Maybe being number one in something isn’t always all it’s cracked up to be. For instance, the United States leads the world in the per capita cost—$233—of a data breach, finds the “2018 Cost of a Data Breach Study: Global Overview,” released Wednesday.
That figure bests Canada, at $202 per capita, and Germany, $188.
Sponsored by IBM Security, a unit of IBM Corp., and completed by the Ponemon Institute LLC, the study also found that U.S. organizations have the highest total average cost for dealing with data breaches at $7.91 million, much higher than costs in the Middle East, at $5.31 million. Brazil has the lowest total average cost, at $1.24 million.
Of the 17 industry sectors examined, financial-services organizations had a per capita cost of $206 for a data breach. Only health care, at $408, was higher.
Perhaps not surprisingly, as the number of records in a breach increases, so do the costs. Breaches involving fewer than 10,000 records cost on average $2.1 million, and costs escalate from there to $5.7 million for those with more than 50,000 records.
As for the root cause of these breaches, in the United States, 52% originate in a malicious or criminal attack. Twenty-three percent are caused by a system glitch and 25% by human error.
It’s the malicious ones that cost the most to remedy, the study finds. The per capita cost in the United States is $207 for breaches stemming from malice, compared with $166 for those related to system glitches, and $169 for human-error causes.
For the first time, Ponemon looked at the cost of “mega” breaches, those involving more than 1 million records. The Equifax Inc. breach of approximately 145 million Social Security numbers is a mega-breach example.
A breach of 1 million records has an average total cost of $39.5 million. Lost business accounts for $15 million of that. The total cost of a breach of 10 million records increases dramatically to $147.7 million. A breach of 50 million records has a total cost of $350.4 million. Exceptions to these findings include the $544 million Target Corp. paid to recover from a 2013 breach of 40 million credit and debit cards and 70 million non-card customer records.