Professional Documents
Culture Documents
2019 Cost of A Data Breach Report
2019 Cost of A Data Breach Report
2019 Cost of A Data Breach Report
Data Breach
Report 2019
Complete Findings 15
Root causes of a data breach 29
The four cost components 34
Factors that influence cost 37
Incident response effectiveness 40
The effect of abnormal customer turnover 42
The likelihood an organization will have another
data breach 46
The data breach lifecycle 49
Long tail costs 55
Impact of security automation 58
Cost of a mega breach 63
Organization Characteristics 71
Research Limitations 74
Next Steps 75
2
Executive Summary Part 1
Executive Summary
IBM Security and Ponemon Institute are pleased to
release the 2019 Cost of a Data Breach Report.1 Based
on in-depth interviews with more than 500 companies
around the world who experienced a data breach
between July 2018 and April 2019, the analysis in this
research study takes into account hundreds of cost
factors, from legal, regulatory and technical activities,
to loss of brand equity, customer turnover, and the
drain on employee productivity.
$3.92M
The years referenced in this report are for the year of publication. The data breach incidents studied in the 2019 report occurred between July 2018
1
3
Executive Summary Part 1
What’s new
in 2019
This year’s Cost of a Data Breach Report explores Continuing to build on previous research, the 2019
several new avenues for understanding the causes report examines trends in the root causes of data
and consequences of data breaches. For the first breaches and the length of time to identify and contain
time, this year’s report details the “long tail” of a data breaches (the breach lifecycle), plus the relationship
breach, demonstrating that the costs of a data breach of those factors to the overall cost of a data breach.
can be felt for years after the incident. The report also Following the 2018 report’s initial examination of
examines organizational and security characteristics “mega breaches” of greater than 1 million lost or stolen
that can impact the cost of a data breach, including: records, we continue this research with comparative
the complexity of security environments; operational data for 2019. And for the second year, we examined
technology (OT) environments; extensive testing of the cost impacts of security automation, and the state
incident response plans; and the process of closely of security automation within different industries
coordinating development, security, and IT operations and regions.
functions (DevSecOps).
4
Executive Summary Part 1
Key Findings2
The research in the Cost of a Data Breach Report is conducted by the Ponemon Institute and results are sponsored, analyzed and reported by IBM
2
Security. The study is based on a non-scientific sample of 507 companies. The key findings are based on IBM and Ponemon analysis of the data and
do not necessarily apply to organizations outside of the group that was studied.
Local currencies were converted to U.S. dollars.
3
5
Executive Summary Part 1
6
Executive Summary Part 1
7
Executive Summary Part 1
8
Executive Summary Part 1
Automation of security
reduced costs
Organizations that had deployed automated security
solutions that reduce the need for direct human interven-
tion – including the use of security solutions with artificial
intelligence, machine learning, analytics, and automated
incident response orchestration – saw significantly lower
costs after experiencing a data breach. Organizations
that had not deployed security automation experienced
breach costs that were 95 percent higher than breaches at
organizations with fully-deployed automation ($5.16 million
average total cost of a breach without automation vs. $2.65
million for fully-deployed automation). Breach costs at
organizations without automation deployed were far
costlier in 2019 than in 2018, going up from an average of
$4.43 million in 2018 to $5.16 million in 2019, an increase
of more than 16 percent. Breaches at organizations with
fully deployed automation decreased in cost from 2018 to
2019. Those breaches decreased in cost by 8 percent, from
an average of $2.88 million in 2018 to $2.65 million in 2019.
9
Executive Summary Part 1
10
About the Report Part 2
507
In this section of the report, we describe what factors
we study that affect the cost of a data breach and
provide answers to the most frequently asked
questions about the study.
3,211
For the 2019 Cost of a Data Breach Report, we
recruited 507 organizations that have experienced
a breach in the last year and interviewed more than
3,211 individuals who are knowledgeable about the
data breach incident in these organizations. The first
data points we collected from these organizations were
the number of customer records lost or stolen in the
breach and what percentage of their customer base
individuals interviewed
that was lost following the data breach.
11
About the Report Part 2
12
About the Report Part 2
13
About the Report Part 2
14
Complete Findings Part 3
Complete Findings
In this section, we provide the complete detailed
findings of this research.
