Slashdot Mirror

← Back to Stories (view on slashdot.org)

Data Breach Costs Top $200 Per Customer Record

Posted by CmdrTaco on from the that-adds-up dept.

alphadogg writes "The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute's annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009. The Ponemon Institute based its estimates on data from 45 companies that publicly acknowledged a breach of sensitive customer data last year and were willing to discuss it. In tallying the cost of a data breach, the Ponemon Institute looks at several factors, including: the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help; and remediation expenses such as technology and training."

54 comments

  1. "The Ponemon Institute" by Finallyjoined!!! · · Score: 4, Insightful

    For a second there I thought I'd read "The Pokemon Institute"
    :-)

    --
    If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
    1. Re:"The Ponemon Institute" by Pojut · · Score: 1, Funny

      "I got to buy it, I got to buy it, Chinpoko-MON"

      --
      Living With a Nerd
  2. Also by Tablizer · · Score: 5, Insightful

    A related question is: how much does it cost to prevent. Managers will ask.
       

    --
    Table-ized A.I.
    1. Re:Also by Anonymous Coward · · Score: 0

      Almost nothing if you're smart.

      All you need to use is:
                      OpenBSD + PostgreSQL + Python + even just a decent admin.

      So basically you're just using an OS that puts security first and foremost, using a high-quality database that is very easy to secure, using a well-developed and well-maintained programming language to develop any custom software, and having a competent human watch over everything and set the security policies.

      In the end, basically the only cost comes from your admin's salary, since the first three are free and open source.

    2. Re:Also by Overzeetop · · Score: 1

      Based on probability of a breach: too much. If your chance of a breach is low (say, in the 1% per year range), that's only $2 per account compromised, or a cost of $600k per year. And great security only reduces the chance - it does not eliminate it.

      There's also the lion attack argument: you only have to run faster than the slowest person being chased. Now, in this case, that might be the bottom 10%, but the goal is to be just enough better than the softest targets that you are unlikely to get hit. If you avoid the casual crackers and the working mafia, the only thing left to worry about is the one goof who is going to target _your_ system specifically. Since there is no perfect security system, you can ignore that last threat - it will hit you no matter how much you spend. You just have to be tight enough to make it unprofitable (or less profitable than other systems).

      Business Managers already know this. They also know that - provided all hell doesn't break loose - people have very short memories. A minor "oops" every once in a while isn't a big deal, financially speaking. Call it the cost of doing business.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    3. Re:Also by Anonymous Coward · · Score: 0

      Almost nothing if you're smart.

      All you need to use is:

                      OpenBSD + PostgreSQL + Python + even just a decent admin.

      So basically you're just using an OS that puts security first and foremost, using a high-quality database that is very easy to secure, using a well-developed and well-maintained programming language to develop any custom software, and having a competent human watch over everything and set the security policies.

      In the end, basically the only cost comes from your admin's salary, since the first three are free and open source.

      It's hard to decide whether you are trolling or are just naive and honestly believe that what you posted fits for every business model.

    4. Re:Also by mlts · · Score: 1

      Security isn't about how hardened your OS is, although it is a crucial ingredient (if you have bad apples, a chef can't make a good apple pie no matter how good. However, a bad chef can take perfectly good fruit and make something horrid.)

      What is lacking in a lot of companies is an actual security policy. Encryption is the easy stuff. Making sure there is a department-wide policy, making sure users adhere to it, and keeping some type of mechanism in place for recovery if an employee leaves is what is tough, and what a lot of companies will refuse to pay the bucks for.

      First line of security are the tools: You have firewalls, IDS systems, routers, and content filters to protect the network side. You have security guards, HID locks, Abloy PROTEC locks for backups, CCTV cameras, and alarms for the physical security. For data at rest protection, you have BitLocker, LUKS, EncFS, PGP, TrueCrypt, PointSec, or other mechanism to store data encrypted. For backups that go offsite, you have your hardware do the encryption (HP LTO-4 drives), or have the software have the government certified AES libraries (Retrospect, Backup Exec, TSM, Networker).

