Average Cost of a Data Breach: 2026 Statistics

💰 Key Data Breach Cost Numbers

The IBM Cost of a Data Breach Report 2025 — based on 604 organizations across 17 countries — reports a global average data breach cost of $4.44 million. This is a 9% decline from the prior year's $4.88 million and the first drop in five years. The average breach lifecycle fell to 241 days, a nine-year low, driven by AI and automation adoption.

Despite the global decline, US breach costs reached $10.22 million — an all-time high and 2.3x the global average. Healthcare breaches cost $7.42 million, maintaining the industry's 15-year position as the most expensive sector. Organizations with extensive AI/automation pay $3.62 million per breach versus $5.52 million without, saving $1.9 million per incident.

What IBM's Report Covers

IBM's Cost of a Data Breach Report, now in its 19th year and conducted by the Ponemon Institute, studies real-world breach costs across 604 organizations in 17 countries. It measures four cost categories: detection and escalation, notification, post-breach response, and lost business. The data represents actual financial impact, not theoretical risk models.

The 2025 report introduced significant new analysis on AI-related breaches, shadow AI, and the governance gaps that amplify costs. It also tracks cost factors (what increases or decreases breach costs) and breach lifecycle metrics (how long it takes to detect and contain). These data points are the foundation of every data breach cost statistic in this article.

A note on methodology: IBM's figures represent the average cost across 604 studied breaches. Individual breach costs vary enormously — from sub-$1M incidents at small organizations to $375M+ mega-breaches. The median is lower than the average because a small number of catastrophic breaches pull the mean upward. Industry, geography, attack vector, detection speed, and security controls all influence where a specific breach falls on the cost spectrum.

The report covers 16 industries and 17 countries, providing the broadest cross-sectional view of breach costs available. No other annual publication matches its scope. We supplement IBM's data with Verizon DBIR (attack vectors and breach patterns), CrowdStrike Global Threat Report (adversary tactics), Sophos State of Ransomware (recovery data), and WEF Global Cybersecurity Outlook (workforce and geopolitical context).

📊 How Much Does a Data Breach Cost?

The $4.44 million global average breaks down into four cost components. Detection and escalation accounts for $1.47 million — the cost of forensic investigation, assessment, and audit services. Lost business and downtime costs another $1.47 million, covering revenue loss, system downtime, and customer churn. Post-breach response adds $1.11 million for helpdesk, credit monitoring, and legal costs. Notification costs $0.39 million, covering regulatory requirements and communications.

70% of breaches are caused by external actors (Verizon DBIR 2025). 70% of breaches cause significant operational disruption (IBM 2024). After a breach, 50% of organizations plan to raise prices to offset costs (IBM 2025), and 32% face regulatory fines — nearly half of which exceed $100,000.

Mega-Breaches: When Costs Become Catastrophic

The $4.44 million average masks the extreme tail risk. Mega-breaches involving 50-60 million records cost an average of $375 million (IBM 2025). The cost per record decreases at scale (fixed costs spread across more records), but the absolute cost is devastating. The largest breaches in history — Yahoo (3 billion records), Equifax (147 million), Change Healthcare (100 million) — generated multi-billion-dollar total costs including settlements, remediation, and brand damage.

76% of organizations take more than 100 days to recover from a breach. Only 2% achieve recovery in under 50 days. 32% of breaches result in regulatory fines, and nearly half of those fines exceed $100,000 (IBM 2025). Post-breach, 50% of organizations plan to increase prices to offset costs, and 49% plan to increase security investment — down from 63% the prior year, suggesting budget fatigue even as threats escalate.

The Hidden Costs Beyond the Average

The $4.44M average captures measurable costs but understates total impact. Unmeasured costs include: executive time diverted to breach response, employee productivity loss during system downtime, long-term customer trust erosion, competitive disadvantage from stolen intellectual property, and increased insurance premiums post-breach. Some estimates put the true total cost at 2-3x the measured average.

Customer churn is particularly difficult to quantify. IBM's “lost business” category ($1.47M) captures some of this, but long-term brand damage can persist for years. Equifax's 2017 breach still affects its brand perception nearly a decade later. Organizations in consumer-facing industries (retail, healthcare, financial services) face the highest customer churn risk, while B2B organizations face contract renegotiation and audit requirements from enterprise customers post-breach.

