IBM: Average Cost of Data Breach Exceeds $4.2 Million

A global study commissioned by IBM Security shows that the average cost of a data breach exceeded $4.2 million during the coronavirus pandemic, which the company pointed out is the highest in the 17-year history of its “Cost of a Data Breach” report.

The report is based on information collected from 500 organizations worldwide between May 2020 and March 2021. It analyzes real data breaches and calculates costs associated with incidents based on various factors, including legal, regulatory and technical activities, as well as loss of customers, employee productivity and brand equity.

The average cost of a data breach increased by nearly 10% compared to the previous year, from $3.86 million to $4.24 million, but IBM noted that “costs were significantly lower for some organizations with a more mature security posture, and higher for organizations that lagged in areas such as security AI and automation, zero trust and cloud security.”

The study found that these are also important factors when it comes to detecting and containing a breach. The average number of days to identify and contain an incident was 287, seven days more than in the previous year.

Lost business represented the largest part of breach costs. This accounted for 38% of the total, or roughly $1.6 million. “Lost business costs included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation,” IBM explained.

Another noteworthy finding is that the cost of a data breach was more than $1 million higher in the case of incidents where remote work contributed to the breach. In addition, companies where more than half of their employees had been working remotely took 58 days longer to contain a breach compared to firms where less than half of the workforce had been working remotely.

For the 11th year in a row, healthcare organizations incurred the highest costs, $9.23 million on average per breach, up from $7.13 million. However, in the energy sector the average data breach cost dropped to $4.65 million from $6.39 million.

Nearly half of the analyzed breaches involved compromised personally identifiable information (PII). For PII records, the average cost per record was $180, and the overall average cost per record was $161, up from $146 in the previous year.

Roughly 8% of breaches analyzed for the report involved ransomware. The average cost of these incidents was $4.62 million, and it was slightly higher for attacks involving destructive wipers.

The study is based on breaches where between 2,000 and 101,000 records were compromised. However, the report has a section on mega breaches — incidents where more than 1 million records were impacted.

Fourteen companies in IBM’s study experienced a mega breach, and costs ranged between $52 million for breaches impacting up to 10 million records and $401 million for the largest breaches, which involved up to 65 million records.

[Figure: Mega breach cost]

The full Cost of a Data Breach Report is available for download in PDF format on IBM’s website.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