      However, you can be sitting on the best tools in the world, but if they are not used in a coherant form by clued employees, they won't help things. For example, a machine could be protected with PGP and require a smart card to boot it. However, if the machine doesn't have a firewall or protection from network attacks, the DAR (data at rest) protection is pointless. Similar if a laptop has extreme antivirus utilities, but is always left in coffee shops unattended.

      Obligatory car analogy: A company can pay millions for a fleet of semis, but without competant drivers, they will just sit in the parking lot and not do a thing.

      Security isn't something you can just buy off the shelf. You can buy tools, but it takes expertise to implement everything into a solid security gestalt that is workable and protects company (and employee) assets.

    5. Re:Also by jgtg32a · · Score: 1

      Less than the encryption solution we've been lusting for. Most of the notification laws are written such that if you've encrypted you don't have to tell anyone about the breach.

    6. Re:Also by jgtg32a · · Score: 1

      Unfortunately I think he's being honest, granted we would love to require that but its not going to happen.

    7. Re:Also by cyphercell · · Score: 1

      I might be talking out the wazoo, but if you added Lighttpd and got them in core you have a BSD compatible stack righty there yes sir! Possibly, an email server next?

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    8. Re:Also by cyphercell · · Score: 0

      This is really the great thing about distributions like OpenBSD, Engarde Linux, Openwall, and other FOSS secure systems. They just don't buy into that shit. Oh and thank the US government for also giving a rats ass and providing us with SELinux too.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    9. Re:Also by Low+Ranked+Craig · · Score: 1

      A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.

      Seemed applicable

      --
      I still cannot find the droids I am looking for...
    10. Re:Also by the_brobdingnagian · · Score: 1

      ....and having a competent human watch over everything and set the security policies.

      Ha!

    11. Re:Also by Anonymous Coward · · Score: 0

      Encryption is vastly overrated. Most data breaches involve hacked servers or last laptops. If you can log into a machine, an encrypted hard drive is unlikely to hide any data.

    12. Re:Also by Anonymous Coward · · Score: 0

      No amount of security is going to prevent stupid user X from finding a way to pester the management team until the security is relaxed so stupid user X can play youtube videos. It's even worse when stupid user is part of the management team.

    13. Re:Also by david_thornley · · Score: 1

      Another related question: how much does it cost the average individual whose data has been compromised? That would allow us to tell if the $200 cost is out of line with the results.

      It's not going to be easy to determine, of course. Probably most people don't suffer significantly from a compromise, but some people lose a lot of money, have to spend a lot of personal time trying to clean things up, and suffer great stress, which isn't going to be easy to monetize. Moreover, not everybody who loses money or is denied credit because of a data breach is going to know why.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    14. Re:Also by Impy+the+Impiuos+Imp · · Score: 1

      Except that's what Ford did with the Pinto, and once those documents were shown to the jury, the penalty award was set a lot higher. Thus those calculations don't work.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    15. Re:Also by Jane+Q.+Public · · Score: 1

      They would change their tune if they also had to pay all the customer costs of a data breach, which arguably they should be compelled to do.

      The cost to a single customer from a data breach could easily be in the tens of thousands of dollars. I bet that would wake these people up.

    16. Re:Also by Low+Ranked+Craig · · Score: 1

      Lesson learned, "don't keep those documents anymore"

      --
      I still cannot find the droids I am looking for...
    17. Re:Also by MrMr · · Score: 1

      Yep, that is what we nowadays call 'document retention policy', it essentially means you get a license to burn evidence before the trial starts.

    18. Re:Also by cyphercell · · Score: 1

      Your comment has absolutely nothing whatsoever with what I just said. Nothing, I was just thanking the people that give a shit.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
  3. $204 ... $20,400 -- wouldn't matter. by girlintraining · · Score: 4, Interesting

    The cost of a data breach increased last year to $204 per compromised customer record...