15
Complete Findings Part 3
Key findings:
$3.54M $8.19M
The average total cost of a data breach in the U.S. for
the companies studied has grown from $3.54 million in
2006 to $8.19 million in 2019, a 130 percent increase
over 14 years. US total cost in 2006 US total cost in 2019
38,800 25,575
The Middle East had the highest average number of
breached records, 38,800, compared to the global
average of 25,575.
Middle East average number Global average of
of breached records. breached records.
$6.45M 65%
The average total cost of a data breach in the
healthcare industry was $6.45 million, or 65 percent
higher than the average total cost of a data breach.
Average total cost of 65 percent higher than
a data breach in the the average total cost
healthcare industry. of a data breach.
$204 $3,533
Smaller organizations had higher costs relative to
their size than larger organizations. The total cost
for organizations with more than 25,000 employees
averaged $204 per employee. per employee per employee
16
Complete Findings Part 3
Figure 1:
* Middle East is a cluster sample of companies located in Saudi Arabia and the United Arab Emirates
# ASEAN is a cluster sample of companies located in Singapore, Indonesia, Philippines, Malaysia, Thailand and Vietnam
+ Scandinavia is a cluster of companies located in Denmark, Sweden, Norway and Finland
17
Complete Findings Part 3
Figure 2:
$4.10
$4.00
$4.00
$3.92
$3.90 $3.86
$3.79
$3.80
$3.70
$3.62
$3.60
$3.50
$3.50
$3.40
$3.30
$3.20
FY2014 FY2015 FY2016 FY2017 FY2018 FY2019
18
Complete Findings Part 3
Figure 3:
$160
$155
$150
$145
$140
$135
$130
19
Complete Findings Part 3
Figure 4:
$6.00
$5.00 $5.11
$4.00 $4.41
$4.35
$3.50 $3.63
$3.00 $2.74
$2.65
$2.00
$1.50
$1.00
$0.00
Less than 500 500 to 1,000 1,001 to 5,000 5,001 to 10,000 10,001 to 25,000 More than
employees employees employees employees employees 25,000
employees
20
Complete Findings Part 3
Figure 5:
Germany $4.78
Canada $4.44
France $4.33
Japan $3.75
Italy $3.52
ASEAN $2.62
Scandinavia $2.30
Australia $2.13
Turkey $1.86
India $1.83
Brazil $1.35
21
Complete Findings Part 3
Figure 6:
22
Complete Findings Part 3
Figure 7:
India 35,636
Brazil 26,523
France 26,300
Germany 25,610
Italy 24,577
Canada 23,071
Turkey 22,551
ASEAN 22,500
Scandinavia 21,663
Japan 20,445
Australia 19,800
23
Complete Findings Part 3
Figure 8:
24
Complete Findings Part 3
Figure 9:
ASEAN
Australia
Brazil
Canada
France
Germany
India
Italy
Japan
Middle East
South Africa
South Korea
Turkey
United Kingdom
United States
L
Abnormal customer turnover Size of data breach Average total cost Per record cost
Figure 9 presents the percentage change in four As shown, only four countries experienced a net
metrics over the past year for each country. 5
decrease in abnormal customer turnover. These
These metrics are: (1) abnormal customer turnover are Australia, Canada, Japan and the United States.
(greater-than-expected loss of customers since the In addition, only Canada experienced a net decrease
breach occurred), (2) average size of a data breach in the average total and per record cost of a data breach.
(number of records lost or stolen), (3) average total All countries experienced a net increase in the size of
cost of a data breach and (4) per record cost. a data breach.
4
Scandinavia is not included in this analysis because this is the first year this region is included.
5
he percentage change shown in Figure 9 is calculated from cost figures in local currencies rather than the U.S. dollar.
T
Hence, this analysis is not influenced by currency gains or losses.