Regulatory fines are escalating as enforcement matures. GDPR fines exceeded $7.1 billion cumulative by 2026 (DLA Piper). SEC now requires breach disclosure within four business days. 13 new US state privacy laws took effect in 2024 alone. Each regulatory layer adds notification costs, legal fees, and potential penalties that compound the base breach cost.

🌍 Data Breach Cost by Country

Breach costs vary 4.1x between the most expensive country (US at $10.22M) and the least expensive in IBM's dataset (India at $3.2M). The United States has led global breach costs for 15 consecutive years. The Middle East ($7.29M) climbed to second place, reflecting escalating threats from state-sponsored actors and rapid digital transformation in the region.

Canada ($4.84M), the UK ($4.14M), and Australia ($4.20M) cluster around the global average. Germany ($4.03M), France ($3.73M), and Japan ($3.65M) sit slightly below. Brazil ($4.00M) reflects Latin America's growing digital economy and expanding attack surface.

Why the US Leads by Such a Wide Margin

The $10.22 million US average reflects three compounding factors. First, regulatory costs: breach notification requirements exist in all 50 states, each with different rules. Federal agencies (FTC, SEC, HHS) layer additional requirements. Second, litigation: class-action lawsuits routinely follow major breaches, with settlements reaching hundreds of millions. Third, market pressure: US organizations experience larger-scale breaches because they hold more customer data per organization than most international counterparts.

The Middle East's rise to second place ($7.29M) reflects rapid digitalization across the Gulf states, where critical infrastructure and financial services are expanding attack surfaces faster than security controls can scale. The region also faces heightened state-sponsored threat activity. The UK ($4.14M) sits near the global average despite strong GDPR enforcement, suggesting that regulatory maturity moderates costs even in high-target environments.

🏥 Average Data Breach Cost by Industry

Healthcare has held the top position for 15 consecutive years at $7.42 million per breach, though this dropped $2.35 million from 2024's $9.77 million. Financial services follows at $5.56 million, driven by the direct monetary value of financial data and heavy regulatory requirements. Industrial/manufacturing ranks third at $5.00 million, reflecting operational downtime pressure.

Energy ($4.83M), technology ($4.79M), and pharmaceuticals ($4.61M) round out the top six. Professional services ($4.56M) and entertainment ($4.43M) sit near the global average. Retail ($3.54M) is lowest among major sectors — payment card data is easier to invalidate than health records or intellectual property.

Healthcare's Cost Decline and What It Means

Healthcare breach costs dropped from $9.77 million (2024) to $7.42 million (2025) — a $2.35 million reduction. This is notable because healthcare held the top spot at $9+ million for years. The decline reflects increased AI adoption in clinical security, improved incident response maturity after high-profile attacks (Change Healthcare, Ascension), and better ransomware preparedness. However, at $7.42M, healthcare remains 67% above the global average.

Financial Services: The Regulatory Cost Driver

Financial services breaches cost $5.56 million, driven by stringent regulatory requirements (SEC, OCC, FFIEC), mandatory breach notifications to customers and regulators, and the direct monetary value of financial data. Financial institutions face 300x more attacks than other industries (KnowBe4 2025). 32% of breaches result in regulatory fines, and nearly half of those fines exceed $100,000.

Industries Bucking the Cost Decline Trend

While most industries reported year-over-year breach cost declines in 2025, several sectors saw costs increase: entertainment, media, hospitality, education, research, retail, and the public sector (IBM 2025). These sectors typically have lower security maturity, fewer AI/automation deployments, and smaller security teams. Their rising costs reflect the widening gap between AI-equipped and unequipped organizations.

🎯 Data Breach Cost by Attack Vector

Malicious insider attacks cost $4.92 million per breach — the highest of any initial attack vector. Ransomware and extortion breaches cost $5.08 million when including recovery costs. Supply chain compromises average $4.91 million, with third-party breaches doubling year-over-year to 30% of all incidents (IBM 2025).

Stolen and compromised credentials remain the most common vector, costing $4.81 million per breach. Phishing replaced credentials as the top initial attack vector at 16% of breaches (IBM 2025). AI-driven attacks cost $4.49 million, and one in six organizations experienced an AI-driven breach. Breaches spanning multiple environments cost $5.05 million — the highest among environmental factors.

