2015 Cost of Data Breach Study: Global Analysis

2014 will be remembered for such highly publicized mega breaches as Sony Pictures Entertainment and JPMorgan Chase & Co. Sony suffered a major online attack that resulted in employees’ personal data and corporate correspondence being leaked. The JPMorgan Chase & Co. data breach affected 76 million households and seven million small businesses. IBM and Ponemon Institute are pleased to release the 2015 Cost of Data Breach Study: Global Analysis.  According to our research, the average total cost of a data breach for the 350 companies participating in this research increased from 3.52 to $3.79 million2 . The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.

In a recent Ponemon Institute study, 79 percent of C-level US and UK executives surveyed say executive level involvement is necessary to achieving an effective incident response to a data breach and 70 percent believe board level oversight is critical. As evidence, CEO Jamie Dimon personally informed shareholders following the JPMorgan Chase data breach that by the end of 2014 the bank will invest $250 million and have a staff of 1,000 committed to IT security.

For the second year, our study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. Based on the experiences of companies participating in our research, we believe we can predict the probability of a data breach based on two factors: how many records were lost or stolen and the company’s industry. According to the findings, organizations in Brazil and France are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Canada are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.

In this year’s study, 350 companies representing the following 11 countries participated: United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the Arabian region (United Arab Emirates and Saudi Arabia) and, for the first time, Canada. All participating organizations experienced a data breach ranging from a low of approximately 2,200 to slightly more than 101,000 compromised records. We define a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.