25
Complete Findings Part 3
Figure 10:
Health $6.45
Financial $5.86
Energy $5.60
Industrial $5.20
Pharma $5.20
Technology $5.05
Education $4.77
Services $4.62
Entertainment $4.32
Transportation $3.77
Communication $3.45
Consumer $2.59
Media $2.24
Hospitality $1.99
Retail $1.84
Research $1.65
Public $1.29
26
Complete Findings Part 3
Figure 11:
Health $429
Financial $210
Technology $183
Pharmaceutical $178
Services $178
Energy $165
Industrial $160
Education $142
Entertainment $138
Communication $132
Consumer $131
Transportation $130
Hospitality $123
Media $123
Retail $119
Research $117
Public $78
Figure 11 compares this year’s per record costs for the It is important to note that the highest per record cost
consolidated sample by industry classification. Similar of $429 was experienced by healthcare organizations.
to Figure 10, industries such as healthcare and financial A reason for the much higher cost is the fact that all
organizations have a per record data breach cost healthcare companies in this study are located in the
substantially higher than the overall mean of $150. United States, which had the highest per record cost.
Public sector, research, retail and hospitality had a In other countries, healthcare was classified as a public
per record cost well under the overall mean value. sector organization.
27
Complete Findings Part 3
Figure 12:
Research 15.5%
22.2%
Pharmaceuticals 6.4%
8.8%
Technology 8.2%
7.9%
Industrial 3.4%
5.1%
Health 3.5%
5.0%
Transportation 2.4%
4.6%
Public 4.8%
3.9%
Communication 2.6%
3.1%
Hospitality 2.2%
2.5%
Financial 2.1%
1.9%
Retail 1.0%
1.7%
Energy -3.0%
-1.2%
Services -2.6%
-3.9%
Entertainment -5.2%
-4.9%
Consumer -3.8%
-6.6%
Media -6.3%
-8.6%
Education -10.6%
-15.6%
28
Complete Findings Part 3
Key facts:
29
Complete Findings Part 3
Figure 13:
6
Negligent insiders are individuals who cause a data breach because of their carelessness, as determined in a post data breach investigation.
Malicious attacks can be caused by hackers or criminal insiders (employees, contractors or other third parties).
7
The most common types of malicious or criminal attacks include malware infections, criminal insiders, phishing/social engineering and SQL injection.
30
Complete Findings Part 3
Figure 14:
$170 $166
$132 $133
$128
$85
$43
$0
Malicious or criminal attack System glitch Human error
31
Complete Findings Part 3
Figure 15:
$4.60 $4.45
$4.30
$4.18
$4.09
$4.01
$2.30
$1.15
$0.00
FY 2015 FY 2016 FY 2017 FY 2018 FY 2019
32
Complete Findings Part 3
Figure 16:
60%
51%
42%
40%
30%
20%
10%
0%
FY2014 FY2015 FY2016 FY2017 FY2018 FY2019
33
Complete Findings Part 3
Key findings:
$1.42M 36%
The cost of lost business averaged $1.42 million,
or
or 36 percent of the total cost of a data breach for
companies studied.
The cost of lost business 36 percent of the total
Lost business has consistently been the largest cost averaged $1.42 million cost of a data breach
factor from the 2015 to 2019 studies, but has declined
slightly as a share of the total cost.
34
Complete Findings Part 3
Figure 17:
Data breach total cost broken down into four cost categories
Measured in US$ millions
35
Complete Findings Part 3
Figure 18:
36
Complete Findings Part 3
Key findings:
$360,000
The formation of the incident response (IR) team and
extensive tests of the IR plan reduced the average
total cost by as much as $360,000 and $320,000,
IR team reduced total cost by $360,000
respectively.
$320,000
Testing the IR plan reduced total cost by $320,000
$10.55 $10.96
A DevSecOps approach that instills security testing
and design into the development process saved
$10.55 per compromised record, while system
complexity increased costs by $10.96 per record. Development process System complexity
saved $10.55 per increased costs by
compromised record $10.96 per record
37
Complete Findings Part 3
Figure 19:
38
Complete Findings Part 3
Figure 20:
-$500K -$400K -$300K -$200K -$100K 0 $100K $200K $300K $400K $500K
Cost mitigators
39
Complete Findings Part 3
Key findings:
$360,000
Formation of the IR team lowered the total cost of a
data breach by an average of $360,000 from the mean
cost of $3.92 million.
