Based on a study of 350 companies in 11 countries, a data breach costs a company an average of $3.79 million, or $154 for every lost or stolen record. The amounts represent an increase from the overall average cost of $3.52 million in 2014 and a per-record cost of $145.
Massive data breaches such as the estimated 56 million credit and debit card numbers stolen from Home Depot Inc. (NYSE: HD) in 2014 and the 40 million exposed by Target Corp. (NYSE: TGT) in the attack against the company during the 2013 holiday shopping season cost the companies far more than that average. One estimate of the cost to Home Depot came in at $10 billion by 2020 (an average of $177 per lost record).
Over the next 24 months, companies and organizations in Brazil and France are the most likely to experience a data breach involving a minimum of 10,000 records, while organizations in Canada and Germany are the least likely to have such a breach. The somewhat good news is that any company is more likely to have a breach involving 10,000 or fewer records (22% chance) than a breach involving more than 100,000 records (less than 1% chance).
The data was released earlier this week by International Business Machines Corp. (NYSE: IBM) and the Ponemon Institute, a data security consulting and research firm. All 350 companies included in the study have experienced a data breach at some time, with the breaches ranging from a low of about 2,200 compromised records to a high of more than 101,000 breached records.
The research notes three major reasons for the higher costs in 2015:
- Cyberattacks occur more frequently and the cost to repair the damage is higher.
- The cost of the lost business is higher while repairs are being made.
- Costs to detect breaches are higher.
In the United States, the cost of a data breach averages $6.5 million, the highest in the world, followed by Germany, which has an average total cost of $4.9 million. The lowest costs are posted in Brazil ($1.8 million) and India ($1.5 million).
The cost of a data breach to a health care organization could be as much as $363 per record. From 2014 to 2015, the retail industry saw its costs for a data breach rise from $105 to $165 per lost or stolen record.
Data breaches are most often the result of malicious or criminal attacks (47% of the time), with system glitches accounting for 29% of data breaches and human error accounting for the remaining 25%. More than half of all breaches are the result of a system glitch or human error in all but three locations: Canada, Germany and the combined Saudi Arabia-United Arab Emirates region. In the United States, malicious or criminal attacks account for 49% of data breaches.