

Cost Of Data Breaches Increased In 2009, Study Says

Ponemon Institute research says malicious attacks are the most costly breaches

The cost of data breaches continues to rise, and malicious attacks accounted for more of them in 2009 than in previous years, according to a study published today.

In conjunction with study sponsor PGP Corp., Ponemon Institute today released the results of its fifth annual "U.S. Cost of a Data Breach" report. The news isn't good, according to the research firm's founder, Larry Ponemon.

"Each year, I expect the breach cost figures to decrease, but the numbers are still rising," Ponemon says. The 2009 study showed a slight increase in the organizational cost of a data breach -- from $6.65 million to $6.75 million per incident -- and a slight increase in the average cost per compromised record, from $202 to $204.

Legal costs showed the greatest increase in 2009, according to the study. Fees associated with legal handling of breach-related litigation increased by more than 50 percent between 2008 and 2009. "This reflects the increasing chances that a breach will result in litigation, which we've seen in cases like Heartland [Payment Systems]," Ponemon says. Heartland recently agreed to a $60 million settlement related to its 2008 breach, and some of the plaintiffs are now asking for more.

Malicious attacks also showed a sharp rise in the 2009 report, Ponemon observes. In the 2008 report, external attacks accounted for 12 percent of all breaches, but this year that figure is approximately 24 percent. "What this says is that the seriously deranged criminal is a lot smarter than they used to be," Ponemon says. "The attacks are a lot more sophisticated now, and the criminals are working with technologies that are a lot stealthier."

The study is an analysis of the actual data breach experiences of 45 U.S. companies from 15 different industry sectors. It takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact response. It also analyzes the economic impact of lost or diminished customer trust and confidence, as measured by customer turnover (churn) rates.

"Loss of business continues to be the greatest cost associated with breaches," Ponemon says. "When customers experience a breach, they may not come back, or they may be expensive to acquire again."

The study also shows that, for the first time, many companies are using prevention and remediation technologies more often and more effectively, Ponemon says. Even so, the measures organizations most commonly adopt to prevent future breaches remain training and awareness programs (67 percent) and additional manual procedures and controls (58 percent).

Some other strategies also saw an increase, such as expanded use of encryption (58 percent), deployment of identity and access management solutions (49 percent), and deployment of data loss prevention solutions (42 percent).

"Over the last three to five years, many companies have been focusing on encryption at the endpoints," noted Tim Matthews, senior product director at PGP, the encryption firm that sponsored the study. "Now, with the increase in breaches occurring through malware, we are seeing companies shift resources to encrypt data inside the data center, rather than just at the endpoints."

The 2009 cost per compromised record of data breaches involving a malicious or criminal act averaged $215 per record -- 40 percent higher than breaches involving a negligent insider ($154) and 30 percent higher than breaches from system glitches ($166), Ponemon says.

The presence of a chief information security officer (CISO) is a benefit to the organization, according to the study. "Companies with a CISO [or equivalent title] who managed data breach incidents experienced an average cost per compromised record of $157, versus $236 -- a whopping 50 percent increase -- for companies without such leadership," the study says.

Interestingly, companies that notified breach victims fastest did not end up saving money. About 36 percent of participating organizations notified victims within one month, but these "quick responders" ended up paying more than their slower peers ($219 versus $196, a 12 percent difference). Moving too quickly through the data breach process -- especially during the detection, escalation, and notification phases -- could cause inefficiencies that raise total costs, Ponemon says.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
