How to Calculate the Cost of a Data Breach


Companies believe their security systems to be unbreachable until the very moment they face the consequences of a data leak.


You’ve probably seen the number $3.86 million in lots of articles covering the cost of a data breach. This is the average cost of a data breach according to the 2018 Cost of a Data Breach Study by Ponemon Institute. What’s more alarming is that this figure is growing every year.


The financial consequences of a data leak depend on many variables: the time to detect the leak, the type and amount of information stolen, the qualifications of your incident response team, and the public reaction of the company are only a few factors that estimate the cost of a data breach.


Getting ready for a possible data breach can save your company millions of dollars in addition to saving your reputation and client loyalty.


The best way of preventing a data breach is to learn more about how they happen. In this article, we cover the most common types of data breaches, offer examples, consider cost-forming factors, and give some tips for preventing a data breach.


What is a data breach?


A data breach is a security incident during which sensitive corporate data is copied, transmitted, viewed, stolen, or used by an unauthorized individual.


There are a few ways to obtain sensitive data. You can protect your corporate data better by learning more about how each type of breach happens.

Types of data breaches


Let’s see some of the most common types of data breaches:


1. Hacking.


This is the most popular type, accounting for more than 40% of all threats according to the Verizon 2018 Data Breach Investigation Report.


Hacking includes:


  • DDoS attacks.
  • Using stolen credentials.
  • Backdoor or command and control (C2) attacks.
  • Brute forcing.
  • Many other tactics. 


For example, Uber has been exposed to several attacks. In 2017, Uber disclosed that hackers had obtained personal records (names, emails, and phone numbers) of 57 million passengers and drivers. This data also contained details of 600,000 driving licenses. According to the Uber report, the company chose to pay the attackers $100,000 and sweep the incident under the carpet instead of disclosing the hack. After disclosing this breach, Uber fired its CSO and his deputy as a result of the incident.


2. Malware.


Malware is commonly used by cybercriminals to obtain sensitive data. The most popular way to deliver malware is through email (accounting for up to 92% of all cases).


The notorious WannaCry attack affected more than 230,000 computers in over 150 countries in 2017. The British National Health Service, Deutsche Bahn, Spain’s Telefónica, FedEx, Honda, and the Russian Interior Ministry were among its victims. The crypto worm encrypted data on Windows operating systems and demanded a ransom for decryption.


3. Phishing.


Phishing is a common way to steal user accounts. It usually happens in the form of an email with a request to confirm your identity by responding with your credentials or by logging into your account. It’s as simple as that, but it takes a lot of attentiveness to distinguish a real email from a spoofing email. Ninety-seven percent of recipients are unable to identify a phishing attempt at first sight, according to a 2015 McAfee survey. Stolen accounts are used to obtain more information, including payment details.


For example, in May 2018, the Internal Revenue Service reported a phishing attempt masked as emails from accounting and professional associations. Addressees were supposed to log in to their accounts on the fake website of the association. In this way, attackers tried to steal sensitive data of tax professionals’ clients.


4. An insider attack.


Twenty-eight percent of all data breaches in 2017 involved internal actors, according to the Verizon report. Insider attacks are especially dangerous because the actors know exactly what data they can obtain and how to do so in the most discreet way.


Morgan Stanley suffered an insider attack in 2017, when a financial advisor stole records of more than 730,000 customers. This data included names, contact information, and account numbers. Morgan Stanley paid $1 million as a penalty for the breach. It’s safer to keep an eye on your privileged employees. You can do this with privileged account and session management and user activity monitoring software.


5. Human errors.


Protecting your company’s sensitive data from human errors is one of the hardest tasks. You can’t control or predict human errors, but a single unintentional error can cost a fortune to fix.


The Equifax breach is a good example. In 2017, Equifax lost sensitive information of nearly 146 million Americans because of an employee’s mistake. The employee was implementing software fixes and failed to follow security warnings. Breached records included names, birth dates, Social Security numbers, addresses, and even a driver’s license and credit card data. The incident cost Equifax $275 million and forced CEO Richard F. Smith to step down.

Which industries are affected the most?


The primary motivators of hackers are financial gain, corporate espionage and market competition, and personal gain (for malicious insiders). This determines the types of data that are most often at risk and the industries that suffer from the most attacks.


The Ponemon Institute, in its 2018 Cost of a Data Breach Study, analyzed data from 477 companies that had suffered a data breach. They found that the most popular industries to attack are the financial, services, industrial manufacturing, technology, and retail.

The most popular industries to attack are the financial, services, industrial manufacturing, technology, and retail.

Insiders vs. outsiders: who’s more dangerous?


All data breaches can be divided into two categories: those caused by insiders and those caused by outsiders. There’s an ongoing debate about who causes the most damage, with reasonable arguments from both sides. Research presents completely contradictory statistics on the subject. The Verizon 2018 Data Breach Investigation Report states that 73% of data breaches are caused by outsiders. On the other hand, the 2018 Insider Threat Report by Crowd Research Partners claims that 90% of organizations feel vulnerable to insider attacks.


Anyone who is authorized to access your company data is a potential insider threat. They know what sort of information you store and how it’s protected. Therefore, if they attempt to steal data, it will be harder for a security officer to detect the incident.


On the other hand, outsider threats come from hackers or competitors. They have many tools to steal data: viruses, malware, phishing emails, compromised credentials, and so on. But reliable IT security infrastructure, secure systems, regular training, and security policies can save you from most attacks.


What determines the cost of a data breach?


