Your legacy Access database has been running for years without incident. It's stable. Nobody touches it. The users know how to work around its quirks. Why spend money migrating something that isn't broken?
Because "isn't broken yet" is doing a lot of work in that sentence. And the longer you keep an .mdb database in production, the higher the bill you're running up — even when nothing appears to be going wrong.
Here's the actual cost of inaction.
Jet 4.0 — the database engine that powers every .mdb file — is end-of-life. Microsoft stopped developing it after Access 2003. It has documented security vulnerabilities (CVE-2018-8423, CVE-2019-1024, and others) that Microsoft has explicitly declined to patch because patching a deprecated engine doesn't fit their support model.
These aren't theoretical vulnerabilities. They include memory corruption issues that can allow remote code execution if an attacker can get a malformed .mdb file opened by a target system. If your .mdb is accessible via a network share, embedded in a web application, or processed by any automated workflow, it's an attack surface.
Data breaches carry significant financial consequences for small businesses — from regulatory fines to remediation costs and lost business. One Jet vulnerability exploit is not a theoretical risk — it's a question of exposure and attacker interest.
The .accdb format uses AES-256 encryption. Jet 4.0 uses a weak RC4 encryption. If your .mdb stores any sensitive data — customer records, employee information, financial data — that encryption is not protecting it.
Every time a new employee joins, every time a laptop gets replaced, every time a machine gets upgraded to Windows 11 — someone has to figure out how to get the old .mdb working again.
On a clean Windows 11 64-bit installation, Jet OLEDB 4.0 is not present. Opening an .mdb requires either:
If 10 machines need setup per year at 2 hours each at $100/hr IT rate: $2,000/year in recurring IT labor — just to keep a legacy database marginally functional. This scales with headcount and machine refresh cycles.
This isn't a one-time cost. Every OS update, every Office update, every new machine is a potential compatibility event. You're paying for it in IT time whether or not you track it explicitly.
Every major Windows update is a potential breaking event for .mdb databases. The specific risks:
Each of these events is a potential outage. The database that ran fine Monday morning may not run Tuesday after a Windows Update applied overnight — see our detailed breakdown of Windows 11 compatibility problems for specifics.
If your database supports 5 users at $50/hr loaded cost, and a Windows Update breaks it for 2 days while IT investigates: $4,000 in lost productivity from one incident. Plus IT time at $100/hr for 16 hours: $1,600. Total: $5,600 from one update event.
If your .mdb database stores any of the following, you likely have a compliance problem you're not aware of:
GDPR requires "appropriate technical measures" to protect personal data. Running personal data in an unpatched database engine with a broken encryption scheme is, at minimum, a documented risk that auditors will flag. At worst, it's a reportable breach if exploited.
HIPAA's technical safeguard requirements are similar. If a covered entity or business associate stores PHI in an .mdb database accessible over a network, that's an audit finding waiting to be discovered.
GDPR fines can reach 4% of global annual revenue or €20M, whichever is higher. HIPAA fines range from $100 to $50,000 per violation. Even a mild compliance finding during an audit triggers remediation costs. The cost of "appropriate technical measures" — migrating the database — is almost always lower than the cost of a finding.
This is the biggest hidden cost — and the one most often ignored until it materializes.
Legacy databases don't get migrated proactively. They get migrated when they break. And crisis migrations cost dramatically more than planned migrations, for compounding reasons:
Business operations that depend on the database are paused while IT works. Revenue, service delivery, reporting, payroll — whatever the database touches stops until it's fixed.
The person who built the database three VBA modules and a hundred queries ago has been gone for years. The documentation, if it existed, is in an email on a decommissioned laptop. IT is reverse-engineering live production code under deadline pressure.
A database that stopped opening may have been partially corrupted by the event that broke it — an interrupted write during an update, a file system error, a network disconnection mid-transaction. Recovery from a damaged file takes longer and may not be complete.
If the internal IT team can't solve it, external consultants called in for emergency database recovery charge premium rates — typically 1.5–2x standard consulting rates for urgent engagements.
10 users blocked for 3 days at $50/hr: $12,000. IT team at $100/hr for 40 hours: $4,000. External consultant emergency rate for 20 hours: $6,000. Total crisis cost: ~$22,000 — for a database that could have been migrated proactively for $500–2,000.
Let's put numbers on a realistic mid-size business scenario:
| Cost Category | Annual Estimate |
|---|---|
| IT compatibility overhead (new machines, updates) | $1,500–4,000 |
| Security risk carrying cost (exposure × probability) | $2,000–10,000 |
| Update-triggered outage risk (amortized) | $1,000–6,000 |
| Compliance remediation risk | $500–5,000 |
| Crisis migration probability × crisis cost | $2,000–8,000 |
| Total annual cost of inaction | $7,000–33,000 |
These are real costs — they just don't appear on a single line item in your budget because they're distributed across IT time, lost productivity, and amortized risk. That makes them easy to ignore. They're also cumulative: every year you keep the .mdb in production, you're running another year of this exposure.
A planned migration of a typical business Access database — tables, queries, forms, reports, VBA code — costs:
Compared to the annual cost of inaction ($7,000–33,000), a one-time migration cost of $500–3,000 pays back within weeks to months. The ROI on migration isn't marginal — it's decisive.
LegacyLeaps's free scan shows you the database's full contents, complexity, and any issues — so you can scope the migration accurately. No surprise bills.
Run Free ScanOr talk to us about a done-for-you quote — 100% money-back guarantee.
If you're an IT manager or operations lead who needs to get budget approval for a migration project, here's the framing that works:
"We're eliminating $22,000 in crisis migration risk for a one-time investment of $1,500" lands better than "we need to spend $1,500 to migrate a database." Both are true — one gets approved.
How many people use this database? What does their work stop for when it's unavailable? Every hour of unavailability has a real dollar cost. Make that number explicit.
Pull the IT ticket log for the last two years. How many tickets were "legacy database problem" tickets? Add up the hours. That's the maintenance tax you're already paying — migration eliminates it.
If you have any compliance obligations (GDPR, HIPAA, SOC 2, PCI), mention that Jet 4.0 has unpatched CVEs and inadequate encryption. Compliance-related risk gets budget approved faster than almost anything else.
Coming Soon
AI-powered code generation from .accdb files. Your data never leaves your machine.
A free consultation takes 30 minutes and gives you a clear scope, timeline, and price for your migration — everything you need to build an internal business case.
Book Free ConsultationPractical fixes for legacy Excel and Access problems. No spam.