Calculating the Cost of a Data Breach

Estimating the cost of data breaches.

UK government studies aim to identify the financial costs of dealing with a data breach.

The full financial cost of a data breach is not easy to work out.  Consider the simple example of a ransomware attack.  In the best case, where the ransom is paid promptly and the decryptor works, the affected network may be back in action with little lost working time.  Even here the cost is not simply the ransom paid.  The system is known to be vulnerable and could suffer a similar attack later unless funds are allocated to find the source of the original breach and put measures in place to reduce the chance of it happening again.

Having some means of quantifying data breaches allows the relative severity of attacks to be compared and the scale of the problem to be analysed.

The UK Department for Digital, Culture, Media and Sport undertook a survey into the cost of cyber security breaches in August 2020.  The costing tool used to evaluate these financial costs prompts for costs within each business area that might be affected.  Costs were divided into three areas (note that there will be some overlap between the categories).

Immediate losses:

  • Assets stolen, ransoms paid and staff costs for those who were unable to continue with their usual work roles.
  • Costs from loss or reduction in services such as business websites being unavailable.
  • The value of data permanently lost or the cost of its recovery.
  • Lost income from a drop in competitive advantage through stolen intellectual property or other sensitive information.
  • Loss or damage to equipment.
  • Any insurance excess paid.

Legal or regulatory costs:

  • Fines for breaking data protection regulations.
  • Legal advice and costs arising from legal action taken as a result of the breach.
  • Staff time costs in dealing with police and regulators.
  • Staff time costs in dealing with customers and suppliers affected by the breach.

Technical costs:

  • The costs involved in shutting down and repairing services.
  • Additional staff or consultant costs to remediate the breach.
  • Putting new cyber security measures in place.
  • Increased cyber security staff and staff training costs.

A summary of 15 respondents to the survey indicates that the question format evolved during the survey but that the tool was generally useful.  The smallest loss calculated was £20, for the response to a single phishing email demanding a payment which was actioned but not eventually paid.  The highest, £300,000, concerned a ransomware attack that took a network offline for four days.  In this case the ransom was not paid; the costs were made up of staff unable to work, damaged data and equipment, and the changes put in place to reduce the chance of a similar attack in future.

More recently, the 2022 UK government survey of cyber security breaches indicates that a version of the cost tool is still being used.  The information was based on a telephone survey of 1,243 UK businesses, 424 UK charities and 420 education institutions.  The results have been weighted, which should be borne in mind when reading the figures.  Calculated costs are in section 5.5.  For those who reported a breach or attack within the previous 12 months the mean cost of a breach was £1,200 (550 cases).  Some breaches had no financial impact.  The mean cost for those breaches that did involve a financial outlay was £4,200 (129 cases).

Except where an operation is forced out of business by a data breach, there will always be a degree of estimation involved in predicting its cost.  That estimate in turn needs to be weighed against the likelihood of each attack scenario actually occurring.  As an experienced data security consultancy, Kindus can offer help and advice with predicting the cost of data loss.
