Today’s ‘mega’ data breaches now cost companies $392 million to recover from

When consumer PII is involved, the cost increases.
Written by Charlie Osborne, Contributing Writer

The average cost of a "mega" data breach has risen astronomically over the past year and enterprise players impacted by such a security incident can expect to pay up to $392 million.

Data breaches are a commonplace occurrence now and cyberattacks launched against companies have spawned a new cyberinsurance industry, the emergence of regulatory and class-action lawsuits against firms that fail to protect data, and new laws -- such as the EU's GDPR -- that can be used to impose heavy penalties against data controllers with lax security. 

Yet, the data breaches keep rolling in, some of which lead to the theft of consumer records for sale on underground forums and an increased risk of identities being stolen. 

In order to tackle the aftermath of a data breach, organizations may need to spend funds on repairing systems and upgrading architectures, they may need to invest in new cybersecurity services and cyberforensics, and they may also face lawsuits or regulatory penalties -- and the cost continues to increase year-on-year when customer PII is involved. 

On Wednesday, IBM released its annual Cost of a Data Breach Report which says that the average data breach now costs $3.86 million. While this average has decreased by 1.5% in comparison to 2019, when over 50 million consumer records are involved, these "mega" breaches can cost up to $392 million to remedy, up from $388 million in 2019.

See also: EasyJet faces £18 billion class-action lawsuit over data breach

If an organization is acting as a data controller for between 40 and 50 million records, the cost on average is $364 million, and organizations could face a cost of up to $175 per consumer record involved in data theft or leaks.

The study, conducted by the Ponemon Institute, includes interviews with over 3,200 security professionals working at companies that have experienced a data breach in the past year. 

Compromised employee and insider accounts, as highlighted by the recent Twitter hack, are one of the most expensive factors in data breaches today, bringing the average cost of a data breach up to $4.77 million. When insider accounts were involved, 80% of incidents resulted in the exposure of customer records. 

In total, stolen or compromised account credentials -- alongside cloud misconfigurations -- account for close to 40% of security incidents. 

IBM says that in one out of five breaches, compromised account credentials have been used as an entryway for attackers, leading to the exposure of over 8.5 billion records in 2019 alone. Cloud misconfigurations account for close to 20% of network breaches. 

CNET: Apple's new security program gives special iPhone hardware, with restrictions attached

The exploit of third-party vulnerabilities, such as zero-days or unpatched security flaws in enterprise software, are also a costly factor in data breaches. An enterprise company that suffers a data breach due to such vulnerabilities can expect to pay up to $4.5 million. 

State-sponsored attacks, including those conducted by advanced persistent threat (APT) groups, are far less common and only represent 13% of overall data breaches reported by enterprise companies. However, when these threat actors are involved, the damage they cause often results in higher recovery costs, represented by an average of $4.43 million. 

If cyberinsurance has been taken out by organizations, this can reduce the damage bill on average by $200,000, with the majority of insurance payouts used for legal services and consultancy fees. 

TechRepublic: The challenges and opportunities of shadow IT

Within the report, IBM cites AI, machine learning, and automaton as valuable tools for responding to data breaches that may cut down incident response times by up to 27%.

"At a time when businesses are expanding their digital footprint at an accelerated pace and security industry's talent shortage persists, teams are overwhelmed securing more devices, systems and data," commented Wendi Whitmore, VP of IBM X-Force Threat Intelligence. "When it comes to businesses' ability to mitigate the impact of a data breach, we're beginning to see a clear advantage held by companies that have invested in automated technologies."

The biggest hacks, data breaches of 2020 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards