Shostack + Friends Blog Archive


Cost of a Breach: $6, not $187?

So TJX recently announced a $118m set-aside to deal with the loss of control of 45 million records. Now, I’m not very good at math (if I were, I’d say $2.62, not $3), but it seems to me that the set-aside works out to less than $3 per record. That doesn’t line up with the $187 per record that’s going around. In fact, it’s off by a factor of 60. Even if I’m not good at math, I can see that.

So to every journalist who’s quoted $187, I ask: what’s up with that discrepancy?

[Update: Apparently, the cost was $196M before taxes, and a commenter linked to a Boston Globe article arguing costs could reach $1B. I’ve updated the title to $6 (it was $3), but even at $1B, that’s roughly $21 per record, not $187. Which is “only” off by a factor of 6, not 60.]

[Update2: Thurston has comments in “Why TJX and Ponemon disagree.”]

5 comments on "Cost of a Breach: $6, not $187?"

  • q says:

    it’s 256 million according to these guys:

  • Mordaxus says:

    You get discounts when you breach in bulk. $187 is retail, quantity one. $6 is what you pay for a site license.

  • Alex says:

    Gee, only $1bn US? I had heard $4.5 bn:
    blogs need sarcasm tags…

  • Blake says:

    Typically, those discrepancies are between direct and indirect costs. Most estimates of direct costs range in the $10-20 area; one hopes and expects there are economies of scale here. The fearmongers make up big numbers to be estimates of “lost revenue” or “brand impairment” or some other intangible that isn’t falsifiable. Which is not to say that they are wrong, just that there is no (little) data. The lesson of the TJX breach appears to be that the vast majority of consumers (and maybe even a reasonable approximation of “all”) don’t care about security.

  • Mike Spinney says:

    For those reporters (and there were only a few) who bothered to ask Larry Ponemon about the costs, they got an answer that was in line with the estimates TJX just announced. Ross Kerber’s reporting in the Boston Globe back in April should serve to demonstrate Ponemon’s grasp of the issue, and his own research. Others weren’t so bright, opting instead to simply multiply a breach that represented a statistical anomaly on the high end by the $183-per-record figure from our 2006 report. While the resulting figure was certainly sensational it was, as others have already pointed out, a misread of the information in the report.
    Economies of scale take over when the incident leaps from a sampling that included incidents numbering in the tens of thousands to a breach that was over 45 million.