A data breach involving 100 million user accounts can be a costly affair, which may blow a hole of as much as USD 199 million (about Rs.125 crore) for an organisation.

This is part of the findings by Verizon security analysts using a new assessment tool to measure the financial impact of a hacking attack.

The key takeaways came from the US-based firm's 2015 Data Breach Investigations Report (DBIR), which analysed over 2,100 confirmed data breaches and some 80,000 reported security incidents between 2014 and 2015.

"Verizon security analysts used a new assessment model for gauging the financial impact of a security breach based on the analysis of nearly 200 cyber liability insurance claims," Verizon said, in a statement on Wednesday.

The model accounts for the fact that the cost per record stolen depends directly on the type of data and the total number of records compromised, and it shows high and low ranges for the same, it added.

"The model predicts that cost of a breach involving 10 million records will fall between USD 2.1 million and USD 5.2 million (95 per cent of the time) and depending on circumstances, could range up to as much as USD 73.9 million," the report stated.

"For breaches with 100 million records, the cost will drop between USD 5 million and USD 15.6 million (95 per cent of the time) and could top out at USD 199 million."

Verizon Enterprise Solutions VP (Global Security) Mike Denning said the new model for estimating the cost of a breach is ground-breaking, although there is still room for refinement.

The report indicated that, in general, mobile threats are overblown.

Verizon security researchers explained that the bulk (96 per cent) of the nearly 80,000 security incidents analysed this year can be traced to nine basic attack patterns that vary from industry to industry.

The threat patterns include miscellaneous errors, such as sending an e-mail to the wrong person; crimeware (various malware aimed at gaining control of systems); Web app attacks; cyber espionage; point-of-sale intrusions; and payment card skimmers.