Cost Of Data Breaches Increased In 2009, Study Says

Ponemon Institute research says malicious attacks are the most costly breaches

Tim Wilson, Editor in Chief, Dark Reading, Contributor

January 26, 2010

4 Min Read

The cost of data breaches continues to rise, and malicious attacks accounted for more of them in 2009 than in previous years, according to a study published today.

In conjunction with study sponsor PGP Corp., Ponemon Institute today released the results of its fifth annual "U.S. Cost of a Data Breach" report. The news isn't good, according to the research firm's founder, Larry Ponemon.

"Each year, I expect the breach cost figures to decrease, but the numbers are still rising," Ponemon says. The 2009 study showed a slight increase in the organizational cost of a data breach -- from $6.65 million to $6.75 million per incident -- and a slight increase in the average cost per compromised record, from $202 to $204.

Legal costs showed the greatest increase in 2009, according to the study. Fees associated with legal handling of breach-related litigation increased by more than 50 percent between 2008 and 2009. "This reflects the increasing chances that a breach will result in litigation, which we've seen in cases like Heartland [Payment Systems]," Ponemon says. Heartland recently agreed to a $60 million settlement related to its 2008 breach, and some of the plaintiffs are now asking for more.

Malicious attacks also showed a sharp rise in the 2009 report, Ponemon observes. In the 2008 report, external attacks accounted for 12 percent of all breaches, but this year that figure is approximately 24 percent. "What this says is that the seriously deranged criminal is a lot smarter than they used to be," Ponemon says. "The attacks are a lot more sophisticated now, and the criminals are working with technologies that are a lot stealthier."

The study is an analysis of the actual data breach experiences of 45 U.S. companies from 15 different industry sectors. It takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact response. It also analyzes the economic impact of lost or diminished customer trust and confidence, as measured by customer turnover (churn) rates.

"Loss of business continues to be the greatest cost associated with breaches," Ponemon says. "When customers experience a breach, they may not come back, or they may be expensive to acquire again."

The study also shows that, for the first time, many companies are starting to use enabling prevention and remediation technologies more often and effectively, Ponemon says. Despite this trend, most organizations aim to prevent future breaches through training and awareness programs (67 percent) and additional manual procedures and controls (58 percent).

Some other strategies also saw an increase, such as expanded use of encryption (58 percent), deployment of identity and access management solutions (49 percent), and deployment of data loss prevention solutions (42 percent).

"Over the last three to five years, many companies have been focusing on encryption at the endpoints," noted Tim Matthews, senior product director at PGP, the encryption firm that sponsored the study. "Now, with the increase in breaches occurring through malware, we are seeing companies shift resources to encrypt data inside the data center, rather than just at the endpoints."

The 2009 cost per compromised record of data breaches involving a malicious or criminal act averaged $215 per record -- 40 percent higher than breaches involving a negligent insider ($154) and 30 percent higher than breaches from system glitches ($166), Ponemon says.

The presence of a chief information security officer (CISO) is a benefit to the organization, according to the study. "Companies with a CISO [or equivalent title] who managed data breach incidents experienced an average cost per compromised record of $157, versus $236 -- a whopping 50 percent increase -- for companies without such leadership," the study says.

Interestingly, companies that notified breach victims fastest did not end up saving money. About 36 percent of participating organizations notified victims within one month, but these "quick responders" ended up paying more than their slower peers ($219 versus $196, a 12 percent difference). Moving too quickly through the data breach process -- especially during the detection, escalation, and notification phases -- could cause inefficiencies that raise total costs, Ponemon says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights