Data breaches comprising more than 50 million records, so-called “mega breaches,” can cost organizations as much as $350 million, according to a new report by the Ponemon Institute.
The findings of the report were based on interviews with more than 2,200 IT, data protection and compliance professionals from 477 organizations. The report also analyzed 11 companies that have been subject to what it terms “mega breaches” (defined as one million or more records).
The report also ranks countries by the size of the average data breach. India and the Middle East came out top, with the average data breach comprising 36,451 and 34,110 records respectively. The U.S. is third, with an average of 31,465 records per breach.
“Malicious or criminal attack” is the root cause of most breaches globally. In the US, this category accounted for 52 percent of all breaches, with system glitches (23 percent) and human error (25 percent) making up the remainder.
Globally, the total average cost of a data breach for the organizations analyzed is $3.86 million, while the per capita cost is $148 (which is an increase of 4.8 percent year-on-year).
The report also found that cost per capita declines as the size of the breach increases. The costs incurred include “detection and escalation”, “notification”, “post data breach response” and “lost business costs”.
“Lost business costs” include direct, indirect and opportunity costs, while notification costs include the cost of informing both customers and regulatory authorities.
Companies that have experienced “mega breaches” were analyzed independently of other organizations owing to the small sample and propensity to skew results.
Of the 11 “mega breaches” analyzed, the report found that the average cost of a breach comprising 1 million records is $39.5 million. “Lost business costs” from a breach of this size prove more expensive than any other factor and amount to over $15 million.
Interestingly, the report also found that the larger the breach, the less likely it is that an organization will suffer another breach within the next 24 months.
Moreover, it also found that the mean time to identify (MTTI) a breach is 197 days (up from 191 days in 2017) and the mean time to contain (MTTC) a breach is 69 days (up from 66 days in 2017).