
What data breaches really cost

What hits the headlines might be sobering stuff, but it isn’t the whole story.

However, to get the latest horror stories on the table first, let’s take a look at the last month or so. My thanks to Bloomberg BusinessWeek, SF Gate, Forrester and other news feeds, on which I have drawn freely.

Hackers made off with the personal details of 1.3 million Orange France customers. Two months ago data was stolen from 0.8 million customers via its My Account web page. Orange has started to push into mobile money recently, which in these circumstances looks brave.

The SEC was told by the US Government Accountability Office to strengthen its controls to protect information against misuse, fraudulent use, improper disclosure, manipulation or destruction. The GAO found that the SEC did not “consistently protect its system boundary from possible intrusions”. It found fault with a new system configuration, software patching and disaster recovery planning. This looks a little clumsy for two reasons. Firstly, the SEC plays a key role in the securities markets and inevitably relies heavily on computer systems to do this. Secondly, the SEC had just warned US broker-dealers and investment advisors that it would be checking up on the adequacy of their cyber security arrangements.

The ‘Heartbleed’ vulnerability, said by some to be the worst internet breach of all time, resulted in the US Federal Financial Institutions Examination Council warning banks to apply patches to systems, services, applications and appliances using OpenSSL and to upgrade systems “as soon as possible”. Forrester looked at social media sentiment in the week following the news of the breach and found a good deal of consumer angst mixed with resignation. There’s a message in there for the world’s businesses. There is also plenty more shroud-waving commentary on the practical difficulties of fixing the problem. One commentator advised that fixing Heartbleed requires online companies not only to update the software that contains the bug, but also to change their own internal “keys” and the security certificates used in encrypted traffic, and observed: “The first step is relatively simple and quick. The second isn’t”. Others stepped forward to tell their customers what to do. Tumblr’s notice read: “This might be a good day to call in sick and take some time to change your passwords everywhere - especially your high-security services like e-mail, file storage and banking, which may have been compromised by this bug.” I’d be surprised if this one did not rumble on for a long time yet.

Having already claimed the scalp of US retailer Target’s CIO, the massive pre-Christmas data breach took a second this week: the CEO’s. In case this is new to you, the data from some 40 million cards was compromised. The new CIO talked of the ‘tremendous opportunity’ the business now had to sort out its security issues, as the business unveiled outline plans to incorporate Mastercard chip and PIN technology in all of its credit and debit cards. But the pain just doesn’t stop. The US Consumer Bankers’ Association estimates the Target breach has so far cost US banks over $172 million in re-issued plastic cards. A research house, Jefferies, predicts a $1 billion bill, based on its view of the resultant fraud on the compromised card accounts. And analysts have not looked kindly on the situation, one calling it ‘the final straw’.

Now, before we all limp off the field hurt, take some crumbs of comfort from the Ponemon Institute’s ‘2014 Cost of Data Breach Study’, which has just hit the streets.

 As I suggested at the start, major breach stories are not the whole story.

That said, there appear to be an awful lot of smaller breaches, wherever you look. And they’re getting more costly to handle.

This study is mighty robust: 314 companies from 10 countries across the Americas, India, the Middle East, Europe and Asia. It is sectorally well spread: Financial, Public, Retail, Services, Consumer, Technology, Transport, Energy, Comms, Hospitality, Media, Pharma, Healthcare, Research and Education (phew). And cost estimates come from 1,690 executives across the sample.

So, what are the headlines?

 Every business in the sample had suffered a data breach, bar none.

 Average data breach cost is $3.5m. Trend: costs going up.

Average detection and escalation costs: between $0.3m – $1.3m per breach.

Average notification costs: between $0.02m – $0.5m per breach.

Average post-data-breach costs: between $0.4m – $1.6m per breach.

Average lost business costs: between $0.25m – $3.3m per breach.

 Average number of breached records: 18,600 – 20,100 (rounded).

Indirect costs account for between 40% and 67% of post-data-breach costs.

 Average cost per record by industry: $100 (Public) to $359 (Healthcare). Financial is fourth highest (and sectorally huge) at $207.

Breaches involving <=10,000 records are more common than breaches of >100,000 records. A breach, by the way, is defined as the loss, theft or compromise of records. A compromised record is one which identifies the individual whose information has been lost or stolen.

Average per-record cost of data breach: $136 – $201 depending on geography. Germany and the US suffer the highest costs.

 Malicious and criminal attacks are the most common cause of data breach.

Malicious and criminal attacks cost the most at $159 per record. System glitches $126, human error $117 per record.

 The severest threats are considered to come from sustained probes or malicious code. These are expected to increase more steeply than other forms of threat.

Having a strong security posture, an incident response plan and a CISO reduces the cost of data breaches, by between $7 and $14 per record.

 Business continuity management cuts the cost as well: $9 per record avoided.

Breach remediation costs are hefty: sorting out lost or stolen devices, handling third party involvement, and notifying regulators, users and other stakeholders cost between $10 and $16 per record.

 Abnormal post-breach customer churn follows data breaches, although this varies by geography. Certain EU countries experience the highest fallout.

Based on the whole sample and with some clever statistical analysis, the probability of a data breach of 10,000+ records is 22%. In some BRIC countries it’s 30%, in some EU countries just 2%.

 The more data that is lost, the higher the total cost of the data breach.

 The higher the rate of resulting customer churn, the higher the cost per record.

Post-breach customer churn is significantly higher in Pharma, Financial and Healthcare than in any other sector.

 Spending on security in the next 12 months is considered to be about half of what is needed.

Businesses with strong security in place are most likely to have cyber-insurance. Those with weak security are less likely to be insured.

Well, I guess it’s another way to choose your next bank.