Supply Chain Breaches Double Year-Over-Year

Third-party and supply chain breaches doubled to 30% of all incidents in 2025 (IBM). Supply chain compromises average $4.91 million, driven by extended detection timelines — organizations often cannot detect breaches originating in vendor systems as quickly as internal incidents. The attack surface compounds with each vendor relationship: a single compromised supplier can affect hundreds of downstream organizations.

Breaches spanning multiple environments (on-premises, cloud, hybrid) cost $5.05 million — the highest of any environmental factor. 62% of breaches involved data stored across multiple environments, complicating forensic investigation and containment. Organizations with on-premises-only environments pay $4.01M, while hybrid cloud environments reduce costs to $3.80M, suggesting that cloud-native security controls offset the complexity of distributed infrastructure.

⏱️ Time to Detect and Contain a Data Breach

The average breach lifecycle dropped to 241 days in 2025, down from 258 days in 2024 — a nine-year low. Organizations take 181 days to identify a breach and 60 days to contain it. Healthcare breaches take 279 days, 38 days longer than the global average. Public cloud breaches average 247 days.

Lifecycle directly correlates with cost. Breaches resolved in under 200 days cost $3.87 million, while those exceeding 200 days cost $5.01 million — a $1.14 million penalty. AI/automation reduces detection time from 72+ days to 51 days. XDR technology cuts the full lifecycle by 55 days. Only 2% of organizations recover in under 50 days, while 76% need more than 100 days.

Healthcare and Cloud: The Longest Lifecycles

Healthcare breach lifecycles average 279 days — 38 days longer than the 241-day global average. This reflects legacy system complexity, the difficulty of patching medical devices in clinical environments, and the challenge of securing electronic health records across distributed healthcare networks. The extended lifecycle directly correlates with healthcare's position as the costliest industry for breaches.

Public cloud breaches average a 247-day lifecycle, slightly above the global average. Multi-environment breaches (spanning on-premises, cloud, and hybrid infrastructure) take even longer to contain, as forensic teams must coordinate across different platforms, access controls, and logging systems. Organizations with XDR technology reduce their lifecycle by 55 days, making cross-platform threat detection and response the most impactful lifecycle reduction tool.

The $1.14 Million Question: Why Speed Matters

The $1.14 million gap between fast resolution ($3.87M for breaches under 200 days) and slow resolution ($5.01M for those exceeding 200 days) represents the clearest ROI calculation in cybersecurity. Every day an attacker spends inside the environment increases the scope of compromise. Lateral movement, privilege escalation, data staging, and exfiltration all compound with time. The 200-day threshold is not arbitrary — it represents the point at which containment costs, regulatory exposure, and customer notification obligations compound non-linearly.

Internal detection saves $900,000 versus attacker disclosure. Organizations that detect breaches through their own security monitoring have faster containment and lower costs than those where the attacker reveals the breach (through ransom demands or data publication). Only 2% of organizations recover in under 50 days, illustrating how rare truly fast incident response is. This underscores the value of tabletop exercises, automated playbooks, and pre-negotiated retainers with incident response firms.

🤖 AI Impact on Data Breach Costs

AI's impact on data breach costs is the most important finding in the IBM 2025 report. It operates on both sides: AI deployed defensively reduces costs by $1.9M per breach, while AI deployed by attackers creates new breach vectors costing $4.49M per incident. Shadow AI — unauthorized AI tools used by employees — adds $670K in additional cost. Understanding this dual dynamic is critical for every security leader in 2026.

AI and automation in security operations delivers the largest single cost reduction of any factor. Organizations with extensive deployment pay $3.62 million per breach versus $5.52 million without — a 34% reduction and $1.9 million in savings. Detection drops from 72+ days to 51 days with AI-powered tools.

Shadow AI presents the opposite risk. 20% of breaches involve shadow AI (unauthorized AI tools), adding $670,000 to the average breach cost. 97% of organizations lack proper AI access controls, and 63% have no AI governance framework. Shadow AI breaches expose PII at higher rates (65% vs 53% globally) and intellectual property more frequently (40% vs 33%). One in six organizations experienced AI-driven attacks in 2025, with AI-enabled breaches costing $4.49 million.

