In a world of uncertainty and change, it’s a comfort that some things are consistent year after year. Now in its 15th year, the annual Cost of a Data Breach Report, with research by the Ponemon Institute and published by IBM Security, continues to provide a detailed view of the financial impacts security incidents can have on organizations, with historical data revealing trends in data breach causes and consequences.

This year’s study analyzed 524 breaches that occurred between August 2019 and April 2020, in organizations of all sizes, across 17 geographies and 17 industries. The 2020 Cost of a Data Breach Report shows some consistency with past research, including the global total cost of a data breach, which averaged $3.86 million in the 2020 study, down about 1.5% from the 2019 study, but in line with previous years. The average time to identify and contain a data breach was 280 days in the 2020 study, nearly identical to the average of 279 days in 2019.

Yet 2020 has been an exceptional year. In response to the global coronavirus pandemic that has disrupted so many businesses, economies and lives, many organizations have shifted to remote work models. According to survey results in the 2020 Cost of a Data Breach Report, 76% of respondents whose organizations have shifted to remote work expect that working from home could increase the time it takes to identify and contain a data breach. Additionally, 70% of respondents expect remote working could increase the cost of a data breach.

As organizations continue to adjust to COVID-19, to protect their employees’ health, continue to serve customers and adapt to rapid changes in business models, the need to assess and mitigate cybersecurity risks has never been higher. The Cost of a Data Breach Report offers insights and recommendations to help you along the way.

See the 2020 Cost of a Data Breach report and calculator

The real value of this research is not pegging the cost of a breach to a single average, but in highlighting the numerous factors that impact those costs, so that organizations can identify the best possible strategies for mitigation. Here we offer some highlights of the report.

New Insights, Remote Working and Vulnerability Testing

Each year, Ponemon Institute asks participating organizations to estimate costs* on hundreds of factors that impact the cost of a data breach, from lost business to detection and response activities, to notification activities and many more. To keep up with changing business needs, new technologies and new threats, the 2020 report explores previously unexamined factors including various types of threats, organizational factors and security measures.

This year, the research added analysis of the cost impact of vulnerability testing and red team testing, which uses an adversarial approach to penetration testing. Compared to the average total cost of $3.86 million, organizations that conducted red team testing said their average costs were about $243,000 lower, while organizations with vulnerability testing said they experienced costs that were on average about $173,000 less than the global average.

And for the first time, the research explores the cost impact of remote work and the security skills shortage, both of which were found to have a cost amplifying effect. Organizations with remote work arrangements cited costs that were nearly $137,000 higher than the global average of $3.86 million, while organizations estimated that the security skill shortage increased costs by an average of $257,000 compared to the global average.

You can explore the impacts of these cost factors and more – some that amplify costs and others that mitigate costs – using the interactive cost calculator that is a companion to this year’s report. You can register to access the full calculator to see the estimated impact of 25 cost factors on the average cost of a data breach in 17 geographies and 14 industries.

Download the webinar to learn more key findings and best practices from the 2020 Cost of a Data Breach Report

Key Findings That May Surprise You

Here are five of the key findings from the 2020 Cost of a Data Breach Report, including several new areas of research.

1. Security automation and incident response readiness are effective at mitigating costs

Detecting a breach as quickly as possible through the use of automation, and responding to contain the breach faster with a trained and prepared incident response (IR) team, were found to significantly limit the financial damages of a data breach.

In the 2020 study, the average cost of a data breach at organizations that have deployed security automation technologies – such as artificial intelligence, machine learning, analytics, and automated orchestration – was far less than at organizations that have not yet deployed these technologies. In fact, the average cost of a breach at organizations with fully deployed security automation was $2.45 million, compared to $6.03 million at organizations with no security automation, or a difference of $3.58 million.

Meanwhile, organizations with IR teams who regularly test their IR plans through simulated breach exercises experienced an average data breach cost of $3.29 million, while organizations without IR teams or IR testing experienced an average data breach cost of $5.29 million – a difference of $2 million on average.

2. Customer PII drives costs more than other record types

For the first time, the report drills down into the per record cost of a data breach** based on the type of records involved. Customer personally identifiable information (PII) was the most expensive type of record, costing an average $150 per lost or stolen record, compared to the per record cost of intellectual property ($147), anonymized customer records ($143) or employee PII ($141). Customer PII was the most frequently compromised type of data, present in 80% of the breaches analyzed.

3. Compromised credentials and cloud misconfiguration are biggest attack vectors

Malicious attacks were responsible for 52% of breaches in the 2020 study, a slight increase from 51% in 2019. For the first time, the 2020 report took a deeper dive into the types of malicious attacks, analyzing the cost and frequency of nine initial attack vectors. The most frequent initial attack vectors included compromised credentials (19% of malicious breaches), cloud misconfiguration (19%) and vulnerabilities in third-party software (16%). These three attack vectors are also the costliest, with breaches due to compromised credentials averaging $4.77 million, vulnerabilities in third-party software averaging $4.53 million and cloud misconfiguration breaches averaging $4.41 million.

4. Ransomware and destructive attacks are more expensive than average breaches

Not all data breaches involve the theft or leakage of data – sometimes records are destroyed or held hostage for a ransom. For the first time, the report analyzed the cost of breaches involving destructive malware and ransomware. The average destructive malware breach cost $4.52 million and the average ransomware breach cost $4.44 million. The overall average cost of a malicious breach was $4.27 million.

5. Nation state attacks are uncommon but costliest malicious breaches

For the first time, the 2020 report analyzed malicious breaches based on the type of threat actor believed to be responsible for the breach. The most common type of malicious breach was caused by financially motivated attackers (53% of malicious breaches), compared to nation state threat actors (13%) and hacktivist threat actors (13%). Although less common, the average cost of a breach was higher for state-sponsored breaches ($4.43 million) and hacktivist breaches ($4.28 million) than financially motivated breaches ($4.23 million).

Discover More in the 2020 Cost of a Data Breach Report

The Cost of a Data Breach Report contains more information and insights this year than ever before. To make the report more accessible and interactive, IBM Security offers an interactive calculator, a global map and other tools for exploring the data for insights and recommendations. Visit the website at to view an infographic with key highlights and register for the report to use the calculator, see industry recommendations, download data charts and access the complete report as a PDF document.

See the 2020 Cost of a Data Breach report and calculator

If you are experiencing a cybersecurity incident, contact the X-Force IRIS U.S. hotline 1-888-241-9812; Global hotline (+001) 312-212-8034. Visit IBM X-Force Incident Response and Intelligence Services to learn more.

* To preserve confidentiality, the Ponemon Institute does not use actual financial records, but asks people with knowledge of the breach to estimate costs for a range of direct and indirect costs. For a more thorough explanation of the methodology, see the Research methodology section of the full Cost of a Data Breach Report.

** The breaches studied in the Cost of a Data Breach Report ranged from approximately 3,000-100,000 records. The cost per record of data breaches of this size should not be used to extrapolate the cost of larger data breaches, which have a lower per record cost. The largest data breaches were studied in a separate analysis. See the complete Cost of a Data Breach Report for more information.

More from Threat Intelligence

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Threat intelligence to protect vulnerable communities

2 min read - Key members of civil society—including journalists, political activists and human rights advocates—have long been in the cyber crosshairs of well-resourced nation-state threat actors but have scarce resources to protect themselves from cyber threats. On May 14, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a High-Risk Communities Protection (HRCP) report developed through the Joint Cyber Defense Collaborative that addresses the threat to these vulnerable groups, with findings contributed by the X-Force Threat Intelligence team.Cyber criminals seek stolen credentialsThe HRCP…

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today