach could be soaring for organizations.

In this article, we’ll look at common targets of these breaches, the effects this can have on companies in these sectors, and the true financial cost of data breaches.


What is a data breach?

A data breach occurs when confidential information is obtained without authorization, through suspect and often illegal practices. Data breaches can occur as a result of malicious hackers, human error or system glitches.

This results in the loss of sensitive data which could contain personal, professional or financial information - the number of records lost can escalate into the millions. We’ve previously explored how data breaches have changed over time.

With increasingly severe consequences for organizations who fall victim to a data breach - from the financial effects to reputational damage - the imperative for an organization to protect itself against data theft has never been greater.

Common targets

Data breaches usually fall into one of the following categories. The information is usually protected by privacy laws designed to protect consumers and organizations, so obtaining the data by illicit means is the only solution available to hackers and criminals.

  • Personal information. While the exact nature of the information in this category can vary, a broad definition is that the data usually relates to details that can help identify a person. Examples: Full name, Identification number (such as a Passport or Social Security Number), Date of birth, Telephone number.
  • Financial information. Data in this category varies from information held by the banking sector itself, to an individual’s account and card data. Examples: Credit scores, bank account information, credit or debit card details.
  • Health information. Privacy regulations aim to protect patients from unauthorized release of their healthcare records, as well as associated information such as payment details. Examples: Patient records, medication history, healthcare plan information, Medicaid identification numbers.
  • Intellectual property. This can include product designs or ideas, for which an individual or business may have applied for a patent or copyright. Examples: Product drawings or blueprints, manuscripts, inventions.

These are broad categories, but data breaches can involve several types of compromised records - ranging from the unauthorized release of legal or redacted documents, to confidential data from research conducted by an organization, to one of the most commonly breached types of record: security credentials such as passwords or PINs (we reviewed the 10 biggest data breaches of all time in our recent article).

Data breach effects

A data breach has multiple negative consequences for an organization. Beyond the potential financial costs (either as a result of compensation or legal fees), companies may also suffer reputational damage from negative press stories and consequently lose business.

As one example, Heartland Payment Systems fell victim to a data breach in 2008 which resulted in the loss of over 100 million debit and credit card numbers. The company ended up accruing almost $140 million in expenses to cover compensation claims and fines, meaning the data breach (for which only one individual is serving prison time) had a significant financial impact.

In the 2006 TJX data breach, in which thieves stole more than 45 million records relating to credit and debit card numbers, costs escalated from an original estimate of $25 million to $256 million. The costs included lawsuits, investigation and computer system upgrades as a direct result of the breach. The disclosure had a negative impact on TJX’s stock price.

In addition, the reputational issues associated with a data breach have a quantifiable impact on a company’s bottom line. An annual report by the Ponemon Institute in conjunction with IBM Security found that, “...organizations that lost less than one percent of their customers due to a data breach resulted in an average total cost of $2.8 million. If four percent or more was lost, the average total cost was $6 million, a difference of $3.2 million.”

What is the global average cost of a data breach?

For the 2018 Cost of a Data Breach Study, the Ponemon Institute spoke with more than 2,200 IT and data protection professionals from 477 companies that had experienced a recent data breach. Their findings aimed to provide a global overview of data breaches. The evidence showed that breaches can have significant financial repercussions:

  • Worldwide, the average total cost of a breach was $3.86 million. This was a 6.4% increase on the global average from the previous year.
  • The average cost per lost or stolen record was $148.
  • The United States had the highest per capita cost of a data breach at $233 - contrasting with India ($68) and Brazil ($67) at the other end of the scale.
  • The average total cost of a data breach in the United States was $7.91 million.
  • The highest per capita data breach costs were in the healthcare and financial industries, where regulation and compliance are strict. Per capita, healthcare saw a data breach cost of $408, with financial services at $206.
  • The average time to contain a data breach was 69 days. Companies that contained a breach in less than 30 days saved over $1 million compared to those that took longer than 30 days.
  • A mega breach - defined as a data breach involving more than one million records - yields an average total cost of $40 million.

The chart below shows how, when looking at the average cost of a data breach for last year, organizations in the United States are more adversely affected by data breaches than those in other countries and regions.


Data breach resources

This article highlights that protecting your organization against the negative consequences of a data breach is vital, especially as hackers are utilizing every resource at their disposal to obtain sensitive information.

There are numerous guides available on the Internet offering payment security tips, advice on how to protect yourself against cyber attacks, and even calculators so you can estimate the cost of a data breach in your own organization. We’ve summarized a few of the most useful resources here.

  • IBM Data Breach Calculator - explore the varying costs of a data breach for organizations in different regions and industry sectors.
