IBM security study reveals cost of a data breach

The average cost of a data breach has grown 6.4 percent to $3.86 million in 2018, IBM Security and Ponemon Institute study said.
Data Breach Study from IBM Security and Ponemon Institute
The study analyzed hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and cost of lost business and reputation — based on interviews with nearly 500 companies that experienced a data breach.

“While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services (IRIS).

Cost of a breach

US $7.91 million
Middle East $5.31 million
Brazil $1.24 million
India $1.77 million

In the past five years, the amount of mega breaches (breaches of more than 1 million records) has nearly doubled – from nine mega breaches in 2013, to 16 mega breaches in 2017.3

Average cost of a data breach of 1 million compromised records was nearly $40 million.

Estimated total cost of a breach was $350 million at 50 million records. The majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error).

The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days).

For mega breaches, the biggest expense category was costs associated with lost business, which was estimated at nearly $118 million for breaches of 50 million records – almost a third of the total cost of a breach this size.

The average cost of a data breach was $3.86 million in the 2018 study, compared to $3.50 million in 2014 – representing nearly 10 percent net increase over the past 5 years of the study.

The average time to identify a data breach in the study was 197 days, and the average time to contain a data breach once identified was 69 days.

Companies who contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days ($3.09 million vs. $4.25 million average total)

The amount of lost or stolen records also impacts the cost of a breach, costing $148 per lost or stolen record on average.

Having an incident response team was the top cost saving factor, reducing the cost by $14 per compromised record.

The use of an AI platform for cybersecurity reduced the cost by $8 per lost or stolen record.

Organizations that had deployed automated security technologies saved over $1.5 million on the total cost of a breach ($2.88 million, compared to $4.43 million for those who had not deployed security automation.)

Healthcare organizations had the highest costs associated with data breaches – costing them $408 per lost or stolen record – nearly three times higher than the cross-industry average ($148).


IBM said the average cost for data breach in India was Rs 119 million (+7.9 percent) and the average per capita cost per lost or stolen record was Rs 4,552, a 7.8 percent increase from the 2017 report.

Services industry was the most affected amongst the surveyed companies in India with 19 percent reporting a data breach. Services industry was followed by 18 percent of respondents from Industrial Sector and 16 percent from Technology Sector reporting a data breach.

Financial sector reported the highest per capita cost at Rs 6,210 whereas the least average cost was reported by Public Sector at Rs 1,813

Average mean time to identify data breach increased from 170 to 188 days. Malicious or criminal attacks took 219 days on an average to be identified whereas System glitch took 175 days on an average followed by Human Error at 155 days.

Average mean to contain data breach increased from 72 to 78 days. Average time to contain Malicious or criminal attacks took 99 days followed by System glitch and Human Error taking 65 days and 60 days respectively.