Slashdot Mirror


Data Breach Costs Top $200 Per Customer Record

alphadogg writes "The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute's annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009. The Ponemon Institute based its estimates on data from 45 companies that publicly acknowledged a breach of sensitive customer data last year and were willing to discuss it. In tallying the cost of a data breach, the Ponemon Institute looks at several factors, including: the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help; and remediation expenses such as technology and training."

37 of 54 comments

  1. "The Ponemon Institute" by Finallyjoined!!! · · Score: 4, Insightful

    For a second there I thought I'd read "The Pokemon Institute"
    :-)

    --
    If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
    1. Re:"The Ponemon Institute" by Pojut · · Score: 1, Funny

      "I got to buy it, I got to buy it, Chinpoko-MON"

  2. Also by Tablizer · · Score: 5, Insightful

    A related question is: how much does it cost to prevent? Managers will ask.

    1. Re:Also by Overzeetop · · Score: 1

      Based on probability of a breach: too much. If your chance of a breach is low (say, in the 1% per year range), that's only $2 per account compromised, or a cost of $600k per year. And great security only reduces the chance - it does not eliminate it.

      There's also the lion attack argument: you only have to run faster than the slowest person being chased. Now, in this case, that might be the bottom 10%, but the goal is to be just enough better than the softest targets that you are unlikely to get hit. If you avoid the casual crackers and the working mafia, the only thing left to worry about is the one goof who is going to target _your_ system specifically. Since there is no perfect security system, you can ignore that last threat - it will hit you no matter how much you spend. You just have to be tight enough to make it unprofitable (or less profitable than other systems).

      Business Managers already know this. They also know that - provided all hell doesn't break loose - people have very short memories. A minor "oops" every once in a while isn't a big deal, financially speaking. Call it the cost of doing business.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    2. Re:Also by mlts · · Score: 1

      Security isn't about how hardened your OS is, although it is a crucial ingredient (if you have bad apples, a chef can't make a good apple pie no matter how good he is. However, a bad chef can take perfectly good fruit and make something horrid.)

      What is lacking in a lot of companies is an actual security policy. Encryption is the easy stuff. Making sure there is a department-wide policy, making sure users adhere to it, and keeping some type of mechanism in place for recovery if an employee leaves is what is tough, and what a lot of companies will refuse to pay the bucks for.

      The first line of security is the tools: You have firewalls, IDS systems, routers, and content filters to protect the network side. You have security guards, HID locks, Abloy PROTEC locks for backups, CCTV cameras, and alarms for physical security. For data-at-rest protection, you have BitLocker, LUKS, EncFS, PGP, TrueCrypt, PointSec, or other mechanisms to store data encrypted. For backups that go offsite, you have your hardware do the encryption (HP LTO-4 drives), or have the software use government-certified AES libraries (Retrospect, Backup Exec, TSM, Networker).

      However, you can be sitting on the best tools in the world, but if they are not used in a coherent form by clued employees, they won't help things. For example, a machine could be protected with PGP and require a smart card to boot it. However, if the machine doesn't have a firewall or protection from network attacks, the DAR (data at rest) protection is pointless. Similarly, if a laptop has extreme antivirus utilities but is always left in coffee shops unattended.

      Obligatory car analogy: A company can pay millions for a fleet of semis, but without competent drivers, they will just sit in the parking lot and not do a thing.

      Security isn't something you can just buy off the shelf. You can buy tools, but it takes expertise to implement everything into a solid security gestalt that is workable and protects company (and employee) assets.

    3. Re:Also by jgtg32a · · Score: 1

      Less than the encryption solution we've been lusting for. Most of the notification laws are written such that if you've encrypted you don't have to tell anyone about the breach.

    4. Re:Also by jgtg32a · · Score: 1

      Unfortunately I think he's being honest; granted, we would love to require that, but it's not going to happen.

    5. Re:Also by cyphercell · · Score: 1

      I might be talking out the wazoo, but if you added Lighttpd and got them in core you have a BSD compatible stack righty there yes sir! Possibly, an email server next?

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    6. Re:Also by Low+Ranked+Craig · · Score: 1

      A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.

      Seemed applicable

      --
      I still cannot find the droids I am looking for...
    7. Re:Also by the_brobdingnagian · · Score: 1

      ....and having a competent human watch over everything and set the security policies.

      Ha!

    8. Re:Also by david_thornley · · Score: 1

      Another related question: how much does it cost the average individual whose data has been compromised? That would allow us to tell if the $200 cost is out of line with the results.

      It's not going to be easy to determine, of course. Probably most people don't suffer significantly from a compromise, but some people lose a lot of money, have to spend a lot of personal time trying to clean things up, and suffer great stress, which isn't going to be easy to monetize. Moreover, not everybody who loses money or is denied credit because of a data breach is going to know why.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    9. Re:Also by Impy+the+Impiuos+Imp · · Score: 1

      Except that's what Ford did with the Pinto, and once those documents were shown to the jury, the penalty award was set a lot higher. Thus those calculations don't work.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    10. Re:Also by Jane+Q.+Public · · Score: 1

      They would change their tune if they also had to pay all the customer costs of a data breach, which arguably they should be compelled to do.

      The cost to a single customer from a data breach could easily be in the tens of thousands of dollars. I bet that would wake these people up.

    11. Re:Also by Low+Ranked+Craig · · Score: 1

      Lesson learned, "don't keep those documents anymore"

      --
      I still cannot find the droids I am looking for...
    12. Re:Also by MrMr · · Score: 1

      Yep, that is what we nowadays call 'document retention policy', it essentially means you get a license to burn evidence before the trial starts.

    13. Re:Also by cyphercell · · Score: 1

      Your comment has absolutely nothing whatsoever to do with what I just said. Nothing. I was just thanking the people that give a shit.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
  3. $204 ... $20,400 -- wouldn't matter. by girlintraining · · Score: 4, Interesting

    The cost of a data breach increased last year to $204 per compromised customer record...

    Insurance covers most companies. Because of this, it has gone from being a threat that must be addressed to a cost of doing business. The only thing a business is concerned about is revealing the breach to the public because it could harm its reputation. Everything else can be mopped up in the insurance and legal departments. The costs of a data breach are thus passed on in aggregate to not just the company's customers, but to every business that purchases insurance from that insurance vendor. And given the lack of diversity in the insurance market (i.e., most of the market is controlled by only a few businesses), more than likely that's a lot of businesses.

    And that's how businesses manage risk -- and pass the costs on to you. And the problem will therefore never go away, because it's been put inside an SEP Field (Somebody Else's Problem), the most powerful repulsive force in the universe.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:$204 ... $20,400 -- wouldn't matter. by BlueKitties · · Score: 1

      No, this is just such horrible thinking it makes me want to throw feces at you. This sort of ridiculous thinking is the entire reason there's a HealthCare problem in America. Insurance companies MAKE PROFIT. Therefore, RISING COSTS ON INSURANCE COMPANIES MEAN RISING COSTS FOR EVERYONE. When a hospital sends a bill to a patient's insurance for $100,000, where do you think the insurance company gets the money? When a big business sends a bill for 6mil to their insurance company, guess where the money comes from? Money does not grow on a tree.

      --
      "Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
    2. Re:$204 ... $20,400 -- wouldn't matter. by Attila+Dimedici · · Score: 3, Insightful

      The cost of a data breach increased last year to $204 per compromised customer record...

      Insurance covers most companies. Because of this, it has gone from being a threat that must be addressed to a cost of doing business.

      The thing is, the companies that provide that insurance want to make a profit. That means that they charge less to those companies that take steps to minimize their risk. That means that it costs the company to be vulnerable, even if nobody hacks their system. SO, if a company does not mitigate its risk of a data breach and its competitor does, it is at a competitive disadvantage.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    3. Re:$204 ... $20,400 -- wouldn't matter. by girlintraining · · Score: 1

      The thing is, the companies that provide that insurance want to make a profit. That means that they charge less to those companies that take steps to minimize their risk. That means that it costs the company to be vulnerable, even if nobody hacks their system. SO, if a company does not mitigate its risk of a data breach and its competitor does, it is at a competitive disadvantage.

      That's an oversimplification. Most insurance companies release guidelines that you have to comply with to get certain rates. For example, your auto insurance may be lower because you have a car alarm on it. That doesn't mean the car alarm works, or was from a reputable vendor, just that something on that car now meets the definition of "car alarm". Lots of checklists like this exist in the business world; they add the appearance of security, but do nothing to actually create security. For example, the Sarbanes-Oxley Act contains lots of rules. One company I worked for decided to encrypt every desktop hard drive to meet one of the requirements of preventing data theft. Of course, that didn't prevent the nightly dumps of the pharmacy's customer records from being put in a world-readable/writable, anonymously and remotely accessible share for a few hours at a go, because that's how the backup program worked. You just had to know when and where to connect on the network. Did I mention this company's entire corporate intranet was accessible from kiosks and each store has wifi?

      Checklists don't improve security, they just give legal a way to say "we made a good faith effort." I stand by my original assertion -- Insurance is just a cost-shifting tactic that allows bad business practices to manifest because there's no real pressure to use good business practices.

      --
      #fuckbeta #iamslashdot #dicemustdie
    4. Re:$204 ... $20,400 -- wouldn't matter. by vlm · · Score: 1

      The thing is, the companies that provide that insurance want to make a profit. That means that they charge less to those companies that take steps to minimize their risk. That means that it costs the company to be vulnerable, even if nobody hacks their system. SO, if a company does not mitigate its risk of a data breach and its competitor does, it is at a competitive disadvantage.

      One of my wife's friends, an insurance underwriter, once explained that underwriters are experts on applied statistics. They are like an experimentalist scientist who doesn't know anything about the subject but is an expert at making predictions based on correlation coefficients and regression analysis. Maybe she was oversimplifying or drunk, whatever, that's just what I heard.

      The relevance to the story is that no insurance underwriter can provide an honest, intelligent evaluation of data breach costs, much less specialize the market into those who spend more or less on security, or those who use certain OSes and apps vs. others. It's just a bunch of anecdotes, not real statistics. Any goof can take a sum and divide it by a quantity, but that doesn't imply it means anything.

      Now, marketing might try to spin it as they're experienced enough to do it, when they are actually not. Sales may use it as a negotiating tactic: they are not cutting the price by $100K because they're caving in, but because the client uses Linux or whatever face-saving claim they can make. Or the opposite: they were going to raise premiums by $100K anyway, but thankfully the fools had a breach, now we can blame the increase on the breach.

      Also most businesses self insure anyway. The little ones are too fly by night and poor to afford insurance and are judgment proof anyway, and the big ones take risks that are bigger than the insurers themselves and have large enough legal and lobbying departments to be above the law. So the only companies affected are vaguely medium sized. Think, like a small restaurant chain sized company, maybe a single plant manufacturing company.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    5. Re:$204 ... $20,400 -- wouldn't matter. by girlintraining · · Score: 1

      I think you got enough capital letters in there, but can you add more exclamation points to your post please? My doctor says if I don't get enough each day I may start to believe what people say on the internet, and then I have to get a referral to a psychiatrist. Also, begging to differ with you -- but money does grow on trees if you make your standard currency the leaf. Our great, great ancestors used that currency for a short time. But then a crazy man chasing a chesterfield sofa across prehistoric fields appeared and caused some consternation. The Leaf fell from popularity shortly afterwards. I think his name was Arthur...

      --
      #fuckbeta #iamslashdot #dicemustdie
    6. Re:$204 ... $20,400 -- wouldn't matter. by Tanktalus · · Score: 1

      I checked into the savings I'd get on my house insurance if I got a house alarm. IIRC, it was about $30/year (~10% at the time). Cost of monitoring? $20+/month. So, basically, the savings on my house insurance are about 6 weeks of monitoring. I still have to fund the other 46 weeks.

      So the question a business will ask is whether the cost of securing their data is more or less than the loss of insecure data, insurance rates included. I'm betting the cost of securing data will be far, far more than any insurance savings they see.

    7. Re:$204 ... $20,400 -- wouldn't matter. by Attila+Dimedici · · Score: 1

      Also most businesses self insure anyway. The little ones are too fly by night and poor to afford insurance and are judgment proof anyway, and the big ones take risks that are bigger than the insurers themselves and have large enough legal and lobbying departments to be above the law. So the only companies affected are vaguely medium sized. Think, like a small restaurant chain sized company, maybe a single plant manufacturing company.

      So, companies that self-insure are on the hook for the entire cost of the security breach, which reinforces my point. Insurance does not remove the market consequences to a company not protecting its data from a data breach.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    8. Re:$204 ... $20,400 -- wouldn't matter. by thickdiick · · Score: 1

      Nothing in this world is free. There is a cost for everything. The good thing is that we found the cost of privacy breaches. The next step is to compare them to the cost of increasing current security. If it is found that the marginal benefit of having fewer breaches offsets the marginal cost of increasing security, then action should be taken to follow that course of action until we reach equilibrium.
      Privacy costs money. It is not a value that should be pursued no matter the cost; rather, the costs should be weighed with the benefits, and a rational decision must be made based on the information available.
      Second: one person buying an insurance policy from a company doesn't raise the premiums for everyone else; if anything, the premiums go down as the overhead fixed costs are spread between more clients. The cost of the insurance policy is determined statistically to cover the cost of the policy.
      This is elementary.

  4. bogus numbers by Lord+Ender · · Score: 2, Informative

    The vast majority of companies hide the fact that they are breached (constantly, in many cases). It costs them very little to just rebuild the hacked server, smack the admin who set root's password to 'root', and then pretend nothing happened.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:bogus numbers by jgtg32a · · Score: 1

      And then if you get caught doing that you run afoul of the data breach notification laws, pay ~$204 per record and then get additional fines tagged on for trying to hide it.

    2. Re:bogus numbers by Tanktalus · · Score: 1

      Yeah, what kind of dumass has root's password set to 'root'? Mine is '123456'. I reserve 'root' for my regular user's password. No one will ever guess THAT.

    3. Re:bogus numbers by Lord+Ender · · Score: 1

      Well, what I see typically isn't "root/root" but rather "tomcat/tomcat" and "mysql/mysql". The sysadmins know their shit unless they're green or foreign, these days. It's the developers/app-people who have no clue about security.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
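Editor's added example, not code from any comment in this thread: the vendor-default credentials Lord Ender describes (tomcat/tomcat, mysql/mysql) are exactly what a small configuration audit catches before an attacker does. The Python below parses a constructed tomcat-users.xml sample and flags accounts whose password equals the username, is empty, or sits in a short hypothetical list of default or guessable passwords. The XML contents, the account names and the weak-password list are all constructed for illustration and are not from the page.

```python
"""Flag default or guessable accounts in a Tomcat users file.

Added example for the Slashdot thread above; not code from the thread.
SAMPLE_TOMCAT_USERS and WEAK_PASSWORDS are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two weak accounts and one reasonable one.
# The default namespace below is the one Tomcat's own file declares.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="s3cret" roles="manager-script"/>
  <user username="ops" password="Vx9!pQ2#mLw8rT" roles="manager-gui"/>
</tomcat-users>
"""

# Hypothetical starting list of vendor-default / trivially guessable
# passwords; a real audit would use a much longer, maintained list.
WEAK_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "root", "123456"}


def _local_name(tag: str) -> str:
    """Strip a '{namespace}' prefix so namespaced and plain files both work."""
    return tag.rsplit("}", 1)[-1]


def find_weak_accounts(xml_text: str) -> list[dict]:
    """Return one finding per <user> element with a weak credential.

    Each finding carries the username, its roles (so the reviewer can see
    whether it is a manager-level account) and the list of reasons it was
    flagged. Accounts with strong-looking passwords are not reported.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        reasons = []
        if not password:
            reasons.append("empty password")
        if password and password == name:
            reasons.append("password equals username")
        if password.lower() in WEAK_PASSWORDS:
            reasons.append("password in default/weak list")
        if reasons:
            findings.append(
                {"username": name, "roles": elem.get("roles", ""), "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in find_weak_accounts(SAMPLE_TOMCAT_USERS):
        print(f"{finding['username']} ({finding['roles']}): "
              + "; ".join(finding["reasons"]))
```

Run it against a real tomcat-users.xml by reading the file into `find_weak_accounts`; note that Tomcat can store digested passwords, in which case the equality and list checks only catch digests of the same strings if the list is digested the same way, so treat a clean result as necessary, not sufficient.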
  5. Who the heck is 'Top'??? by Muad'Dave · · Score: 4, Insightful

    Data Breach Costs Top $200 Per Customer Record

    My first reading of the headline left me wondering what company was named 'Top' and when was their data breach.

    --
    Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    1. Re:Who the heck is 'Top'??? by Em+Emalb · · Score: 1

      They make baseball/football/whatever cards.

      But yes, more to the point, it appears a monkey with bird flu banging on the keyboard while vomiting violently wrote the subject.

      --
      Sent from your iPad.
    2. Re:Who the heck is 'Top'??? by swanzilla · · Score: 1

      Confusing, are some verbs.

  6. 1% Rise in Data Breach Costs per Customer Record by Quantumstate · · Score: 1

    The article says the costs increased by $2 since 2008. So the headline is actually referring to something that happened back before 2008.

  7. Want more details by edrobinson · · Score: 1

    before I believe this. How does one spend that much per record? A bit more detail would be nice...

    1. Re:Want more details by vlm · · Score: 1

      before I believe this. How does one spend that much per record? A bit more detail would be nice...

      (Made up number) / (Another made up number) = $204

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  8. The obvious solution... by B+Nesson · · Score: 1

    ...is to release more records per breach. Cost-per-record will plummet.

  9. Data Breach Costs Top $200 Per Customer Record by djupedal · · Score: 1

    And the current value of one individual's personal data is now estimated to be worth...wait for it...

    USD$200.00

    Whoever came up with the blinding revelation in Ponemon Institute's annual study didn't have to work too hard to arrive at that number. One Google search and they took the rest of the day off...nice! Way to make tee time :)