Cost Of Data Breaches Up Again, Ponemon Study Says

Cost per breached record hits $214; average breach costs $7.2 million

Everything's more expensive these days -- and experiencing a major corporate data breach is no exception.

The Ponemon Institute and Symantec earlier this week released the findings of the "2010 Annual Study: U.S. Cost of a Data Breach," which reveals data breaches grew more costly for the fifth year in a row.

The average organizational cost of a data breach increased to $7.2 million, and the average cost per compromised record rose to $214, markedly higher than $204 in 2009, according to the researchers.

"Every year I predict that the costs will go down, and every year, I'm wrong," quipped Larry Ponemon, founder of the Ponemon Institute. "We did see some leveling off last year, but the overall costs are still on the rise."

The sixth annual report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors.

Interestingly, companies that responded quickly to data breaches ended up paying 54 percent more per record than companies that moved more slowly, according to the study. Forty-three percent of companies notified victims within one month of discovering the breach, up seven points from 2009. In 2010, these quick responders had a per-record cost of $268, up 22 percent from 2009; companies that took longer paid $174 per record, down 11 percent.

Malicious or criminal attacks are the most expensive breaches, the study says, and are on the rise. In this year’s study, 31 percent of all cases involved a malicious or criminal act -- up seven points from 2009 -- and the cost of these compromises averaged $318 per record, up 43 percent from 2009.

While external breaches are on the increase, negligence remains the most common threat, Ponemon says. The number of breaches caused by negligence edged up one point to 41 percent and averaged $196 per record, up 27 percent from 2009.

Companies are more vigilant about preventing system failures, according to the report. System failure dropped nine points to 27 percent in 2010. "This trend indicates organizations may be more conscientious in ensuring their systems can prevent and mitigate breaches through new security technologies and compliance with security policies and regulations," Ponemon says.

Encryption and other technologies are gaining ground as post-breach remedies, but training and awareness programs remain the most popular, the study says. Sixty-three percent of respondents use training and awareness programs after data breaches, down four points from 2009. Encryption is the second-most implemented preventive measure as a result of a data breach, with 61 percent. Both encryption and data loss prevention (DLP) solutions have increased 17 percent since 2008.

The study takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact (ex-post) response. The study also analyzes the economic impact of lost or diminished customer trust and confidence as measured by customer churn or turnover rates.

"Churn is still the highest cost that we see," Ponemon said. "There's an attitude out there that users no longer care about their privacy as much, but our data shows that they really do."

The U.S. Cost of a Data Breach Study was derived from a detailed analysis of 51 data breach cases with a range of nearly 4,200 to 105,000 affected records. The study found there is a positive correlation between the number of records lost and the cost of an incident. Companies analyzed were from 15 different industries.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
