The Cost of a Data Breach in 2014: An Industry by Industry Breakdown

Thursday, December 04, 2014

Thu Pham


The average total cost of a data breach increased 15 percent in 2014 to $3.5 million, according to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis.

But how does that average vary from industry to industry, each with different types of consumer information and different data regulations? Also, how do data breaches affect related industries, such as the insurance or banking sectors that must shoulder some of the subsequent costs?

One factor uniting data breaches across all types of industries is that the most costly breaches were the result of malicious and criminal attacks, according to Ponemon.

Let’s take a look at the costs associated with each type of data breach, including retail, financial/banking, healthcare and education:

Cost of a Financial/Banking Data Breach

  • JPMorgan Chase was breached this summer. While financial/banking firms do not always release their own financial details, the company did say that its increased investments in security improvements will cost $250 million a year, with a team of people dedicated to leading them, according to the International Business Times.
  • National industry groups, including the National Retail Federation (NRF), have lobbied Congress regarding fair and expansive cross-industry data breach standards. They argue that consumers have a right to know when they’ve been breached, regardless of where the risk arises.

Cost of a Healthcare Data Breach

  • New York Presbyterian Hospital and Columbia University, reported in May 2014 - $4.8 million in government fees, without any insight into other costs such as legal or investigation fees. This is the largest HIPAA settlement to date recorded by the Dept. of Health and Human Services.
  • Cignet Health Center was fined $4.3 million in October 2010, partly due to denying patient requests for their medical records and their failure to cooperate with the investigation.
  • Consequences of a healthcare data breach also affect other industries, including $80 billion yearly to the public insurance sector caused by criminals fraudulently receiving healthcare services by stealing medical identities and pretending to be insured, according to
  • While only the government fees are on record, other costs place the healthcare industry at the top when it comes to per capita data breach costs, followed by the education and pharmaceutical sectors, according to the Ponemon Institute.

Cost of an Education Data Breach

  • A hacked server at the Maricopa County Community College (MCCCD) cost them upwards of $19.7 million, with $2.3 going to lawyer’s fees; $300k to records management; and another $17.1 million spent on consulting, repairs, more lawyers, notification and credit monitoring. Two class action lawsuits were also filed in April, seeking $2.5k for each affected individual; that’s 2.5 million total.
  • The University of Maryland estimated $6.2 million in credit monitoring costs alone for students and staff affected by a data breach early this year. Adding encryption could raise costs to $20-30 million, in addition to consulting fees.
  • Universities and educational institutions also take a hit to their reputation, and student tuition costs rise to cover unexpected breach expenses.

Cost of a Retail Data Breach

  • Target, reported in August 2014 - $148 million in associated data breach expenses, including legal, consulting and credit monitoring fees.
  • Home Depot, reported in November 2014 - $43 million so far in associated data breach expenses spent in one quarter, including identity protection services, credit monitoring, increased call center staffing, legal and other professional services, according to their quarterly SEC filing.
  • Costs to other industries as a result of these retailer data breaches include heavy hits to the banks and credit unions. Credit unions spent $60 million in September after the Home Depot breach reissuing stolen cards, according to
  • According to a report from the Consumer Bankers Association, the cost of replacing credit and debit cards after the Target breach ran up a tally of $240 million.
  • The real business consequences for a retail organization may be a hit to customer loyalty and trust, with lower profits and more reputation control costs to manage than other industries.

As we’ve witnessed over the past twelve months, attackers have hit large retailers and franchisors alike, stealing customer card data. This can be seen in the examples above — and the list goes on.

If you're interested in learning more about how to prevent a potential attack on financial data, please check out our free guide that provides a detailed overview of the retail industry's current state of security and recommendations on safeguarding customer financial information.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.