The Hidden Costs of a Data Breach

August 27, 2019 - Ensighten

Discover why the long-term damage of a data breach is much greater than fines and customer compensation

There have been several high-profile data breaches hitting the headlines recently, with much of the coverage devoted to the immediate financial consequences of a breach.

The average cost of a data breach is now put at $3.92 million – an increase of 12 percent over the past five years – according to the just-released 2019 Cost of a Data Breach Report from IBM and the Ponemon Institute. 

While the media tends to focus on the financial penalties imposed by the authorities – particularly following the introduction of GDPR last year – and the potential pay-outs to victims, the cost of a data breach is often much more widely felt and has a long-lasting impact on the business.

In fact, the biggest contributor to data breach costs in 2019 is lost business, with the average cost put at $1.42 million – 36 percent of the $3.92 million cost. The study also found that breaches caused abnormal customer turnover of 3.9 percent in 2019.

Elsewhere the report examined the long-tail financial impact of a data breach, discovering that its effects can be felt for years. While 67 percent of data breach costs were realized within the first year after a breach, 22 percent accrued in the second year and another 11 percent accumulated more than two years after a breach.

Detection, escalation, notification and post data breach response

The four main activities that follow a data breach are detection, escalation, notification and post data breach response – and they all mean additional costs to an organization.

Detection and escalation: Activities that enable a company to detect and report a breach to appropriate personnel within a specified time period.

  • Forensic and investigative activities
  • Assessment and audit services
  • Crisis team management
  • Communications to executive management and board of directors


Notification costs: Activities that enable the company to notify individuals who had data compromised in the breach (data subjects), as well as regulatory activities and communications.

  • Emails, letters, outbound telephone calls, or general notice to data subjects that their personal information was lost or stolen
  • Communication with regulators; determination of all regulatory requirements, engagement of outside experts


Post data breach response: Processes set up to help individuals or customers affected by the breach to communicate with the company, as well as costs associated with redress activities and reparation with data subjects and regulators.

  • Help desk activities / Inbound communications
  • Credit report monitoring and identity protection services
  • Issuing new accounts or credit cards
  • Legal expenditures
  • Product discounts
  • Regulatory interventions (fines)


Lost business cost: Activities associated with the cost of lost business, including customer turnover, business disruption, and system downtime.

  • Cost of business disruption and revenue losses from system downtime
  • Cost of lost customers and acquiring new customers (customer turnover)
  • Reputation losses and diminished goodwill

This last point is important, as once an organization has lost the trust of its customers, it is very difficult to win it back, with 64 percent of consumers saying they are unlikely to do business with a company where their financial or sensitive data was stolen.

Increase in third-party website breaches

Aside from these figures, there are two other important points to take away from the findings:

  • The percentage of malicious or criminal attacks as the root cause of data breaches in the report crept up from 42 to 51 percent over the past six years of the study, a 21 percent increase
  • Breaches originating from a third party – such as a partner or supplier – cost companies $370,000 more than average

The increase in third-party vulnerabilities emphasizes the need for companies to closely vet the security of the companies they do business with, align security standards, and actively monitor third-party access.

Global beauty brand Sephora was forced to email online customers to inform them that their personal information may have been exposed to unauthorized third parties, including first and last name, date of birth, gender, email address, and encrypted password, as well as data related to beauty preferences.

As this example demonstrates, your company website is one area where third parties can present an access point to your customers’ sensitive information – and yet it is often overlooked by the security team. It is therefore important to mitigate any threat from third-party vendors by creating an allowlist and a blocklist that allow you to share data only with trusted vendors.
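To make the allowlist/blocklist idea concrete, here is an added example (not code from the Ensighten post or its product) showing one way a site can decide which third-party destinations are permitted to receive customer data, and how the same list can be enforced in the browser through a Content-Security-Policy header. The vendor hostnames, the request samples and the helper names (`isTrustedVendor`, `buildCspHeader`, `filterOutbound`) are all constructed for illustration; CSP as the enforcement mechanism is my assumption, since the post itself does not name one.

```javascript
// Added example, not part of the original post. Hostnames below are
// constructed placeholders, not real vendor domains.
const ALLOWLIST = ['analytics.example-vendor.com', 'cdn.example-vendor.com'];
const BLOCKLIST = ['cdn.example-vendor.com']; // an explicit deny always wins over allow

// Returns true only when the destination parses as an HTTPS URL whose host is
// on the allowlist and not on the blocklist. Anything unparseable fails closed.
function isTrustedVendor(destination, allowlist = ALLOWLIST, blocklist = BLOCKLIST) {
  let url;
  try {
    url = new URL(destination);
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  if (blocklist.includes(host)) return false;
  return allowlist.includes(host);
}

// Builds a Content-Security-Policy value that enforces the same list in the
// browser: script loads and outbound connections are restricted to the page's
// own origin plus approved vendor hosts, so a script injected from elsewhere
// cannot be loaded, and data cannot be sent to an unapproved destination.
// Image requests fall under default-src 'self', so tracking pixels to unknown
// hosts are blocked as well.
function buildCspHeader(allowlist = ALLOWLIST, blocklist = BLOCKLIST) {
  const approved = allowlist
    .filter((h) => !blocklist.includes(h))
    .map((h) => `https://${h}`);
  const sources = ["'self'", ...approved].join(' ');
  return `default-src 'self'; script-src ${sources}; connect-src ${sources}`;
}

// Splits queued data-sharing requests into allowed and blocked sets. The
// blocked set is what a security team would want logged and reviewed.
function filterOutbound(requests) {
  const allowed = [];
  const blocked = [];
  for (const req of requests) {
    (isTrustedVendor(req.url) ? allowed : blocked).push(req);
  }
  return { allowed, blocked };
}

// Constructed sample of outbound requests a tag manager might queue.
const SAMPLE_REQUESTS = [
  { url: 'https://analytics.example-vendor.com/collect', data: { userId: 42 } },
  { url: 'https://cdn.example-vendor.com/beacon', data: { email: 'a@b.test' } }, // blocklisted
  { url: 'http://analytics.example-vendor.com/collect', data: {} },               // not HTTPS
  { url: 'https://unknown-tracker.example/pixel', data: { dob: '1990-01-01' } },   // not allowlisted
  { url: 'not a url', data: {} },                                                   // unparseable
];

const result = filterOutbound(SAMPLE_REQUESTS);
console.log(`allowed: ${result.allowed.length}, blocked: ${result.blocked.length}`);
console.log('Content-Security-Policy:', buildCspHeader());
```

Running this with Node prints one allowed request and four blocked ones, plus the policy header the site would serve. The check is deliberately allowlist-first: a vendor has to be named before any data leaves the page, and the blocklist exists only to revoke a previously approved host quickly without rewriting the whole list.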

With the loss or theft of more than 11.7 billion records in the past three years alone, the Ponemon report urges companies to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs.

Speak to us about how we can help manage and secure all your third-party vendor technologies to prevent unauthorized data collection and prevent a potentially disastrous data breach within your organization.

Some more of the report’s headline findings include:

  • Malicious breaches: More than 50 percent of data breaches resulted from malicious cyberattacks and cost companies $1 million more on average than those originating from accidental causes.
  • Mega breaches: While less common, breaches of more than 1 million records cost companies a projected $42 million in losses, and those of 50 million records are projected to cost companies $388 million.
  • Practice makes perfect: Companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place.
  • U.S. breaches cost double: The average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average.

Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.
