Data Breach Cost-Per-Record Calculator

A quick, benchmark-based breach cost estimate: multiply the number of exposed records by the average cost per record for your industry. Choose your industry to load its published per-record figure, then adjust either number. This is the textbook linear method — fast and intuitive, but it assumes every record costs the same and carries no fixed cost. For a small or mid-sized business, compare it with the SMB-adjusted estimator. Numbers update as you type. Benchmarks as of Jun 25, 2026 — sources; both figures are editable.

Your breach
Estimated breach cost (linear): $1,640,000 = 10,000 records × $164 per record.
Records: 10,000
Cost per record: $164
Linear total: $1,640,000
The linear estimate, step by step
Step | Value
Records exposed | 10,000
× Cost per record | $164
= Estimated cost | $1,640,000
Heads up — this is the linear estimate. It assumes a constant cost per record and no fixed cost. Real breaches have a large fixed component (forensics, legal, crisis response), so for a small business this method understates a small breach and can overstate a very large one. The SMB data breach cost estimator adds that fixed cost plus a company-size factor, which is why its per-record figure is regressive (smaller breach → higher cost per record).
Formula.
Estimated cost = records × cost per record
Default: 10,000 × $164 = $1,640,000
Cost per record is constant here — it does not change with the number of records (unlike the SMB-adjusted model).

How it works

The cost-per-record method is the simplest way to put a dollar figure on a data breach, and it is the one most people reach for first. You take the number of sensitive records that were — or could be — exposed, and multiply by a single average cost for each record. That average already bundles together everything a breach generates per record: notifying the person, offering them credit or identity monitoring, the share of legal and regulatory cost attributable to their data, and the slice of lost business their churn represents. Published industry research, principally the IBM/Ponemon Cost of a Data Breach study, reports this figure every year, both as a global average (around $164) and broken out by industry. That is where the dropdown gets its defaults.

The appeal of the linear method is its transparency. There is exactly one coefficient, you can see it, and you can change it. If your insurer, your forensics retainer, or your own prior incident gives you a better per-record figure, type it straight into the field and the total follows. Because the relationship is a straight line through the origin, doubling the records doubles the cost, and the cost per record never moves — a property that makes the method easy to reason about but also explains its main weakness.

That weakness is the absence of any fixed cost. In reality, the first dollar of a breach is expensive: you engage forensic investigators, retain breach counsel, stand up a crisis-management process and, often, a call center — and you pay for most of that whether ten records or ten thousand were exposed. The linear model spreads none of this. As a result it tends to understate the cost of a small breach (where fixed costs dominate) and, at the other extreme, can overstate a very large one (where genuine economies of scale kick in and the marginal per-record cost falls). The headline industry averages are themselves an average across breaches of every size, so applying one flat figure to your specific record count quietly inherits that mismatch.

The industry figure matters because the spread is wide. In the bundled benchmarks, the per-record cost ranges from $160 in the public sector up to $408 in healthcare — a difference of more than two and a half times for the same number of records. The driver is the sensitivity and regulatory weight of the data: health records (PHI) and financial records attract notification duties, monitoring obligations and liability that ordinary contact data does not. Picking the wrong industry, or using the global average for a healthcare provider, can therefore move your estimate by a large margin. The table below shows every industry in the dataset so you can sanity-check the figure you have selected.

Cost per record by industry (published averages)
Industry | Cost per record
Healthcare | $408
Financial services | $336
Pharmaceutical | $295
Technology / SaaS | $300
Professional services | $290
Energy / utilities | $280
Manufacturing / industrial | $190
Education | $220
Retail / e-commerce | $200
Public sector | $160
Consumer / other services | $165
Other | $164

Figures verified Jun 25, 2026 against IBM/Ponemon analysis. See the full dated reference: cost per record by industry.

A worked example

Suppose a mid-sized company discovers that a database holding 10,000 customer records has been exposed, and you want a fast, defensible first number to take into a planning meeting. You do not yet know the industry-specific cost, so you start with the published global average of $164 per record — which is the default loaded here under "Other".

  • Records exposed = 10,000
  • Cost per record = $164 (global average)
  • Estimated cost = 10,000 × $164 = $1,640,000

Now refine it. If those records are health data and the business is a healthcare provider, switch the industry to Healthcare and the per-record cost jumps to $408, lifting the same 10,000 records to $4,080,000. That single change shows how much the industry assumption is doing. Finally, because this is a small-to-mid breach with a heavy fixed-cost tail, cross-check it against the SMB data breach cost estimator, which adds the fixed forensics-and-legal floor and a size factor — and against the cost-by-industry reference for the average total breach cost in your sector. The three numbers together bracket a realistic range far better than any one of them alone.
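The under- and overstatement described above becomes visible when the linear estimate is put beside a model with a fixed floor. This is an added example, not BreachCostLab's code and not the SMB estimator's formula: the per-record figures are the table above, while FIXED, VARIABLE and all function names are constructed assumptions chosen only to illustrate the shape of the two curves.

```python
# Added example: the page's linear estimate beside a fixed-plus-variable model.
# PER_RECORD copies the page's industry table. FIXED and VARIABLE are
# constructed placeholder values, not published benchmarks.

PER_RECORD = {
    "Healthcare": 408, "Financial services": 336, "Pharmaceutical": 295,
    "Technology / SaaS": 300, "Professional services": 290,
    "Energy / utilities": 280, "Manufacturing / industrial": 190,
    "Education": 220, "Retail / e-commerce": 200, "Public sector": 160,
    "Consumer / other services": 165, "Other": 164,
}

FIXED = 1_000_000   # assumed fixed response cost (forensics, counsel, crisis)
VARIABLE = 100      # assumed marginal cost per record in the comparison model


def linear_cost(records, industry="Other", per_record=None):
    """records x cost per record; per_record overrides the industry default."""
    rate = PER_RECORD[industry] if per_record is None else per_record
    if records < 0 or rate < 0:
        raise ValueError("records and cost per record must be non-negative")
    return records * rate


def fixed_model_cost(records, fixed=FIXED, variable=VARIABLE):
    """Hypothetical comparison: a fixed floor plus a lower marginal rate."""
    return fixed + records * variable if records > 0 else 0


def crossover(rate, fixed=FIXED, variable=VARIABLE):
    """Record count where both models agree; None if linear never catches up."""
    return fixed / (rate - variable) if rate > variable else None


def compare(records, industry="Other"):
    """Both estimates, plus whether linear under- or overstates the model."""
    lin, alt = linear_cost(records, industry), fixed_model_cost(records)
    verdict = "understates" if lin < alt else "overstates" if lin > alt else "matches"
    return {"linear": lin, "fixed_model": alt, "linear_verdict": verdict,
            "model_per_record": round(alt / records, 2) if records else None}


if __name__ == "__main__":
    for n in (500, 10_000, 1_000_000):
        print(n, compare(n))
    print("crossover (Other):", crossover(PER_RECORD["Other"]))
```

With these assumed inputs the comparison model's per-record cost falls as the record count grows, while the linear figure stays at the chosen benchmark; the crossover point moves with whatever fixed and marginal values you substitute.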

Frequently asked questions

What is the cost per record of a data breach?

Cost per record is the total cost of a breach divided by the number of records exposed. Published analysis puts the global average near $164 per record, but it ranges from roughly $160 in the public sector to about $408 in healthcare. Pick your industry above and the figure updates.

How is this calculated?

It is the textbook linear estimate: records × cost per record. For the default profile, 10,000 records × $164 = $1,640,000. There is no fixed cost and no size adjustment, so the per-record figure stays constant no matter how many records you enter.

Why does my real breach cost differ from this number?

Because a real breach has a large fixed cost — forensics, legal, crisis management — that you pay almost regardless of record count. The linear method spreads no fixed cost, so it understates small breaches and can overstate very large ones. For a small or mid-sized business, use the SMB-adjusted estimator, which adds a fixed component and a size factor.

Which cost-per-record figure should I use?

Use the one that matches the most sensitive data you hold. Health data (PHI) and financial data carry the highest per-record cost; basic contact data the lowest. The dropdown defaults to the published industry average, but the field is editable, so you can drop in your own figure or the one your insurer uses. See the full cost-per-record by industry table.

How current are these benchmarks?

The per-record figures were verified on Jun 25, 2026 against IBM/Ponemon Cost of a Data Breach. They are convenience defaults — every figure here is editable, so the calculator stays correct even as the benchmarks age.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.