Data breaches have compromised nearly seven million UK credit and debit cards over the last three years, with breached businesses each paying out almost a million in forensic and remediation costs, payments processor Worldpay has calculated.

Data breach costs fly around the ether every day of the week but the ones from Worldpay are worth paying more attention to – the firm sees 44 percent of all plastic transactions that happen in the UK.

According to Wordpay, the three-year average per breached firm is now £878,000 ($1,475 million), which it calculated by summing a combination of forensic costs and fines generated by incidents it was aware of through industry reporting systems.

Fines would include everything from those levied by the Information Commissioner’s Office (ICO) but also by global card networks such as Visa and Mastercard, Worldpay said.

This is not a total data breach cost; that would have to take into account loss of reputation, the cost of extra IT staff and any upgrades that were needed to overhaul security after an incident.

The bottom line was that 3 million cards had been put at risk by breaches in 2013 alone, a hefty 1,518 percent rise since 2012 when the number was a now trifling-looking 200,000. Since 2011, the total number of cards put at risk was “at least” 6.57 million, excluding incidents either not known about or not disclosed.

Worldpay said it was particularly concerned about small businesses, which accounted for 61 percent of breached firms.

“While most large companies are strengthening their safety measures, there’s been only a marginal improvement amongst small businesses,” commented  Worldpay managing director, Dave Hobday.

“Fraudsters go after low-hanging fruit. Small businesses are easy prey, so it’s a real worry so many small businesses still don’t see the value in compliance. If we want to see genuine change, it’s important we support small business owners.”

The firm’s figures showed that small UK online companies would face costs of £6,400-£12,000 for an incident, a potentially significant bill.

“A data breach can be financially crippling – just the investigation alone can cost thousands of pounds, not to mention fines and loss of reputation,” said Hobday.

The number of breached cards is shocking, as the possibility that this can run up big bills for the firms involved. Less commented on, of course, is the effect of this on the customers behind these cards, many of whom will also have lost sensitive personal data such as names, addresses, and dates of birth that cannot easily be reset or recovered. A stolen credit card can be cancelled, a stolen identity can't.

Under a previous guise, RBS WorldPay (as it was then) was the victim of an infamous November 2008 attack that targeted its US network of 2,100 ATM machines during which £6 million in cash was stolen. In 2010, the Russian authorities arrested members of the gang accused of carrng out the raid.

Later that year, WorldPay was sold to Bain Capital and Advent International, dropping the RBS part of the name and making it a private company.