The cost of any data breach consists of several major components:


  • The direct cost is the expense of dealing with the breach when it’s detected. This includes forensic and investigation activities, fines, compensation to affected customers, and so on.
  • Indirect costs are connected with the time, effort, and other resources necessary to cover losses from the data breach. Indirect costs include expenses for communications regarding the status and effects of the breach, issuing new accounts/credit cards/credentials, and lost revenue from system downtime.
  • The lost opportunity cost accounts for lost business opportunities as a consequence of negative reputation effects. For example, a breach can lead to lost customers and a shortfall in profits due to loss of reputation.


Data breach cost calculation is influenced by every action of your company. Even its location has an effect. The average total cost of a breach in the United States in 2017 was $7.91 million, whereas in Brazil it was $1.24 million. The highest average costs per stolen record in 2017 were $233 in the United States and $202 in Canada.


How can you calculate the cost of a data breach for your company? Basic cost-forming factors include the location of your company, the type of data stolen, the size of the breach, its impact in the news and on the company’s reputation, and other factors. This calculation can’t be pinpoint accurate, however, because each data breach needs to be handled in a different way. But it gives you an understanding of the cost components.

There are several factors that influence the cost of a data breach

Most expensive data breaches


As we’ve mentioned, a data breach can literally cost your company a fortune, especially because its reputation is at stake. Let’s consider some of the most expensive data breaches to date.


The Epsilon case is considered one of the most expensive and dreadful data breaches in history. Epsilon provided email marketing services to about 2,500 companies. On April 1, 2011, Epsilon disclosed that its databases had been breached. Hackers stole the email addresses of 2% of its clients. Best Buy, Walt Disney Company, Barclays, Citibank, JPMorgan Chase, and Target were among those clients. The cost of this breach is estimated at $3 billion to $4 billion. This includes costs to Epsilon, and its clients.


When we talk about data leaks as a blow to reputation, the Facebook breaches probably come to mind. In 2018, Facebook disclosed leaks twice — 87 million profiles exposed during the Cambridge Analytica scandal in March and 50 million profiles exposed during their security system failure in September.


Setting aside financial penalties for the company, it has lost ground as the dominant social network. A Pew Research Center study shows that 44% of Facebook users aged 18 to 29 deleted the social network’s app during the past year. Seventy-four percent of users took a break from Facebook, changed privacy settings, or deleted their accounts. Data breaches can’t be the only cause for that, but security concerns are one of the major reasons for leaving Facebook. Moreover, the Facebook leaks encouraged discussion in the US Senate regarding reinforcing government regulations for companies holding data.


Tips to prevent a data breach


It takes an average of 197 days to identify a breach and 69 to contain it, according to the 2018 Cost of a Data Breach Study. The more time that passes between a breach and its discovery, the more resources you’ll spend dealing with it. Here are some tips on how to reduce the cost and build up your security system.


Incident response team


The International Association of Privacy Professionals believes that creating an internal incident response team is the most important step. This team should consist of specialists from various departments: IT, legal, security, communications, customer service, executive management, and compliance. They need appropriate training in dealing with data-stealing threats.


Planning and research


You need to identify possible threats and draw up a plan for preventing them. While working on this plan, it would be helpful to study previous breaches in your industry. Firstly, this will give you insights into key threats you’re exposed to. Secondly, it will show you which actions other companies took after breaches to ensure that the same attack wouldn’t be successful again.


Software tools


There’s a set of tools can help reduce risks to your sensitive data. When building an efficient software ecosystem for preventing data breaches, you should consider:


  • What data you protect.
  • Infrastructure where this data is stored.
  • Channels used to transfer this data.
  • Users who can access this data.


When considering risk mitigation from the data perspective, you usually evaluate various encryption products, solutions to guarantee data integrity from both the physical and logical perspective, and efficient tools for data backup and recovery.


From the infrastructure point of view, we’re mostly talking about building a protected perimeter and setting up intrusion detection systems.


From the channel's point of view, you should use effective network security tools and secure communication channels and consider advantages of DLP solutions that monitor data in motion.   


The fourth component, users, may be the trickiest. On the one hand, you should guarantee the ability to smoothly work with data, while on the other hand, you should build an effective insider threat protection system. Let’s consider this in more detail.


User-based risk mitigation includes three main components:


  • Identity management. Take every reasonable effort to guarantee the true identity of users accessing sensitive information and detect compromised accounts in a timely fashion.
  • Access management. Clearly define who has the right to access what digital assets. Use cybersecurity best practices (such as the least privilege principle and purpose-based access scheme) to build a transparent and reliable system.
  • Activity monitoring. Make sure you have a detailed audit trail for any session of work with sensitive data, as it will not only help you meet compliance regulations but will also cut costs of incident detection and investigation. Ensure that potential incidents are automatically alerted to cut the time to detect and respond properly at the earliest stages of a data breach.  


The cybersecurity market provides a great selection of tools to reinforce these three components. Ekran System has made one more step forward in user-based risk mitigation, delivering all three controls within one software agent.

Learn more about Security Incident Investigation



The cost of a data breach depends on a great number of factors. Some you can influence (losses to your customers, lost revenue) and some you can’t (fines, forensics, and investigations). And you can’t precisely estimate how much a data breach could cost your company because every breach is unique.


The only way to prevent a breach or reduce the cost of dealing with a breach is by building a 360-degree security system. Companies tend to focus on external threats, overlooking insider threats. At Ekran System, we believe that to be a major mistake. While external attacks are more common, inside actors can do more harm with data.


With user activity monitoring, you can be alerted of any suspicious activity inside your network. Your security officer can then terminate a session until further investigation. If a breach has already happened, user session records can speed up inquiries and reduce the costs of a forensic investigation.