The Average Cost of a Data Breach is Now $3.86 Million

The 2020 Cost of a Data Breach Report from IBM Security has revealed the global average cost of a data breach is now $3.86 million, down 1.5% from 2019. While data breach costs fell on average year-over-year, in healthcare they increased by 10.5% to $7.13 million per breach, on average. There was also considerable variation in breach costs from country to country, with the United States having the costliest breaches. In the US, the average breach cost was $8.64 million. The average time to identify and contain a breach rose by one day to 280 days.

For this year’s study, IBM Security commissioned the Ponemon Institute to conduct the research and 524 data breaches were analyzed and 3,200 interviews were conducted across 17 regions and 17 industry sectors.

The data was collected between August 2019 and April 2020, before the COVID-19 pandemic. Follow up questions asked during the pandemic confirmed that most respondents felt data breach costs would rise, largely due to remote working. 76% of respondents felt data breach identification and remediation would take longer due to remote working and 70% believed the cost of a data breach would increases as a result. IBM Security calculated an average increase of $137,000 per breach was likely due to COVID-19.

Malicious cyberattacks were the costliest type of breaches and malicious attacks by nation state hackers cost the most to resolve. Financially motivated breaches accounted for 53% of the 524 breaches analyzed for the report, with nation state and hacktivist attacks each accounting for 13% of attacks. Financially motivated attacks cost an average of $4.23 million, hacktivist attacks cost $4.28 million on average, and nation state attacks cost an average of $4.43 million.  Ransomware and destructive malware attacks cost even more to mitigate, with an average cost of $4.44 million and $4.52 million respectively.

The most common attack vectors, accounting for 19% of attacks each, were compromised credentials and cloud misconfigurations, with vulnerabilities in third party software responsible for 16% of breaches. Attacks involving compromised credentials cost the most at $4.77 million, followed by vulnerabilities in third party software $4.53 million, and cloud misconfigurations ($4.41 million).

The Cost of a Data Breach Report serves as a barometer for breach costs and identifies data breach trends, but one of the main benefits of the report is identify factors that either increase or decrease breach costs. The data for the report can be used by companies to help them make the right security decisions, and by making those decisions, identify and respond to breaches more quickly and keep the cost of remediation to a minimum.

One of the most important steps to take to reduce breach costs is implementing security automation technologies. The average cost of a data breach at organizations with fully deployed security automation was $2.45 million, compared to an average cost of $6.03 million at organizations with no security automation.  When organizations set up incident response (IR) teams and engage in IR testing, breach costs are reduced by about $2 million on average.

Factors that can increase or decrease data breach costs are detailed in the graph below:

Image Source: IBM Security

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of