Feeds

UK data breach costs swell

PGP-sponsored estimates far exceed TJX reality

Internet Security Threat Report 2014

Updated The cost of data breaches for UK firms has risen from an average of £47 per record in 2007 to £60 ($86) in 2008, according to a new survey. But figures from a Ponemon Institute study, sponsored by PGP, are orders of magnitude higher than losses booked following the infamous TJX security breach, raising questions over how much weight can be placed on the figures.

Ponemon talked to 30 UK businesses across ten different industry sectors in developing its estimate. Security snafus leaked between 4,100 to more than 92,000 records in the cases considered.

Based on interviews with the firms involved, Ponemon reckons the total cost of a data breach in these cases ran from £160k to £4.8m in these cases, with an average cost of £60 per customer. More than half (53 per cent) of reported costs were due to lost business. Costs associated with detecting and responding to breaches, notification of customers, additional security measures and fees to security consultants and lawyers were also factored into the figure.

Financial costs due to fraud, lawsuits from aggrieved parties and other longer term factors were not considered because of their unpredictability.

The financial costs on a data breach ought to hit the balance sheet at some point. TJX's infamous security breach exposed a minimum of 45.7m records. The discount retailer set aside $118m to cover costs and potential liability arising from the breach in August 2007, later agreeing to make $40.9m of this fund available to square matters with banks hit by fraudulent losses connected to the attack, which was discovered in December 2006.

That works out at less than $3 a record, compared to the Ponemon's estimate of $86 per record in its UK study and $200 per record in its equivalent US study, also sponsored by PGP. The higher figures in the US are explained by higher notification costs, among other factors. Both the US and UK estimates exclude legal liability.

We asked PGP marketing manager Jamie Cowper to explain the discrepancy. He suggested that the TJX case was so huge that it was an "anomaly" and that "normal rules don't apply", while admitting we might have a point.

Larry Ponemon, chairman and founder of The Ponemon Institute, later contacted us to explain that the economic model is developed only worked for breaches in the 1,000 to 150K range. Its model takes into account the financial impact of abnormal customer churn following security breaches, among other factor, he explained.

Companies that spoke to Ponemon about the breaches were given anonymity and allowed to get an early copy of Ponemon's report, allowing them to benchmark their performance against other victims.

Whether even firms themselves have a good handle on the cost of breaches, or customer churn effects, is by no means certain. Estimating the cost of viral infection, to take another example, is a notoriously inexact science, and much the same problems may apply to gauging the cost of customer information disclosure breaches.

The media, in particular, are hungry for figures on the cost of security breaches, so it's hard to blame firms too much for trying to supply an answer. It's just that these surveys (on viral infection costs, software piracy etc) include buried assumptions that reduce their results to honest guesstimates, rather than hard facts. ®

Beginner's guide to SSL certificates

More from The Register

next story
Bono apologises for iTunes album dump
Megalomania, generosity and FEAR of irrelevance drove group to Apple deal
HBO shocks US pay TV world: We're down with OTT. Netflix says, 'Gee'
This affects every broadcaster, every cable guy
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Arab States make play for greater government control of the internet
Nerds told to get lost in last-minute power grab bid at UN meeting
Apple SILENCES Bose, YANKS headphones from stores
The, er, Beats go on after noise-cancelling spat
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
Zippy one-liners, broken promises: Doctor Who on the Orient Express
Series finally hits stride, but Clara's U-turn is baffling
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
America's super-secret X-37B plane returns to Earth after nearly TWO YEARS aloft
674 days in space for US Air Force's mystery orbital vehicle
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.