ITPRO

Printed from www.itpro.co.uk


    Will HMRC breach cost £625 million?

Analysis: With a study showing the average cost of a data breach is £47 per record compromised, high profile public sector data losses, such as the recent CD loss at Revenue and Customs, will likely create financial woe for taxpayers.

By Nicole Kobie, 25 Feb 2008 at 12:17

In addition to revealing holes in security practices, will the growing number of public sector data losses put an even bigger hole in the public purse?

A study into UK data breaches has suggested the average cost per record of a data breach is £47 - even higher for financial firms and third-party breaches.

With that in mind, the cost associated with the HM Revenue and Customs child benefit data loss could easily exceed £600 million, a figure that, if accurate, would ultimately have to be covered from the public purse.

Putting a number on such scandals is no easy task, said security firm McAfee's Greg Day. "I honestly think that every incident is different," he said. "It depends on what level of data it was and what type."

But Guy Bunker, analyst at study-sponsor Symantec, said the average rate was a good start. "If you put your finger in the air, it's as good a place to start as any," he said. "It's tangible evidence that data loss costs money."

The cost is broken down into three main areas. The first cost is notification, just £1 per record - not surprising, given it's often little more than sending a letter. Detection and other activities add £15 per record, post-discovery activity (such as protecting accounts) adds £15, while the cost of lost business adds another £17 - for a total cost of £47 per record on average, across sectors.

"When you start to go up to a million [lost records], just notification is a huge expense," Symantec's Bunker noted. "Losses have a big effect on reputation, but a lot of other things have a bigger effect than this."

Bob Tarzey, of analyst firm Quocirca, said: "This is really going to vary. For example, there is no evidence that the HMRC data loss last year cost anything in terms of the data actually being used to exploit taxpayers, as it is not even clear that the data reached the public domain. However, the cost to HMRC's reputation was immense; if it had been a company this may well have led to a share price drop. On the other hand, a commercial organisation might be able to keep real data loss and exploitation under wraps (as far as the press is concerned), so whilst real money is lost, damage to reputation may be zero."

The study said end-cost was also affected by who caused the incident. If the records were lost by the organisation itself, the average cost fell to £42. Data breaches caused by third-party organisations are more costly, at an average £59.

Another cost differential is sector. Not surprisingly, losses by financial firms were more expensive than others, averaging out at £55.

The study noted it covered 21 breaches ranging in size from 2,500 to 125,000 records - clearly leaving out the HMRC breach last year, which hit 25 million people.

So just how much would some of the most infamous breaches of the past year cost, according to the Ponemon study?

HMRC Child Benefit Records: £625 million

With some 25 million people affected by just two lost discs, this was the government scandal that kicked off months of disclosures. Using the study's average cost of £42 per record for an internal loss, the cost of that scandal could top a billion pounds.
