Survey: Data breaches from malicious attacks doubled last year

Ponemon survey of U.S. companies discloses its first reports that data-stealing malware caused breaches.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Average cost per-record of a data breach, 2005-2009 Ponemon Institute/PGP

Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches, according to a new Ponemon survey to be released on Monday.

The incidence of malicious attacks rose from 12 percent in 2008 to 24 percent last year, according to the 2009 Annual Study: U.S. Cost of a Data Breach survey conducted by the Ponemon Institute and sponsored by PGP Corp.

The cost per compromised record involving a criminal act averaged $215, about 40 percent higher than breaches from negligence and 30 percent higher than those from glitches, the survey found.

For the first time, companies reported in the survey that data-stealing malware caused their breaches.

"A surprising finding is that malicious or criminal attacks increased substantially. These attacks often utilized data-stealing malware or botnets," said Larry Ponemon, founder and chairman of the Ponemon Institute. "We never experienced this type of data breach in the prior five years. Hence, the nature of data breach incidents may be changing. In addition, these types of attacks are much more expensive for participating companies."

The average organizational cost of a data breach increased nearly 2 percent to $6.75 million in 2009, while the average cost per compromised record per breach rose only $2 to $204. The most expensive breach in the survey was nearly $31 million and the least expensive was $750,000.

Meanwhile, 42 percent of all cases reported in the survey involved mistakes made at third parties, such as outsourcers, and 36 percent of the cases involved lost or stolen laptops or other mobile devices.

For the study, 45 U.S. companies from 15 different industries were surveyed. The figures include business costs including expenditures for detection, notification, and response, as well as the economic impact of lost or diminished customer trust and confidence as measured by customer turnover rates.

Asked to comment on criticism that data breaches are over-estimated, Ponemon said, "We believe our figures are conservative, given that we exclude future costs such as remediation, legal defense, and fines."

Updated at 9:27 a.m. PST with comment from Ponemon.

Average organizational costs of a data breach, 2005-2009 Ponemon Institute/PGP