The cost of a data breach has risen 12% over the past five years and now costs $3.92 million on average, a new report from IBM Security finds

If retailers think putting good security measures and technology in place to stop data breaches is expensive, perhaps they should consider the cost of a data breach.

New research released Tuesday by IBM Security and conducted by Ponemon Institute finds the cost of a data breach for retailers is $1.84 million. The average time for retailers to identify a breach is 228 days and the average time to contain one is 83 days.

IBM and Ponemon recruited 507 organizations that have experienced a breach in the last year and interviewed more than 3,211 individuals who are knowledgeable about the data breach incident in these organizations for their study. The analysis takes into account cost factors including legal, regulatory and technical activities, as well as loss of brand equity, customers and employee productivity. The study spanned 16 countries and 17 industries, including bricks-and-mortar retailers and online retailers, healthcare, financial and hospitality. Healthcare had the highest global industry average cost of a breach at a steep $6.45 million.

The study, in its 14th year, also finds small businesses are hit especially hard by breaches. For example, in the study, companies with fewer than 500 employees suffered losses of more than $2.5 million on average, IBM says. That’s compared with $5.11 million for companies with more than 25,000 employees. That means smaller companies have higher breach costs relative to their size.

Overall, the cost of a data breach has risen 12% over the past five years and now costs $3.92 million on average globally, up from $3.5 million in 2014.

“These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks,” IBM says.

The United States posted the highest average cost of a data breach of all countries analyzed at $8.19 million, up from $7.91 million in 2018 and more than double the worldwide average. In the U.S., businesses pay on average $242 per lost record. The time for a U.S. business to identify and contain a breach is 245 days.

Globally, the cost per lost record is $150. The average time globally for a business to identify and contain a breach is 279 days, with companies taking 206 days to first identify a breach after it occurs and an additional 73 days to contain the breach. That’s up from 266 days in 2018. However, companies in the study that were able to detect and contain a breach in less than 200 days spent $1.22 million less on the total cost of a breach, IBM says.

For the first time this year, the report also examined the long-term financial impact of a data breach, finding the effects of a breach last for years. While an average 67% of data breach costs were accrued within the first year after a breach, 22% were realized in the second year and another 11% accumulated more than two years after a breach. The long-term costs were higher in the second and third years for organizations in highly regulated environments, such as healthcare, financial services, energy and pharmaceuticals.

“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” says Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services. “With organizations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line and focus on how they can reduce these costs.”

The report also finds:

  • 51% of data breaches in the study resulted from malicious cyberattacks, and these types of attacks cost companies $1 million more on average than those originating from accidental causes. That’s in part because it takes longer to identify and contain a malicious breach—314 days compared with 279 days for the average breach. The percentage of malicious or criminal attacks as the root cause of data breaches in the report crept up from 42% to 51% over the past six years of the study (a 21% increase).
  • “Mega Breaches,” or breaches of more than 1 million records, cost companies a projected $42 million in losses, and breaches of 50 million records are projected to cost companies $388 million.
  • Companies with incident response teams that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place. Encryption was also a top cost-saving factor, reducing the total cost of a breach by $360,000.
  • Misconfiguration of cloud servers contributed to the exposure of 990 million records in 2018, representing 43% of all lost records for the year, according to IBM.
  • The average cost of lost business from breaches was $1.42 million or about 36% of the total breach cost average of $3.92 million.
  • Breaches originating from a third party—such as a vendor or supplier—cost companies $370,000 more than an average breach.

Additionally, inadvertent breaches from human error and system glitches were the cause of nearly half (49%) of the data breaches in the report, costing companies $3.50 million and $3.24 million, respectively. Such breaches from human and machine error represent an opportunity for improvement, IBM says: for example, security awareness training for staff, technology investments and testing services can identify accidental breaches early on.