IR team lowers the total cost
of a data breach by
an average of $360,000
$1.23M
Organizations that both formed an IR team and
extensively tested the IR plan saw the greatest
savings – $1.23 million less than organizations that
neither formed an IR team or tested the IR plan. Savings from IR teams
and testing the IR plan –
$1.23 million less than
organizations that neither
formed an IR team or
tested the IR plan.
40
Complete Findings Part 3
Figure 21:
$5.00 $4.74
$4.00
$3.56 $3.60
$3.51
$3.00
$2.00
$1.00
0
Formation of Extensive testing Both formation of the IR team Neither formation of the
the IR team of the IR plan and extensive testing of IR team or extensive testing
IR plan of the IR plan
Figure 21 shows the average total cost of a data breach extensive testing of the IR plan experienced a total
under four separate conditions pertaining to the com- cost of $3.60 million. Companies that both formed
pany’s incident response (IR) activities, namely: (1) the IR team and performed extensive testing of the IR
formation of the IR team, (2) extensive testing of the IR plan averaged a total cost of $3.51 million. In contrast,
plan, (3) both the formation of the IR team and companies that neither formed an IR team or tested
extensive testing, and (4) neither IR activity. Companies the IR plan had the highest total cost of data breach
that formed an IR team experienced an average total at $4.74 million.
cost of $3.56 million. Companies that only performed
41
Complete Findings Part 3
Key findings:
3.9% 3.4%
The global average customer turnover rate was 3.9
percent, an increase from last year’s report of customer
turnover rate of 3.4 percent.
2019 abnormal 2018 abnormal customer
customer turnover rate turnover rate
42
Complete Findings Part 3
Figure 22:
$6.00
$5.70
$5.50
$5.10
$4.90
$4.60
$4.50
$4.50 $4.20
$3.90
$3.40
$1.50
$0.00
Less than 1% 1 to 2% 3 to 4% Greater than 4%
43
Complete Findings Part 3
Figure 23:
France 4.7%
Italy 4.5%
Japan 4.3%
Germany 3.5%
India 3.0%
Australia 2.8%
ASEAN 2.8%
Brazil 2.6%
Canada 2.4%
Turkey 2.4%
Scandinavia 2.2%
44
Complete Findings Part 3
Figure 24:
Health 7.0%
Financial 5.9%
Pharmaceuticals 5.5%
Services 5.0%
Technology 4.9%
Industrial 3.3%
Energy 3.3%
Communication 3.1%
Consumer 2.7%
Hospitality 2.5%
Retail 2.4%
Entertainment 2.3%
Education 2.2%
Transportation 2.1%
Research 1.9%
Media 1.8%
Public 0.4%
Figure 24, reports the abnormal customer turnover rate Companies in certain industries appear to be more
of 17 industries. The small sample size in this research vulnerable to turnover when customers could easily take
prevents us from generalizing the effect of industry on their business to another competitor. Customers seem
customer turnover rates. However, health, financial, to be more willing to take their business elsewhere in
pharmaceutical and service organizations experienced highly regulated industries, such as healthcare and
much higher than the average 3.9 percent rate of financial services. In contrast, the public sector, which
abnormal customer turnover. In contrast, public sector, had the lowest customer turnover, generally has no
media and transportation organizations experienced a competitors, leaving customers without other options.
relatively low abnormal customer turnover.8
Public sector organizations utilize a different customer turnover framework given that customers of government organizations typically do not have
8
an alternative choice.
45
Complete Findings Part 3
Key findings:
46
Complete Findings Part 3
Figure 25:
29.6%
30.0%
27.7% 27.9%
25.6%
24.8%
22.6%
22.5%
15.0%
7.5%
0.0%
FY2014 FY2015 FY2016 FY2017 FY2018 FY2019
47
Complete Findings Part 3
Figure 26:
29.6%
30.0%
22.5%
21.5%
Probability
15.0% 14.9%
9.3%
7.5%
6.7%
4.4%
3.9%
2.5%
1.9%
Number of breached records 1.2%
0.0%
10,000 20,000 30,000 40,000 50,000 60,000 70,000 80,000 90,000 100,000
9
Estimated probabilities were captured from sample respondents using a point estimation technique. Key individuals such as the CISO or CPO who
participated in cost assessment interviews provided their estimate of data breach likelihood for 10 levels of data breach incidents (ranging from
10,000 to 100,000 lost or stolen records). The time scale used in this estimation task was the forthcoming 24-month period after the interview.
