Total cost of average data breach reaches $3.8 million

The average consolidated total cost of a data breach is $3.8 million, according to a Ponemon Institute study of 350 companies spanning 11 countries.

The study also found that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased six percent from a consolidated average of $145 to $154.

Healthcare emerged as the industry with the highest cost per stolen record with the average cost for organizations reaching as high as $363. Additionally, retailers have seen their average cost per stolen record jump from $105 last year to $165 in this year’s study.


Forty-seven percent of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack is $170. In contrast, system glitches cost $142 per record and human error or negligence is $137 per record. The US and Germany spend the most to resolve a malicious or criminal attack ($230 and $224 per record, respectively).

Malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify.

The average global cost of data breach per lost or stolen record is $154. However, if a healthcare organization has a breach, the average cost could be as high as $363, and in education the average cost could be as high as $300. The lowest cost per lost or stolen record is in transportation ($121) and public sector ($68).

Anton Chuvakin, Research Vice President at Gartner, is not a fan of calculating the cost per record. “These numbers draw attention to the breaches of personal data and thus away from sensitive data such as intellectual property. They are clumsy since they ignore the fact that you have per breach costs (which are the same for many different-sized breaches) and per record costs. If you spend $100,000 to investigate, and $3/record to notify the victims, your overall per record cost will be hugely different for a 1000 record breach and a 100,000 record breach.”


Lost business costs are abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished good will. The average cost has increased from $1.23 million in 2013 to $1.57 million in 2015. Notification costs decreased from $190,000 to $170,000 since last year.

“The increased awareness, and perceived loss of trust of customers whose data has been part of a breach is the figure that will be of most concern to businesses across the globe,” shared Raj Samani, VP and CTO EMEA at Intel Security.

“Lost business is a major inhibitor in an organizations ability toward economic growth, equally abnormal churn can even result in negative growth for impacted organizations. Such statistics demonstrate the value that effective risk management can have, and should form a foundation in any business case for security controls intended to reduce the probability of becoming an unwanted statistic in next year’s report,” Samani added.


Board level involvement and the purchase of insurance can reduce the cost of a data breach. Positive consequences can occur when boards of directors take a more active role when an organization had a data breach. Board involvement reduces the cost by $5.50 per record. Insurance protection reduces the cost by $4.40 per record.

Jennifer Steffens, CEO at IOActive, believes that an organization can reduce the risk of data breaches by performing regular pen tests, security auditing, social engineering tests, and other related activities.

“While companies being breached is a never a good thing, the fact that the increased exposure has finally escalated security discussions to the board level is very encouraging and will certainly have a positive impact moving forward,” Steffens told Help Net Security.

The complete report, sponsored by IBM, is available here (registration required).