    Insurance covers most companies. Because of this, it has gone from being a threat that must be addressed to a cost of doing business. The only thing a business is concerned about is revealing the breach to the public because it could harm its reputation. Everything else can be mopped up in the insurance and legal departments. The costs of a data breach are thus passed on in aggregate to not just the company's customers, but to every business that purchases insurance from that insurance vendor. And given the lack of diversity in the insurance market (ie, most of the market is controlled by only a few businesses) -- more than likely, that's a lot of businesses.

    And that's how businesses manage risk -- and pass the costs on to you. And the problem will therefore never go away, because it's been put inside an SEP Field (Somebody Else's Problem), the most powerful repulsive force in the universe.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:$204 ... $20,400 -- wouldn't matter. by BlueKitties · · Score: 1

      No, this is just such horrible thinking it makes me want to throw feces at you. This sort of ridiculous thinking is the entire reason there's a HealthCare problem in America. Insurance companies MAKE PROFIT. Therefor, RISING COSTS ON INSURANCE COMPANIES MEAN RISING COSTS FOR EVERYONE. When a hospital sends a bill to a patient's insurance for $100,000, where do you think the insurance company gets the money? When a big business sends a bill for 6mil to their insurance company, guess where the money comes from? Money does not grow on a tree.

      --
      "Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
    2. Re:$204 ... $20,400 -- wouldn't matter. by Attila+Dimedici · · Score: 3, Insightful

      The cost of a data breach increased last year to $204 per compromised customer record...

      Insurance covers most companies. Because of this, it has gone from being a threat that must be addressed to a cost of doing business. .

      The thing is, the companies that provide that insurance want to make a profit. That means that they charge less to those companies that takes steps to minimize their risk. That means that it costs the company to be vulnerable, even if nobody hacks their system. SO, if a company does not mitigate its risk of a data breach and its competitor does, it is at a competitive disadvantage.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    3. Re:$204 ... $20,400 -- wouldn't matter. by Anonymous Coward · · Score: 0

      That's a load of crap.

      The equal sign between 'insurance' and 'data breach insurance' is false. Can you find a source saying that most companies have data breach insurance? I only found 2-3 references that minor companies had launched this type of insurance in 08-09.

      Saying that "there is no cost" is false. The average cost to companies is equal to the insurance premium. If this is as widespread and costly a problem as is claimed, the insurance premium would naturally be high, and the ongoing cost high. If the problem is quite rare, the insurance premium is lower. The worse the situation becomes, the greater the incentive becomes to not have insurance and protect yourself. Over time the sum cost of premiums should equal the sum cost of losses, so companies don't save money from insurance. A constant spiral where costs go up and up faster than premiums is unsustainable.

      The cost of data breaches is not passed on to "not just the company's customers, but to every business that purchases insurance from that insurance vendor". Firstly, insurance vendors are able to increase the price of one insurance independently of another insurance, if claims under the first one increases but the latter stays the same (except in year 1 of offering when the surprise comes). If your quote is true, a company that offers data breach insurance should have premiums on average higher across the board than another that doesn't offer data breach insurance, which is incorrect. If data breach insurance was not profitable the insurance companies would cease offering it, as is pointed out regularly in the case of chronically ill health care patients not being able to buy life insurance.

    4. Re:$204 ... $20,400 -- wouldn't matter. by Anonymous Coward · · Score: 0

      Even if insurance didn't, the visible cost of a breach (and I'm meaning the tip of the iceberg) usually consists of PHBs calling consultants in to clean up the mess and perhaps charging that off of the quarterly numbers as a cost of doing business.

      If one looks at the things that are stealable by blackhats:

      Employee personal info: The employer really doesn't care. If employees have their credit record smacked by ID thieves in 3-6 months, the employer will not be sued for it.