An aggregated probability distribution was extrapolated for each one of the 507 participating companies.
48
Complete Findings Part 3
Key findings:
The lifecycle of a data breach in the 2019 study was
279 days, 4.9 percent longer than the 2018 lifecycle 279days 4.9%
of 266 days
lifecycle of a 2019 lifecycle is 4.9 percent
data breach in 2019 longer than the 2018 lifecycle
of 266 days
314days 12.5%
The lifecycle of a breach caused by a malicious
attack was 314 days, 12.5 percent longer than the
average lifecycle
lifecycle of a breach longer than the
caused by a average lifecycle
malicious attack
$4.56M $3.34M
A breach with a lifecycle longer than 200 days was
VS
37 percent more expensive than a breach with a
lifecycle shorter than 200 days ($4.56 million vs.
$3.34 million) Cost of a breach with Cost of a breach with
lifecycle longer than lifecycle shorter than
200 days 200 days
49
Complete Findings Part 3
Figure 27:
FY2019 206 73
FY2018 197 69
FY2017 191 66
FY2016 201 70
FY2015 206 69
Figure 27, shows that, since the 2018 study the MTTI
and MTTC of a data breach increased. In this year’s study,
the MTTI was 206 days and the MTTC was 73 days for a
combined 279 days, an increase of 4.9 percent from last
year’s study when the MTTI and MTTC were 197 and
69 days (combined 266 days), respectively.
50
Complete Findings Part 3
Figure 28:
$5.00
$4.56
$4.15
$3.75
$3.75 $3.61
$3.32 $3.34
$3.21
$2.79
$2.65
$2.54
$2.50
$1.25
$0.00
FY 2015 FY 2016 FY 2017 FY 2018 FY 2019
51
Complete Findings Part 3
Figure 29:
Malicious or
230 84
criminal attack
52
Complete Findings Part 3
Figure 30:
France 225 87
Japan 232 79
Turkey 216 90
Scandinavia 225 74
India 221 77
Italy 213 70
Australia 200 81
ASEAN 190 69
Canada 176 65
Germany 131 39
53
Complete Findings Part 3
Figure 31:
Health 236 93
Public 231 93
Entertainment 224 90
Retail 228 83
Consumer 226 81
Industrial 220 82
Services 210 76
Education 212 71
Media 201 80
Transportation 203 72
Hospitality 200 75
Pharmaceuticals 191 66
Energy 197 57
Communication 191 60
Technology 187 59
Research 187 57
Financial 177 56
54
Complete Findings Part 3
Key findings:
67%
About two-thirds of the cost of a data breach
occured in the first year for 86 of the
companies studied
53%
But in highly-regulated environments, just over
half of breach costs occured in the first year
for 86 of the companies studied
55
Complete Findings Part 3
Figure 32:
Year 1 67%
30%
Year 2 22%
27% >2
add years
TIME ELAPSED Callout 11%
Total 100%
23%
19%
15%
14%
11%
9%
8%
7%
8%
3%
2%
0
3-months 6-months 9-months 12-months 15-months 18-months 21-months 24-months > 2-years
56
Complete Findings Part 3
Figure 33:
24%
23%
23%
16%
17% 15% 15%
15%
11%
10%
11%
8%
8%
5%
4% 4%
3%
2% 1% 1%
0
3-months 6-months 9-months 12-months 15-months 18-months 21-months 24-months > 2-years
57
Complete Findings Part 3
Key findings:
52% 95%
52 percent of companies The average total cost of Technology and financial services organizations
studied had security data breach was 95 percent studied had the highest percentage of full
automation partially or higher in organizations deployment of automation
fully deployed without security
automation deployed
58
Complete Findings Part 3
Figure 34:
40%
38%
36% 36%
34%
30%
20%
16%
15%
13%
12%
10%
0%
Fully deployed Partially deployed Plan to deploy Not deployed
FY 2018 FY 2019
59
Complete Findings Part 3
Figure 35:
$6.00
$5.16
$4.50 $4.43
$3.86
$3.39
$3.00 $2.88
$2.65
$1.50
$0.00
Fully deployed Partially deployed Not deployed
FY 2018 FY 2019
60
Complete Findings Part 3
Figure 36:
61
Complete Findings Part 3
Figure 37:
62
Complete Findings Part 3
Key findings:
The cost of a mega breach of more than 1 million records
was estimated at $42 million in the 2019 report, an
increase of nearly 8 percent over the 2018 report
$42M 8%
Estimated at $42 million An increase of nearly 8
in the 2019 report percent over the 2018 report
63
Complete Findings Part 3
Figure 38:
$400 $388
$345 $350
$325
$309
$300
$279
$225
$200
$200
$163
$148
$100
$39 $42
$0
1 million 10 million 20 million 30 million 40 million 50 million
