Ponemon: Mega breaches, data breach costs on the rise

The Ponemon Institute's latest study on data breach costs highlights the rise of what it calls "mega breaches," which are the worst types of security incidents in terms of costs and data exposed.

The "2018 Cost of a Data Breach Study: Global Overview," which was sponsored by IBM Security, details the cost enterprises incur after falling victim to a data breach and found that the average total cost of a data breach rose from $3.62 to $3.86 million -- a 6.4% increase -- with $148 as the average cost per lost or stolen record. This year's report also features data on the biggest breaches, which Ponemon and IBM have termed "mega breaches."

"Mega breaches are where there are more than one million records that have been breached," Limor Kessem, executive security advisor at IBM, told SearchSecurity. "And then we looked at up to 50 million [records exposed], although it could be up to infinity these days. Just last year there were 2.9 billion records exposed, and in 2016 there were over 4 billion records exposed, so a breach can be millions and hundreds of millions as well."

Given that this is the first year that Ponemon has included mega breaches in its annual report and that there were only 11 mega breaches that occurred, there was no data from past years to compare these findings to. However, the report found that a mega breach with the minimum of 1 million records exposed lead to an average total cost of $40 million, while a mega breach with 50 million records exposed had an average cost of $350 million.

 After collecting data from more than 2,500 separate interviews that were conducted over a 10-month period with 477 enterprises, the study concluded that mega breaches take 365 days to identify, which is almost 100 days shorter than typical breaches (266 days to detect).

The Ponemon study also discovered that "data breaches are the most costly in the United States and the Middle East and least costly in Brazil and India," given that the average total in the United States was $7.91 million. "The U.S. topped the chart at almost twice the international average," Kessem said. "Of course there are currency differences, but the big thing in the U.S. is loss of business."

Kessem further noted that when consumers were interviewed, 75% of them said they would not want to do business with a company that they didn't trust to safeguard their data.

"People in the U.S. are very aware of breaches," she said. "They topped the charts in awareness of how [data breaches] happen and how many happen and so on. In other words, we know breaches are happening and we wouldn't like to do business with those who can't protect our data and I think this was a major cost center for the U.S. in terms of data breaches."

In addition to the cost per record, companies also experience direct and indirect costs after a breach. For example, Canada has the highest direct costs, according to the report, but the U.S. had the highest indirect cost at $152 per capita, which includes "employee's time, effort and other organizational resources spent notifying victims and investigating the incident." The study also highlights the idea that breaches in the healthcare industry are the most expensive and have been consistently so for several years, according to Kessem, considering the amount of personal data healthcare companies possess. 

"Typically [healthcare companies] have a lot of personally identifiable information," she said. "They're also going to have payment information and contact information -- the more information is attached to an identity, the more it is going to cost."

Post-breach consequences are further addressed in the report, which states, "Organizations that lost less than one percent of their customers due to a data breach resulted in an average total cost of $2.8 million." However, the Ponemon study also noted that an incident response team has the ability to reduce the cost by as much as $14 per compromised record -- a small change that would greatly add up at the end of a breach.