      Trade secrets: At first, it won't cause any problems. Take the example of learning a secret formula that gives 50% yield of a chemical instead of 25%. The competition copying that would be evident in next quarter, and the way most US companies are run, that is an eternity away.

      Unreleased models of products: If the competition is ahead because they found out what exactly an unreleased product will have, blame the R&D and product design staff, perhaps threaten them with being fired and a Chinese ODM hired for future product design work.

      Sales pitches for clients: Similar. If the competition gets the Powerpoints and the clients don't buy, blame the salespeople for not being good enough to sell the product.

      Source code and build trees: PHBs don't know, nor care about this stuff. Plus, if someone swipes a program's source and makes an exact clone of it offshore, it is almost impossible to get caught, and even more impossible to recoup any losses. What a PHB will do is blame the programmers for not having a product better than the clone that just popped up and threaten them with firing and moving the work to India "where people will make 10,000 lines of bug free code per person a day for 50 cents an hour."

      Want to know how to get companies to actually give a shit about security? Pass laws that give prison time. However, since the US Supreme Court has effectively made all elected positions into places for auction by the highest bidder (foreign companies, anyone who can bring $$$ to the table) this won't be happening.

      So, expect computer security to be all about covering over breaches, and not about preventing them in the first place. If physical security were like computer security, most businesses would have a taped on poster with a picture of a safe covering an open window on their storefronts. It used to be a challenge for blackhats to get places. Now because of the attitude of the MBA brigade that security brings in no ROI, someone with script kiddie knowledge can probably compromise a sizable chunk of most Fortune 500 companies, assuming the compromised boxes are not someone else's turf (I've seen blackhats actually security harden their compromised machines so another group would not be able to take them.)

    5. Re:$204 ... $20,400 -- wouldn't matter. by girlintraining · · Score: 1

      The thing is, the companies that provide that insurance want to make a profit. That means that they charge less to those companies that takes steps to minimize their risk. That means that it costs the company to be vulnerable, even if nobody hacks their system. SO, if a company does not mitigate its risk of a data breach and its competitor does, it is at a competitive disadvantage.

      That's an oversimplification. Most insurance companies release guidelines that you have to comply with to get certain rates. For example, your auto insurance may be lower because you have a car alarm on it. That doesn't mean the car alarm works, or was from a reputable vendor, just that something on that car now meets the definition of "car alarm". Lots of checklists like this exist in the business world -- they add the appearance of security, but do nothing to actually create security. For example, the Sarbanes-Oxley Act contains lots of rules. One company I worked for decided to encrypt every desktop harddrive to meet one of the requirements of preventing data theft. Of course, that didn't prevent the nightly dumps of the pharmacy's customer records from being put in a world-readable/writable, anonymously, and remotely accessible share for a few hours at a go -- because that's how the backup program worked. You just had to know when and where to connect on the network. Did I mention this company's entire corporate intranet was accessible from kiosks and each store has wifi?

      Checklists don't improve security, they just give legal a way to say "we made a good faith effort." I stand by my original assertion -- Insurance is just a cost-shifting tactic that allows bad business practices to manifest because there's no real pressure to use good business practices.

      --
      #fuckbeta #iamslashdot #dicemustdie
    6. Re:$204 ... $20,400 -- wouldn't matter. by vlm · · Score: 1

      The thing is, the companies that provide that insurance want to make a profit. That means that they charge less to those companies that takes steps to minimize their risk. That means that it costs the company to be vulnerable, even if nobody hacks their system. SO, if a company does not mitigate its risk of a data breach and its competitor does, it is at a competitive disadvantage.

      One of my wife's friends, an insurance underwriter, once explained that underwriters are experts on applied statistics. They are like an experimentalist scientist whom doesn't know anything about the subject but is an expert at making predictions based on correlation coefficients and regression analysis. Maybe she was oversimplifying or drunk, whatever, thats just what I heard.

