Breach costs: 'Chump change' to bottom lines of big players

Taylor Armerding | June 9, 2015
The direct costs of a data breach are barely a rounding error on the bottom line of the nation’s biggest organizations. But experts say indirect costs can still be significant. And for the vast majority of smaller players, the damage can be catastrophic.


Virtually everything reported about data breaches is about how expensive they are.

But apparently not for everybody. CBS MoneyWatch reported recently that one of the prime reasons the biggest companies don't address their security vulnerabilities is that the cost of a breach -- even what is viewed as a catastrophic breach -- amounts to "chump change" as a percentage of overall revenue.

One example cited was the 2014 Home Depot breach, when hackers were able to steal 56 million credit and debit card numbers and 53 million email addresses. It cost the company "only a net $28 million, after a $15 million insurance payment. That's less than 0.01 percent of the company's 2014 revenue," the report said. It also apparently cost only 50 cents per card compromised.

Of course $28 million is a lot of money. But convert the percentage loss to the personal income level, and it would amount to $100 for somebody making $100,000. More than a parking ticket, but yes, chump change, relatively speaking, especially if hardening your security defenses would cost two or three times that.

Even the costs of the high-profile breach of mega-retailer Target at the end of 2013 -- 40 million debit and credit card numbers and 70 million other records that included addresses and phone numbers -- didn't cut significantly into the company's bottom line.

The gross loss of $252 million during 2013 and 2014 was whittled down to $105 million after $90 million in insurance payments plus tax deductions. That amounted to about 0.1% of the company's 2014 revenue, and a net cost of less than $2 per record compromised.

Indeed, CSO reported last week that a 2014 Verizon survey of 191 insurance claims filed in 2014 concluded that the average cost per record was only 58 cents.

How can this be, in light of the Ponemon Institute's "2015 Cost of Data Breach Study: Global Analysis," which reported that the average cost per record compromised had increased from $159 to $174?

According to Larry Ponemon, chairman and founder of the institute, it is all about context and the study sample. The Ponemon survey covered only breaches that ranged from 5,000 to 100,000 records compromised, because that is the range for the vast majority of them. (Read the full story about the cost of a data breach according to two surveys.)

That leaves out the multi-billion-dollar companies that get the most headlines when they get breached. And the costs "do seem to flatten out at around $17 per record" once the number reaches into the millions, he said.

"These mega-breaches are rare," he said, "so they tend to skew the results."