Shadow AI: The Hidden Cost Amplifier

Shadow AI — the use of unauthorized AI tools, models, and services by employees without security oversight — has emerged as a significant breach cost amplifier. 20% of breaches now involve shadow AI, adding $670,000 to the average cost. The problem is governance: 97% of organizations lack proper AI access controls, 63% have no AI governance framework, and only 37% have shadow AI detection policies.

Shadow AI breaches are more damaging because they expose sensitive data at higher rates. 65% of shadow AI breaches compromise PII (vs 53% globally), and 40% expose intellectual property (vs 33% globally). 29% of AI-related breaches originate from third-party SaaS services, and 26% from open-source AI models — both vectors that bypass traditional security controls.

📄 Data Breach Cost Per Record

Intellectual property records carry the highest per-record cost at $178, followed by employee PII at $168 and customer PII at $160. Anonymized or non-PII data costs $141 per record. Customer PII is involved in 53% of all breaches, making it both the most common and most consistently targeted data type.

At the mega-breach scale (50-60 million records), costs reach an average of $375 million per incident (IBM 2025). The per-record cost decreases at scale due to fixed incident costs being spread across more records, but the absolute cost becomes catastrophic. Shadow AI breaches expose PII at higher rates than non-AI breaches.

Why Customer PII Dominates Breaches

Customer PII is involved in 53% of all breaches (IBM 2025), making it both the most commonly targeted and most consistently compromised data type. At $160 per record, a breach involving 1 million customer records costs approximately $160 million in per-record costs alone — before adding fixed costs for detection, notification, and legal fees.

Employee PII ($168/record) carries a higher per-record cost because it often includes internal system credentials, payroll data, and health information that enables further attacks. Anonymized or non-PII data costs $141 per record, 12% less than customer PII, but is still valuable to attackers for training AI models, building customer profiles, or conducting competitive intelligence.

Protecting High-Value Records

Organizations holding intellectual property should implement data classification, DLP (Data Loss Prevention), and encrypted storage as baseline controls. IP records cost 11% more per record than customer PII ($178 vs $160), and unlike financial data, stolen IP cannot be cancelled or replaced. The damage is permanent competitive loss — a pharmaceutical company losing drug trial data, a tech company losing source code, or a defence contractor losing classified designs.

Employee PII ($168/record) deserves equal attention. Compromised employee credentials enable further attacks — lateral movement, privilege escalation, and access to customer data. Employee health records, payroll information, and internal communications carry both financial and reputational risk. Organizations should treat employee data protection with the same rigour as customer data protection.

🏢 SMB vs Enterprise Data Breach Costs

SMBs face a fundamentally different breach cost equation. While their absolute breach cost is lower ($3.31M average), the relative impact is disproportionately severe. 60% of small businesses fail within six months of a cyberattack (NCSA). 88% of SMB breaches involve ransomware (Verizon DBIR 2025), and many face bankruptcy post-attack.

The vulnerability gap is stark. 47% of SMBs lack incident response plans (Keeper). Many lack dedicated security staff, cyber insurance, or AI-powered detection tools that reduce enterprise breach costs by 34%. SMB downtime costs compound rapidly, and the average recovery cost reaches significant levels. Without the scale to absorb breach costs, a single incident can be existential.

Why SMBs Face Disproportionate Risk

The data breach cost gap between SMBs and enterprises is narrowing in absolute terms, but widening in relative impact. SMBs lack the three factors that most reduce breach costs: AI/automation (requires investment), dedicated IR teams (requires headcount), and DevSecOps (requires maturity). 88% of SMB breaches involve ransomware (Verizon DBIR 2025), compared to lower rates in large enterprises that have better backup and recovery infrastructure.

SMB-specific downtime costs compound rapidly. Without redundant systems, a ransomware attack can halt all operations. 47% lack incident response plans. Many cannot afford forensic investigators or legal counsel. Cyber insurance adoption is growing but remains uneven: larger SMBs (250-1,000 employees) have higher adoption rates than micro-businesses (10-50 employees). The result is a two-tier SMB security landscape where the largest small businesses survive attacks while the smallest do not.

📈 Cost Factors That Increase Data Breach Cost

Several factors amplify breach costs above the $4.44 million average. The most significant: cybersecurity skills shortages push breach costs to $5.22 million, a 17.6% premium. Breaches spanning multiple environments cost $5.05 million. Slow resolution (>200 days) adds $1.14 million versus faster containment. Compliance failures add approximately $500,000 in penalties and remediation costs.