      The relevance to the story is, that no insurance underwriter can provide an honest intelligent evaluation of data breach costs, much less specialize the market into those whom spend more or less on security, or those whom use certain OS and apps vs others. Its just a bunch of anecdotes, not real statistics. Any goof can take a sum, and divide it by a quantity, but that doesn't imply it means anything.

      Now, marketing might try to spin it as they're experienced enough to do it, when they are actually not. Sales may use it as a negotiating tactic, they are not cutting the price by $100K because they're caving in, but because the client uses linux or whatever face saving claim they can make. Or the opposite, they were going to raise premiums by $100K anyway, but thankfully the fools had a breech, now we can blame the increase on the breech.

      Also most businesses self insure anyway. The little ones are too fly by night and poor to afford insurance and are judgment proof anyway, and the big ones take risks that are bigger than the insurers themselves and have large enough legal and lobbying departments to be above the law. So the only companies affected are vaguely medium sized. Think, like a small restaurant chain sized company, maybe a single plant manufacturing company.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    7. Re:$204 ... $20,400 -- wouldn't matter. by girlintraining · · Score: 1

      I think you got enough capital letters in there, but can you add more exclamation points to your post please? My doctor says if I don't get enough each day I may start to believe what people say on the internet, and then I have to get a referral to a psychiatrist. Also, begging to differ with you -- but money does grow on trees if you make your standard currency the leaf. Our great, great ancestors used that currency for a short time. But then a crazy man chasing a chesterfield sofa across prehistoric fields appeared and caused some consternation. The Leaf fell from popularity shortly afterwards. I think his name was Arthur...

      --
      #fuckbeta #iamslashdot #dicemustdie
    8. Re:$204 ... $20,400 -- wouldn't matter. by Tanktalus · · Score: 1

      I checked into the savings I'd get on my house insurance if I got a house alarm. IIRC, it was about $30/year (~10% at the time). Cost of monitoring? $20+/month. So, basically, the savings on my house insurance are about 6 weeks of monitoring. I still have to fund the other 46 weeks.

      So the question a business will ask is whether the cost of securing their data is more or less than the loss of insecure data, insurance rates included. I'm betting the cost of securing data will be far, far more than any insurance savings they see.

    9. Re:$204 ... $20,400 -- wouldn't matter. by Attila+Dimedici · · Score: 1

      >

      Also most businesses self insure anyway. The little ones are too fly by night and poor to afford insurance and are judgment proof anyway, and the big ones take risks that are bigger than the insurers themselves and have large enough legal and lobbying departments to be above the law. So the only companies affected are vaguely medium sized. Think, like a small restaurant chain sized company, maybe a single plant manufacturing company.

      So, companies that self-insure are on the hook for the entire cost of the security breach, which re-enforces my point. Insurance does not remove the market consequences to a company not protecting its data from a data breach.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    10. Re:$204 ... $20,400 -- wouldn't matter. by thickdiick · · Score: 1

      Nothing in this world is free. There is a cost for everything. The good thing is that we found the cost of privacy breaches. The next step is to compare them to the cost of increasing current security. If it is found that the marginal benefit of having less breaches offsets the marginal cost of increasing security, then action should be taken to follow that course of action until we reach equilibrium.
      Privacy costs money. It is not a value that should be pursued no matter the cost; rather, the costs should be weighed with the benefits, and a rational decision must be made based on the information available.
      Second: one person buying an insurance policy from a company doesn't raise the premiums for everyone else; if anything, the premiums go down as the overhead fixed costs are spread between more clients. The cost of the insurance policy is determined statistically to cover the cost of the policy.
      This is elementary.

  4. bogus numbers by Lord+Ender · · Score: 2, Informative

    The vast majority of companies hide the fact that they are breached (constantly, in many cases). It costs them very little to just rebuild the hacked server, smack the admin who set root's password to 'root', and then pretend nothing happened.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:bogus numbers by jgtg32a · · Score: 1

      And then if you get caught doing that you run afoul of the data breach notification laws, pay ~$204 per record and then get additional fines tagged on for trying to hide it.

