
"Cost of a Data Breach Report" - our analysis

August 26, 2019 by Susan Morrow


Each year, the Ponemon Institute performs an important study sponsored by IBM Security. The report generated from the study is known as the Cost of a Data Breach Report, and the 2019 publication of the report is the 14th edition.

The results of the report are important for security professionals everywhere. They offer a detailed analysis of how much cybercrime and data loss cost an organization. The report output covers a multitude of industries and gives a glimpse into the type of attack areas and vectors which generate these costs. This is invaluable when calculating the financial burden of data loss in an organization. This evidence can then be used to justify cybersecurity spending and focus your efforts in the right areas.

Here, we’ll take a look at some of the highlights of the report.

The Cost of a Data Breach Report findings 2019

The report is based on interviews with 507 organizations around the world. The results reflect the situation in terms of the costs of a data breach between July 2018 and April 2019. 

Key findings include:

Average costs of a data breach

The likelihood of an organization experiencing a data breach in the next two years is around 30%. This chance has increased steadily, year-on-year, since 2014. How much these breaches cost in 2019 is staggering. The average cost on a global basis is:

  • The 2019 average cost of a data breach is $3.92 million per incident
  • This is a small increase of 1.3% on the 2018 figure. In the Infosec analysis of the 2018 report, we found an increase of 6.6% on the 2017 figures
  • The cost of a “mega-breach”
    • 1 million+ lost data records — $42 million
    • 50+ million records lost — $350 million

This cost figure is made up of four categories (percentage contribution to costs in brackets):

  1. Detection and escalation (31.1%)
  2. Post-breach response (27.3%)
  3. Notification (5.4%)
  4. Lost business (36.2%)

The “lost business” category contributed the greatest amount at $1.42 million of the $3.92 million total, which is 36.2% of the cost of a data breach. 

Other findings in the cost analysis:

  • Greater costs were incurred from data breaches in industries with more stringent data protection regulations, like healthcare and financial
  • Malicious attacks cost over one-third more than system glitches or human error-based incidents
  • The time taken to identify and contain a data breach has increased by 4.9% over the 2018 figures. It now takes a cumulative 279 days to fully contain a breach
    • Malicious attacks are the most time-consuming to contain
    • Two-thirds of the cost of a breach occurs in the first year

 The analysis of the components that make up the average loss offers insight into a mitigation strategy to reduce costs. 

Organizations that focus on using trust as a key factor in their company strategy can expect to reduce the cost of a data breach. This trust factor can be established by employing various systems to improve overall customer satisfaction and faith in the brand. This includes employing privacy specialists and offering victims an identity protection package after a breach.

Data breach cost overview

Geography and costs

The title of highest cost of a data breach goes to the U.S., with a 130% increase in average costs from 2006 to 2019. The U.S. average cost is now $8.19 million, whereas in 2006 it was $3.54 million. The top five countries in terms of data breach costs are:

  1. USA ($8.19 million)
  2. Middle East ($5.97 million)
  3. Germany ($4.78 million)
  4. Canada ($4.44 million)
  5. France ($4.33 million)

Brazil, at $1.35 million average cost of a data breach, came in as the lowest-cost country in the list of 16 countries.

The USA also had the highest cost per record breach, at $242 per record.

Geography with largest average number of breached records

The Middle East comes off worst in terms of the highest average number of records lost, at 38,800 per breach. The global average is 25,575.

The worst industry for data breach costs

Healthcare came off the worst in terms of the average cost per data breach, at 65% higher than the industry standard.

Relative costs per size of organization

The smaller the organization, the higher the relative costs per breach. Organizations with 500-1000 employees experienced costs of $3,533 per employee, while organizations with 25,000+ employees saw costs of, on average, $204 per employee.

Data breach costs by sector/record

Health comes out top of the stack for costs at $6.45 million on average per breach. The top ten sectors in the report for breach costs are:

  1. Healthcare ($6.45 million)
  2. Financial ($5.86 million)
  3. Energy ($5.60 million)
  4. Industrial ($5.20 million)
  5. Pharma ($5.20 million)
  6. Technology ($5.05 million)
  7. Education ($4.77 million)
  8. Services ($4.62 million)
  9. Entertainment ($4.32 million)
  10. Transportation ($3.77 million)

The report noted that those industries that had more stringent data protection requirements had much higher costs than non-regulated industries.

The highest data breach costs were also reflected in the most regulated industries. Costs per record lost are:

  • Healthcare — $429 (U.S. figures only)
  • Finance — $210
  • Technology — $183

As a comparison to the 2018 report findings:

  • Healthcare — $408
  • Finance — $206
  • Technology — $170

 The mean cost per lost record across all sectors is $150.

The causes of data breaches

The Cost of a Data Breach Report also looks at the costs incurred by different types of data breaches. The report looked at three key types of breach and how they impact an organization:

  1. Malicious (51%)
    • Cost per record lost: $166
    • Total cost for type of breach: $4.45 million
  2. System glitch (25%)
    • Cost per record lost: $132
    • Total cost for type of breach: $3.24 million
  3. Human error (24%)
    • Cost per record lost: $133
    • Total cost for type of breach: $3.5 million

Looking back to 2015, there is a general pattern of malicious attacks costing significantly more than glitches or human error.


What can we learn from IBM’s Cost of a Data Breach Report?

The results are a mix of factors, including mitigation exercises versus threat types versus regulatory and customer needs.

The report pointed out that new factors have entered this year’s report, such as the use of DevSecOps, which reduced the cost of a compromised record by $10.55 on average. However, this was offset by system complexity increasing costs by $10.96 per record.

The creation and use of an Incident Response (IR) team reduces the overall cost of a data breach by $360,000. If that IR plan is fully tested, the total savings per breach amounted to a significant $1.2 million.

The fact that loss of business accounts for over one-third of the costs of a breach is one of the most significant outcomes from the report. It is vital to ensure that your organization has effective post-breach customer retention processes in place to stem the flow.

A final report recommendation is that security automation can significantly decrease the cost of a security breach. Organizations that do not deploy security automation found that breaches cost 95% more than at companies that use security automation tools.

Check out how much a data breach could cost your organization using the IBM data breach calculator.



  1. 2019 Cost of a Data Breach Report, IBM
  2. IBM Data Breach Calculator, IBM
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.