Shadow AI involvement adds $670,000 to breach costs. Third-party breaches doubled to 30% of all incidents in 2025, introducing supply chain complexity that slows detection and increases cost. On-premises-only environments cost $4.01 million, slightly below average but lacking the detection advantages of cloud-native security tooling.

Compliance Failures: A Preventable Cost Amplifier

Organizations with high levels of compliance failures pay approximately $500,000 more per breach than those in compliance (IBM 2025). 32% of all breaches now result in regulatory fines, and 48% of those fines exceed $100,000. This is not just a GDPR or HIPAA issue — SEC rules requiring disclosure within four business days, new state privacy laws, and AI governance regulations are expanding the compliance surface.

The cost amplification from compliance failures is particularly severe for organizations in regulated industries. Financial services, healthcare, and critical infrastructure face the highest regulatory scrutiny. Non-compliance extends the breach lifecycle as organizations scramble to meet notification deadlines, engage legal counsel, and remediate in parallel.

The Multi-Environment Challenge

Breaches spanning multiple environments (on-premises + public cloud + private cloud) cost $5.05 million — 14% above the global average. 62% of breaches now involve data stored across multiple environments. The forensic challenge is significant: investigating a breach across AWS, Azure, on-premises Active Directory, and SaaS applications requires different tools, different log formats, and different access controls. This extends detection time and increases analyst workload.

📉 Cost Factors That Decrease Data Breach Cost

AI and automation deliver the largest cost reduction at $3.62 million per breach (34% below organizations without it). DevSecOps approaches lower costs to $3.89 million. Fast resolution under 200 days saves $1.14 million versus slower containment. Hybrid cloud environments reduce costs to $3.80 million, below both on-premises and multi-environment averages.

Involving law enforcement saves an average of $990,000 per breach (IBM 2025). Internal breach detection (rather than attacker disclosure) saves $900,000. XDR technology reduces the breach lifecycle by 55 days, translating to meaningful cost savings. The consistent theme: faster detection, automated response, and practiced incident response plans all reduce costs significantly.

Building the Business Case for Security Investment

These cost-reduction factors provide the clearest business case for cybersecurity investment. A CFO asking “What is the ROI of our security spend?” can now reference specific IBM data: AI/automation saves $1.9M per breach, DevSecOps saves $550K, law enforcement engagement saves $990K, and fast detection saves $1.14M. These are not theoretical projections — they are measured outcomes from 604 organizations.

The most cost-effective investments for most organizations: (1) Deploy AI-powered threat detection — largest single ROI at $1.9M savings. (2) Test your incident response plan — reduces lifecycle and cost. (3) Involve law enforcement immediately after breach discovery — $990K savings with zero investment required. (4) Adopt DevSecOps — shifts security left, catches vulnerabilities before deployment. (5) Implement XDR — 55-day lifecycle reduction across multiple environments.

📅 Historical Data Breach Cost Trends (2019–2025)

IBM has published the Cost of a Data Breach Report for 19 consecutive years, studying 6,000+ organizations. The trend line shows steady escalation with two notable exceptions: a pandemic-related dip in 2020 ($3.86M) and the first decline in five years in 2025 ($4.44M). The 2023-2024 spike (+9.7%) was the steepest since the pandemic.

The 2025 decline to $4.44M reflects measurable improvements in breach detection and containment, with the average lifecycle dropping to 241 days (a nine-year low). AI and automation adoption is the primary driver. However, costs in 2025 remain 13% above 2019 levels ($3.92M), confirming the long-term upward trajectory. US-specific costs continue to rise, reaching $10.22M — an all-time high — despite the global decline.

Year-by-Year Analysis

2019 ($3.92M): Pre-pandemic baseline. This figure established the floor from which COVID-era costs would diverge. Organizations operated primarily on-premises with traditional security stacks. AI in security was nascent.

2020 ($3.86M): A pandemic-related dip. Reduced business activity meant fewer breach opportunities, but the shift to remote work planted the seeds for future increases. Shadow IT expanded rapidly as employees adopted unauthorized cloud services.

2021 ($4.24M): A 10% surge as pandemic-era vulnerabilities were exploited. Remote work infrastructure, hastily deployed VPNs, and expanded cloud attack surfaces drove costs up. Supply chain attacks (SolarWinds, Kaseya) demonstrated cascading breach economics.

