Size and cost of data breaches continue to rise

07 August 2018

Data breaches are getting larger and costlier, according to an annual study of data breaches from IBM and the Ponemon Institute.

The average global cost of a data breach increased to USD 3.86 million over the past 12 months, a rise of around 6% on the previous year's study, while the average cost per lost or stolen record rose almost 5% to USD 148. Over the same period, the average size of a data breach also increased by 2.2%, to 24,615 records.

The study also revealed that the more records lost, the higher the cost of the breach. For a mega breach (over one million records) the average total cost was USD 40 million, while a breach of over 50 million records resulted in an average total cost of USD 350 million. Breaches in the health sector were the most costly at USD 408 per record (per capita), followed by financial services at USD 206, both figures substantially higher than the overall average of USD 148.


US data breaches continue to be the most expensive, at more than double the global total average. The average total cost of a data breach in the US was USD 7.91 million and the average per record costs were USD 233. Notification costs are also highest in the US at USD 740,000.

The next highest average total breach cost was recorded in the Middle East (USD 5.31 million), followed by Canada (USD 4.74 million), Germany (USD 4.67 million), France (USD 4.27 million) and the UK (USD 3.68 million). The consolidated average per capita cost was also highest in the US (USD 233), followed by Canada (USD 202) and Germany (USD 188).



The study also showed that the faster a data breach is identified and contained, the lower the cost. The global mean time to identify a data breach was 197 days, and the mean time to contain one, once identified, was a further 69 days. Companies that identified a breach within 100 days saved more than USD 1 million compared with those that took longer, and those that contained a breach in under 30 days likewise saved more than USD 1 million compared with those that took longer.

Having an incident response team in place and the extensive use of encryption were the two most effective factors in reducing breach costs. An incident response team lowered the cost by an average of USD 14 per record, while extensive use of encryption reduced it by USD 13 per record. Business continuity management involvement and employee training each lowered the cost of a breach by USD 9 per record.

Third-party involvement in a breach, an extensive cloud migration under way at the time of the breach, and compliance failures were the factors that most increased cost. Third-party involvement added USD 13 per record to the cost of a breach, while cloud migration and compliance failures added almost USD 12 per record apiece.


Breaches caused by malicious or criminal attacks were the most expensive to resolve, and were also the most common root cause in the study (48% of breaches were attributed to a malicious or criminal attack, compared with 27% to human error and 25% to system glitches). The average cost per record to resolve a breach caused by a malicious or criminal attack was USD 157 (USD 258 in the US), compared with USD 131 following a system glitch and USD 128 for a breach caused by human error or negligence.

The estimated likelihood of an organisation experiencing a recurring material breach within the next two years is 27.9%, more or less the same as in the 2017 study. Organisations in South Africa have the highest probability of a future data breach (43%), while those in Germany have the lowest (14.3%).


For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on