It’s always exciting to announce the results of our annual Cost of a Data Breach Report, and this year, the 14th report conducted by the Ponemon Institute, the 2019 Cost of a Data Breach Report offers new and innovative ways to analyze the financial impacts, root causes and mitigating factors of data breaches on a global scale.


In this year’s report, we studied the costs associated with breaches that occurred between July 2018 and April 2019 at 507 organizations in 16 countries and regions and across 17 industry sectors. The global average cost of a data breach for the 2019 study is $3.92 million, a 1.5 percent increase from the 2018 study. As shown in the following chart, the average total cost of a data breach climbed from $3.5 million in 2014, showing a growth of 12 percent between 2014 and 2019.

Cost of a Data Breach Highlights

Some of the other key findings from the 2019 Cost of a Data Breach Report are consistent with past years of the study. Just as it was last year, the most expensive country in terms of average total cost of a data breach is the U.S. at $8.19 million, more than twice the global average. Healthcare was again the most expensive industry for data breach costs, with the total cost of a data breach in 2019 averaging $6.45 million.

Yet we also found characteristics of data breaches in the study showing how difficult it is for organizations to recover from breaches. This year, we found that the time it takes organizations to identify and contain a breach — what we call the data breach life cycle — is 279 days. The 2019 life cycle is 4.9 percent longer than the 266-day average in 2018. In addition, we found that the longer a breach's life cycle is, the greater the total cost. This is especially true in the case of malicious and criminal attacks, which take an average of 314 days to identify and contain.

As we found in our research, malicious and criminal attacks are the leading root cause of data breaches in 2019 at 51 percent. The other two categories of root causes are system glitches — breaches caused by technology failures not attributable to a human, such as a vulnerability — and human error — breaches caused by neglect or error by a person. System glitches cause 25 percent of data breaches in 2019, and human error is the root cause of 24 percent of breaches. While much attention in the security world is placed on malicious attacks, it’s worth noting that breaches caused by system glitches and human error can have consequences that are just as serious.

However, as mentioned, breaches attributed to malicious attacks do tend to take longer to identify and contain, potentially making them more costly than other breaches. Our research found that the cost of a breach with a life cycle of more than 200 days is $1.2 million higher than a breach with a life cycle of less than 200 days.

Top Cost Mitigating Factors: Incident Response Teams, Plans and Encryption

Our research has traditionally looked at factors that either increase or decrease the cost of a data breach. In this year’s report, we added some new cost factors into the mix to flesh out more findings about what areas businesses could look at to mitigate the financial impacts of a data breach.

This year, we examined the impact of testing an incident response plan, which we found to be one of the most effective factors for mitigating data breach costs, reducing the average total cost of a breach by $320,000 compared to the mean total cost of a data breach ($3.92 million). The top cost-mitigating factor out of the 26 cost factors included in our analysis is the formation of an incident response team, which reduced the average total cost of a data breach by $360,000. Extensive use of encryption was also found to reduce the total cost of a data breach by $360,000.

Several other cost-mitigating factors worth noting are business continuity management, a DevSecOps approach, artificial intelligence (AI) platforms and good, old-fashioned employee education.

On the other side of the ledger, we found that the involvement of a third-party partner tends to increase the total cost of a data breach by about $370,000. Other factors found to increase the average total cost of a data breach include compliance failures, extensive cloud migration, operational technology (OT) infrastructure and system complexity.

The Long-Tail Costs of a Data Breach

We frequently examine in our reports the year-over-year comparisons of cost trends, but our research methodology generally does not study the same organizations year after year. This year, for the first time, we examined breach costs over several years at 86 organizations. Our findings revealed that data breach costs have a long tail: Although the majority of breach costs occur in the first year after a data breach, about one-third of costs are incurred more than a year after a breach.

Even more striking is the comparison between the long-tail cost of a breach at organizations in highly regulated environments — those in the healthcare, financial and energy industries — with those in environments with lower levels of regulation. Data breach costs are much less concentrated in the first year for organizations in those highly regulated industries, with 47 percent of breach costs occurring more than a year after the data breach incident.

We believe one factor contributing to the longer tail in those highly regulated industries is legal and regulatory costs, such as class action lawsuits and regulatory fines, that come well after a data breach occurs. Healthcare and financial services, both highly regulated industries, are also more impacted by lost business than other industries, which could be a factor in data breach costs extending long after a breach incident. Healthcare organizations in this year’s study had an abnormal customer turnover of 7 percent, and financial services had abnormal customer turnover of 5.9 percent versus an average customer turnover of 3.9 percent. Lost business is the biggest contributor to data breach costs, accounting for 36 percent of the average total cost.

Complete Findings From the 2019 Cost of a Data Breach Report

There are so many more illuminating ways to look at the cost of a data breach, and the 2019 Cost of a Data Breach Report offers much more than I can cover in a single blog post. For example, the report goes into great detail about the regional and industry differences in total cost, customer turnover, data breach size and data breach life cycle. Plus, we looked in greater depth at the impacts of an effective incident response strategy. We also examined the cost impacts of security automation using technologies such as AI, machine learning, analytics and automated post-breach orchestration. These are topics worthy of further investigation, and we will continue to come back for more in the next Cost of a Data Breach Report.

In the meantime, I encourage you to sign up to access the full report and the data breach cost calculator, which you can toggle to drill down into the data by country, industry and cost factor.