2022 ($4.35M): Continued moderate growth. Ransomware matured as a business model with RaaS (Ransomware-as-a-Service) lowering barriers to entry. Critical infrastructure targeting increased.

2023 ($4.45M): Costs stabilized as organizations began deploying AI-powered security tools at scale. The GenAI boom introduced new attack surfaces (prompt injection, model theft) while also providing new defense capabilities.

2024 ($4.88M): The steepest increase since the pandemic (+9.7%). Lost business costs and post-breach customer response drove the spike. Shadow AI emerged as a new cost amplifier.

2025 ($4.44M): The first decline in five years (-9.0%). AI/automation adoption in security operations was the primary driver. The average breach lifecycle dropped to 241 days, a nine-year low. However, US-specific costs reached an all-time high of $10.22M, demonstrating that the decline is not universal.

🔮 Breach Cost Predictions and Future Trends

Global cybercrime costs are projected to reach $15.63 trillion by 2029 (Cybersecurity Ventures). The cybersecurity market is forecast to grow to $562 billion by 2034 (Precedence Research). IDC projects security spending will reach $377 billion by 2028. These projections assume continued escalation in AI-enabled attacks, supply chain complexity, and regulatory requirements.

AI will shape both sides of the breach cost equation. Gartner projects 17% of cyberattacks will use GenAI by 2027. Shadow AI and agentic AI are emerging as new attack surfaces. Simultaneously, AI-powered defense is the primary factor driving breach costs down. Organizations that adopt AI security controls early will widen the cost gap further, while those without will face escalating premiums.

What Will Drive Breach Costs Higher

Several forces will push breach costs upward. AI-enabled attacks are accelerating in sophistication and volume — Gartner projects 17% of cyberattacks will use GenAI by 2027. Supply chain complexity continues to grow as organizations rely on more SaaS vendors and cloud services. Regulatory requirements are expanding: the EU AI Act, new SEC disclosure rules, and state-level privacy laws (13 new state laws in 2024 alone) will add compliance costs to every breach.

Agentic AI — autonomous AI systems that can take actions without human oversight — represents the next attack surface. SentinelOne projects agentic phishing will account for 42% of global breaches by 2026. Shadow AI governance gaps will widen as employees adopt AI tools faster than security teams can evaluate them.

What Will Drive Breach Costs Lower

AI-powered defense is the primary countervailing force. As more organizations deploy AI/automation in security (currently adopted by a growing majority of security teams), the average detection time will continue falling. XDR, SOAR, and AI-native SIEM platforms are reducing mean-time-to-detect and mean-time-to-respond. The cybersecurity skills gap may narrow as AI augments existing teams, enabling smaller security operations to match larger ones in coverage.

Cyber insurance maturation will also moderate costs. As insurers require better security controls (MFA, endpoint detection, backup verification), the baseline security posture improves. The global cyber insurance market is approaching $20 billion (Munich Re 2024), creating financial incentives for security investment. Organizations with cyber insurance have both financial coverage and mandated security hygiene.

Breach Cost Projections: 2026-2030

Based on the 2019-2025 trajectory (2.1% CAGR) and adjusting for AI adoption acceleration, we project the global average breach cost will remain in the $4.2-4.8M range through 2027 for AI-equipped organizations, while rising to $5.5-6.0M for those without AI security controls. The divergence between these groups will be the defining trend in breach economics.

US-specific breach costs are likely to continue rising regardless of global trends, driven by regulatory complexity, litigation costs, and the concentration of high-value targets. Healthcare costs may stabilize in the $7-8M range as AI adoption matures in clinical settings. Financial services costs will face upward pressure from new SEC and OCC requirements. The public sector and education, currently among the lowest-cost industries, face the steepest upward trajectory as they lag in AI/automation adoption.

Supply chain and third-party breach costs will grow fastest. As organizations integrate more AI-powered SaaS services, each vendor relationship adds attack surface. The organizations that implement continuous vendor risk monitoring, zero-trust network architecture, and AI governance frameworks will avoid the worst cost escalation. Those that do not will face compounding costs from both direct breaches and third-party compromises.

✅ Key Takeaways

Actionable Recommendations by Role

❓ Frequently Asked Questions