Data breaches 9% more costly in 2013 than year before

It cost U.S. companies hit by data breaches last year an average of $5.4 million to cope with the after-effects, up 9% from the year before, according to the ninth annual Ponemon Institute study published Monday.

On average, it cost $201 per record lost, up from $188 the year before, based on Ponemon's analysis of costs from the loss or theft of personal data incurred by 61 U.S.-based organizations in more than two dozen industry sectors. Ponemon's "2014 Cost of Data Breach Study: United States" concludes that the main reason for the steep increase in costs is "the loss of customers following the data breach due to additional expenses required to preserve the organization's brand and reputation."


Ponemon's IBM-sponsored research included interviews with over 500 individuals directly involved at the victimized companies and government agencies. In 2013, there appeared to be what Ponemon refers to as "an abnormal churn rate" of 15% in customers abandoning companies -- especially those in financial services -- hit by a breach.

Ponemon points out the 9% increase in breach costs is a big change from the past few years when breach costs either did not drop or rose only a bit. The cost stood at $214 per record lost in 2011. Factors in tallying data-breach costs include everything from forensics experts, outsourcing hotline support and free credit monitoring subscriptions, discounts to customers to make amends, in-house investigations, legal and all the extra work that mounts up after a breach.

Heavily regulated industries such as healthcare, transportation, energy, financial services, communications, pharmaceuticals and manufacturing tend to have a higher per capita breach cost, the report says. Health topped the charts at an average $316 per record lost, with transportation close behind at $286. The sectors defined as "hospitality" and "research" had the lowest cost, at $93 and $73 respectively.

Based on its analysis, Ponemon has ventured to make predictions on "the probability of a data breach based on two factors: how many records were stolen and the company's industry." The outfit says public-sector organizations in government and retail companies are "more likely" to be at risk of a breach than others, while "energy and industrial companies" are least at risk.

Ponemon also today published a global study on data-breach cost issues, in which 314 organizations in the U.S., United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates and Saudi Arabia participated on an anonymous basis. The study found a wide difference in data-breach costs, with the U.S. and Germany suffering the highest average tallies at $201 and $195 per customer record respectively, and Brazil and India the lowest, at $70 and $50. The study did not delve into exactly why that might be but said that the regulatory environment appears to be a factor. Healthcare in general is believed to have faced the highest per-capita cost per industry at $359 and the public sector the lowest at $100.

Malicious and criminal attacks are cited most frequently as the root cause for data breaches globally, comprising 42% of incidents, while 30% were blamed on a negligent employee or contractor, and 29% on "system glitches" related to both technology and business process failures. In the U.S. (see chart) this was roughly the pattern as well.

Data breaches resulting from malicious or criminal attacks on U.S. companies led to higher costs, at $246 per compromised record on average, in comparison to $171 for a "system glitch" and $160 for "human error."

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE.
