



How much does a security breach actually cost?

Oct 28, 2016 · 4 min read
Application Security · Data Breach · Network Security

The average cost of a data breach involving fewer than 10,000 records was $5 million

Image credit: Thinkstock

The American public has become so inured to data breaches that it’s difficult to remember them all. Infamous breaches like the ones at Target and Sony become almost forgettable when confronted with the recently disclosed half-billion accounts compromised at Yahoo in 2014.

The numbers are simply staggering. It is estimated that over 900 million records of personally identifiable information (PII) have been stolen in the U.S. over the past few years. Keeping track of all the hacks and when they happened may require complex data visualization.

But while the public memory of these events may be fuzzy, the cost for the organizations involved is not. When a data breach happens, executives lose their jobs and billion-dollar mergers are put in jeopardy. And the underlying reason these drastic steps occur is because data breaches cost organizations enormous sums of money to fix.

What’s the cost of a data breach?

Given the large numbers involved, it can seem a challenge to attempt to calculate the total price tag of a widespread data breach. It is, however, possible to review the data and establish some benchmarks, as has been done in the 2016 Data Breach Study by the Ponemon Institute and IBM.

According to the report, the total average cost for a breach is $7 million. Only in 2011 was there a higher average cost, $7.24 million. Unfortunately, this year saw the highest average cost per record, costing companies an average of $221 per compromised record.

Looking at that number more closely yields an important piece of information—companies spend more on the indirect costs than direct costs of a data breach.

In this case, direct costs refer to the amount spent to minimize the consequences of a data breach and to assist victims. Indirect costs are defined as the amount spent on existing internal resources to deal with the data breach.

Using that measure, only $76 per record represents the direct cost to the organization, including items such as legal fees and technological investments. The far greater portion, $145, reflects the indirect costs of a data breach, including the damage to an organization’s reputation and increased customer churn rate.

Certain industries are more vulnerable to churn and, consequently, have higher data breach costs. Financial, healthcare, technology, life sciences and service companies all experience higher churn rates after a breach. Heavily regulated industries such as insurance also suffer higher costs than average. Knowing this helps explain why these industries put so much investment in securing their information.

It’s clear customers value their personal data and hesitate to do business with an organization that cannot keep it secure. With this in mind, the first order of business for an organization that suffers a data breach is to move to retain and regain their customers’ trust.

Data breaches are more common than you think

While big hacks like the ones at Yahoo, Sony, and Target grab the headlines and public attention, data breaches have become so commonplace that many never reach a wider public audience.

That’s because the 500 million accounts hacked at Yahoo in 2014 easily overshadow the 2016 average data breach size of 29,611 records. The number of records per typical incident this year ranged from 5,125 to 101,520.

Knowing these numbers gives one a sense of how to measure a breach’s relative size, and size matters when it comes to measuring the cost of a data breach. It’s intuitive and true—the more records lost, the higher the cost.

According to the same Ponemon study, the average cost of a data breach involving fewer than 10,000 records was nearly $5 million, while a breach of more than 50,000 records had an average cost of $13 million.

Reviewing the numbers, it’s clear data breaches are a real and growing financial threat to businesses. The good news is that this is a cost that can be avoided with a proactive investment in cybersecurity measures. Knowing the potential and average cost also gives business owners an idea of how much to budget to secure their information.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.