    2. Re:bogus numbers by Anonymous Coward · · Score: 0

      What data breach laws? There are none that actually matter. Sarbanes-Oxley, HIPAA, and those can be easily gotten around by saying that "we used due diligence. We slapped Windows on every machine, and the OS is FIPS certified."

      California's data breach law doesn't apply if the data is encrypted. So people are escaping having to notify the press by saying plaintext data was ROT-13 encrypted. 158 times per database entry.

      If you have any legal expertise, every single American law about data security has holes in it you can drive a truck through. The only place where you will actually run into trouble is if a company is a contractor for US classified data and upwards. There, people actually take leaks seriously. Nowhere else in this country though.

    3. Re:bogus numbers by Tanktalus · · Score: 1

      Yeah, what kind of dumass has root's password set to 'root'? Mine is '123456'. I reserve 'root' for my regular user's password. No one will ever guess THAT.

    4. Re:bogus numbers by Lord+Ender · · Score: 1

      Well, what I see typically isn't "root/root" but rather "tomcat/tomcat" and "mysql/mysql". The sysadmins know their shit unless they're green or foreign, these days. It's the developers/app-people who have no clue about security.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  5. Who the heck is 'Top'??? by Muad'Dave · · Score: 4, Insightful

    Data Breach Costs Top $200 Per Customer Record

    My first reading of the headline left me wondering what company was named 'Top' and when was their data breach.

    --
    Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    1. Re:Who the heck is 'Top'??? by Em+Emalb · · Score: 1

      They make baseball/football/whatever cards.

      But yes, more to the point, it appears a monkey with bird flu banging on the keyboard while vomiting violently wrote the subject.

      --
      Sent from your iPad.
    2. Re:Who the heck is 'Top'??? by swanzilla · · Score: 1

      Confusing, are some verbs.

      --
      0 = 1 + e^(Alt something)
    3. Re:Who the heck is 'Top'??? by Anonymous Coward · · Score: 0

      It doesn't refer to one company, but to many. Top is being used to mean "over" and should be "tops." The title might be more clearly read as "data breaches now cost over $200 per customer."

  6. 1% Rise in Data Breach Costs per Customer Record by Quantumstate · · Score: 1

    The article says the costs increased by $2 since 2008. So the headline is actually referring to something that happened back before 2008.

  7. Gotta breach 'em all! by Anonymous Coward · · Score: 0

    Gotta breach 'em all!

  8. Want more details by edrobinson · · Score: 1

    before I believe this. How does one spend that much per record? A bit more detail would be nice...

    1. Re:Want more details by vlm · · Score: 1

      before I believe this. How does one spend that much per record? A bit more detail would be nice...

      (Made up number) / (Another made up number) = $204

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  9. The obvious solution... by B+Nesson · · Score: 1

    ...is to release more records per breach. Cost-per-record will plummet.

  10. Data Breach Costs Top $200 Per Customer Record by djupedal · · Score: 1

    And the current value of one individual's personal data is now estimated to be worth...wait for it...

    USD$200.00

    Whomever came up with the blinding revelation in Ponemon Institute's annual study didn't have to work too hard to arrive at that number. One google search and they took the rest of the day off...nice! Way to make tee time :)

  11. Why don't they just pay that $204 directly to cust by Anonymous Coward · · Score: 0

    People will be standing in line to get their data breached.

  12. Pain in the rear. by Anonymous Coward · · Score: 0

    "Data Breach Costs Top $200 Per Customer Record"

    I can just image Vaseline cost are a big part of it.

  13. what about costs to customers? by Anonymous Coward · · Score: 0

    I have a feeling that the averaged cost might be used to justify lax standards unfortunately, but for the few that are badly affected with ruined credit the costs will be much higher, certainly higher than "the cost of doing business."