2018 Total Cost (US$ Millions) 2019 Total Cost (US$ Millions)
64
Steps
Analyzing
to Help
the Minimize
Attack Surface
Financial Consequences of a Data Breach Part 4
1
65
Steps to Help Minimize Financial Consequences of a Data Breach Part 4
66
Steps to Help Minimize Financial Consequences of a Data Breach Part 4
67
How We Calculate the Cost of a Data Breach Part 5
68
How We Calculate the Cost of a Data Breach Part 5
Direct cost – the direct expense outlay to accomplish Indirect cost – the amount of time, effort and other
a given activity. organizational resources allocated to data breach
resolution, but not as a direct cash outlay.
Figure 39:
69
How We Calculate the Cost of a Data Breach Part 5
70
Organization Characteristics Part 6
Organization Characteristics
This year’s annual study was conducted in
507 organizations in 16 countries or regional
samples: the United States, India, the United
Kingdom, Germany, Brazil, Japan, France, the
Middle East, Canada, Italy, South Korea, Australia,
Turkey, ASEAN, South Africa, and, for the first
time, Scandinavia.
Represented industries
There were 17 industries represented in the sample.
71
Organization Characteristics Part 6
Figure 40:
United States
4%
India 4% 13%
United Kingdom 4%
Germany 4%
Brazil 9%
Japan 5%
France
Middle East 5%
Canada 9%
Italy
5%
South Korea
Australia 7%
6%
Turkey
ASEAN
6% 7%
South Africa
6% 7%
Scandinavia
72
Organization Characteristics Part 6
Figure 41:
Financial
Services
1 1 1
2% 1
2% 15%
Industrial
3%
Technology
5%
Public
Retail
5%
Transportation
Communication 14%
5%
Energy
Consumer
5%
Pharmaceuticals
Hospitality
Media 7%
13%
Education
Health
7%
Entertainment 13%
Research
73
Research Limitations Part 7
Research Limitations
Our study utilizes a confidential and proprietary benchmark
method that has been successfully deployed in earlier
research. However, there are inherent limitations with this
benchmark research that need to be carefully considered
before drawing conclusions from findings.
Company-specific information:
The benchmark information is sensitive and confidential.
Thus, the current instrument does not capture compa-
ny-identifying information. It also allows individuals to use
categorical response variables to disclose demographic
information about the company and industry category.
Unmeasured factors:
To keep the interview script concise and focused, we
omitted other important variables from our analyses
such as leading trends and organizational characteristics.
The extent to which omitted variables might explain
benchmark results cannot be determined.
74
Next steps
Next steps
75
If you have questions or comments about this The Cost of a Data Breach Report is sponsored, analyzed and reported by IBM Security.
research report or you would like to obtain Previous years’ Cost of a Data Breach Reports are available at ibm.com/security/data-breach
additional copies of the document (including
permission to quote or reuse this report), Ponemon Institute LLC
Advancing Responsible Information Management
please contact by letter, phone call or email:
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
Ponemon Institute LLC
high quality, empirical studies on critical issues affecting the management and security of sensitive
Attn: Research Department information about people and organizations.
2308 US 31 North
Traverse City, Michigan 49686 USA We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any
personally identifiable information from individuals (or company identifiable information in our business
1.800.887.3118
research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous,
research@ponemon.org irrelevant or improper questions.
IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and
services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to
help organizations stop threats, prove compliance, and grow securely.
IBM operates one of the broadest and deepest security research, development and delivery organizations.
It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000
security patents. To learn more, visit ibm.com/security.