The Sony Pictures data breach in 2014 was a headline-grabber, exposing not only employee records and financial statements, but entire unreleased movies and a trove of snarky emails about studio executives and movie stars. Some 47,000 records were breached, and Sony executives estimated the investigation and remediation costs would be as much as $35 million.
Shockingly, that wasn’t close to the worst breach of the year — it’s not even in the top 20. Based on information gleaned from the massive data-breach database maintained by Privacy Rights Clearinghouse, the data-visualization firm Silk ranks the Sony breach as only number 33 on the list of biggest hacks of 2014. eBay, J.P. Morgan Chase, Home Depot, Community Health Systems and Michaels Stores ranked as the top five.
The recent release of the annual Cost of Data Breach Study by IBM and the Ponemon Institute confirms that it was an exceptionally bad year. The benchmark study of breaches involving 350 companies spanning 11 countries found that the average consolidated total cost of a data breach is $3.8 million, representing a whopping 23 percent increase over the previous year.
The study also found that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased 6 percent from a consolidated average of $145 to $154. Healthcare emerged as the industry with the highest cost per stolen record with the average cost reaching as high as $363. Additionally, retailers have seen their average cost per stolen record jump dramatically from $105 last year to $165 in this year’s study.
“Based on our field research, we identified three major reasons why the cost keeps climbing,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “First, cyberattacks are increasing both in frequency and the cost it requires to resolve these security incidents. Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost. Third, more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management.”
The study cites the following key takeaways:
- Board-level involvement and the purchase of insurance can reduce the cost of a data breach. For the first time, the study looked at the positive consequences that can result when boards of directors take a more active role when an organization had a data breach. Board involvement reduces the cost by $5.50 per record. Insurance protection reduces the cost by $4.40 per record.
- Business continuity management plays an important role in reducing the cost of a data breach. The research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $7.10 per compromised record.
- The most costly breaches continue to occur in the U.S. and Germany at $217 and $211 per compromised record, respectively. India and Brazil still have the least expensive breaches at $56 and $78, respectively.
- The cost of a data breach varies by industry. The average global cost of a data breach per lost or stolen record is $154. The lowest costs per lost or stolen record are in transportation ($121) and the public sector ($68).
- Hackers and criminal insiders cause the most data breaches. Forty-seven percent of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack is $170. In contrast, system glitches cost $142 per record and human error or negligence $137 per record. The U.S. and Germany spend the most to resolve a malicious or criminal attack ($230 and $224 per record, respectively).
- Notification costs remain low, but costs associated with lost business have steadily increased. Lost business costs are abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. The average cost has increased from $1.23 million in 2013 to $1.57 million in 2015. Notification costs decreased from $190,000 to $170,000 since 2013.
- Time to identify and contain a data breach affects the cost. For the first time, the study shows the relationship between how quickly an organization can identify and contain data breach incidents and the financial consequences. Malicious attacks can take an average of 256 days to identify, while breaches caused by human error take an average of 158 days to identify.
“The growing sophistication and collaboration of cybercriminals ties directly with the historic costs we’re seeing for data breaches,” said Marc van Zadelhoff, Vice President of Strategy, IBM Security. “The industry needs to organize at the same level as hackers to help defend themselves from these continuing attacks. The use of advanced analytics, sharing threat intelligence data and collaborating across the industry will help to even the playing field against attackers while helping mitigate the cost to commerce and society.”