By the Numbers: The Average Data Breach Costs?

A recurring issue within cybersecurity is the startlingly cavalier attitude upper management can have about data breaches. They seem to be under the impression that either their enterprise is not at risk of a data breach or that the data breach costs they’d face wouldn’t seriously harm their bottom line or reputation.

Both of these lines of thinking are, sadly, delusions. Any enterprise can be a target for a data breach; all you need is customer or corporate information that the unscrupulous and malicious might want. And data breach costs can be more than staggering: they can bring your enterprise, whether large or small, to its knees.

Here are some numbers to keep in mind about data breach costs:

$114 million—the data breach costs Equifax has already suffered due to breach remediation, offering free credit monitoring for affected customers, and legal services as a result of their 2017 incident, according to CIO Dive.

$164 million—the total data breach costs, according to Reuters.  

$26.5 million—what Equifax had to pay in data breach costs in 2017 Q4 alone.

$X—the amount Equifax still has to pay in upcoming legal fees, contract losses, security upgrades, and loss of customers (among other costs) in 2018 as a result of the data breach. According to Reuters, that number might be $275 million, bringing the total to $439 million. The data breach costs could even reach as high as $600 million before the breach is completely resolved.

Sources say this would make the Equifax breach the most costly in history. That’s not even factoring in the damage to Equifax’s reputation. Public opinion polls and consumer behavior studies indicate that consumers are hesitant to patronize enterprises with a history of data breaches or that treat their private information carelessly. Additionally:

25%—the amount Equifax's share value has dropped since the data breach revelations. Despite some small recovery, it has not returned to its previous value.

That's the data breach cost Equifax is facing, and it might be easy to dismiss those costs given the size and severity of the attack on the company. But smaller companies with less substantial breaches can still face heavy costs:

$13.5 million—the amount, under state law, the Pennsylvania Attorney General’s Office could seek in their lawsuit against Uber for its 2016 breach cover-up. It is likely they will seek this full amount. 

$7 million—the total average data breach costs for enterprises, according to the Ponemon Institute and IBM in 2016.

$221—the cost per record breached in 2016.  

$1 billion—the discount Verizon sought in its purchase of Yahoo after the breach of the latter became public.  

1/4—the chances of your enterprise experiencing a data breach, according to Security Intelligence and the Ponemon Institute.

Sometimes larger numbers can be difficult to process. For the smaller enterprise or business, here’s another way to conceive of data breach costs:

46 days—the average time it takes to resolve a cyber attack after discovery.

$21,155—the average cost per day to resolve a data breach.

$0.59 million—the average notification costs to regulatory bodies after a data breach.

This can bring the total to over $1 million for even the smallest breach.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.