Monday, January 25, 2010
Data Breach Report: Malicious Attacks Doubled in 2009
These are the headlines from the 5th annual "Cost of a Data Breach" study by the Ponemon Institute.
The study shows that the total cost of a data breach rose to $204 from $202 per compromised record. Dr. Larry Ponemon, President and CEO of the Ponemon Institute, says the increase is a "big deal" because it shows that data breaches continue to be a costly event for all organizations. The Ponemon Institute is a privacy and information security research firm based in Traverse City, MI.
According to the latest study, of the $204 cost associated with each compromised record, $144 is linked to indirect costs, including abnormal turnover or "churn" of existing and future customers. Ponemon says this compares with 2009's average cost of $202 per victim, of which $152 was indirect cost. This year direct costs rose to $60 from $50 in 2009.
The study does not try to draw definitive conclusions, Ponemon says, but looks at broad trends. Data breaches have three root causes: third-party mistakes, malicious attacks, and negligent insiders or systems glitches. Ponemon notes that 42 percent of all cases in the study involved third-party mistakes or flubs. These breaches are the most expensive, especially if they occur offshore, he says. "This could be because more investigation is needed, along with consulting fees."
The number of malicious or criminal attack-related breaches was 24 percent, double the 12 percent of the 2009 study. "They are the most costly, and the types of attacks we found included botnet attacks and data-stealing malware," Ponemon says. "There is more to worry about because I see this as a growing category. This number of criminal attacks will continue to increase in the foreseeable future."
The per-record cost of a malicious breach ($215) is higher than that of a breach caused by a negligent insider or a systems glitch, which average $154 and $166 respectively.
This study does not include "catastrophic" data breaches such as Heartland or TJX, says Ponemon. "We're looking at a cost model that is comparable for big data breaches, but not catastrophic data breaches such as Heartland or TJX," he notes. Including them would skew the results to a much lower number. "Trying to compare a catastrophic data breach's numbers with a regular data breach would be like trying to compare the budgets of the United States to Haiti's," he adds. A data breach in this study ranges from 5,000 to fewer than 101,000 records.
Source: bankinfosecurity