Form: Cost-of-Breach DisclosureSource: IBM 2025Filed: 28 Apr 2026
DataBreachCost.comOpen calc
01 Calculator02 Statistics03 By Industry04 Breaches05 Prevention ROI06 Ransomware07 Small Business08 By Country09 Notification Laws10 Cost Breakdown
Filing 8-K / Item 1.05Material Cybersecurity Incident

Headline figure / IBM 2025

A breach now costs $4.44M on average.

Independent register of breach-cost intelligence. IBM's 2025 figures, the Verizon DBIR, and Sophos ransomware data, presented as browsable, citable web pages instead of gated PDFs. Calculate your specific exposure below.

File an estimate View 2025 statistics

Global avg

$4.44M

-9% YoY

US avg

$10.22M

record high, +9%

Healthcare

$7.42M

#1 for 15 yrs

MTTD

241d

lowest in 9 yrs

AI savings

-$1.9M

extensive AI deploy

IR team

-$2.66M

biggest single saver

IBM Cost of a Data Breach Report 2025. 604 organizations, 17 countries, 16 industries.

Schedule A / Cost-of-Breach EstimatorReal-time / no submit

Section I / Filer Particulars

Breach inputs

Per-record cost: $408 (HIPAA). IBM 2025.

Customer / employee records at risk. IBM avg PII record value: $160.

Multiplier vs $4.44M baseline. Encrypted systems with ransom demand

Section II / Security Controls (IBM 2025 verified savings)

Estimated total exposure

$63,529,592

Critical exposure

vs IBM 2025 avg

1431%

Per record

$1270.59

Records

50,000

Region mult.

x2.30

Schedule B / IBM cost-category split

Where the money goes

Lost business$24.14M (38%)
Detection & escalation$18.42M (29%)
Post-breach response$17.15M (27%)
Notification$3.81M (6%)

IBM Cost of a Data Breach Report 2025, four-category methodology.

Section IV / Comparison band

At $63.53M, your estimated exposure is 14.31x the global IBM 2025 average and 6.22x the US average. The United States regional cost factor is x2.30 (State-by-state).

Index / Companion SchedulesLast verified April 2026

02 Global statistics

$4.44M global, $10.22M US, 241-day MTTD, year-over-year trends, attack-vector costs, AI impact.

03 By industry

Healthcare $7.42M (#1, 15 years). Financial $5.56M. Pharma $5.01M. Tech $4.97M. All 10 sectors.

04 Biggest breaches

Equifax, Marriott, Change Healthcare, MOVEit, 22 verified mega-breaches with sourced cost figures.

05 Prevention ROI

MFA (32x), employee training (15x), AI/automation (6.3x). 10 controls ranked by ROI multiple.

06 Ransomware costs

$5.08M average. $1.32M median demand, $115K-$1M payment range, 64% refuse to pay.

07 Small business

60% close within 6 months. $15K-$3.31M cost ranges by size, common attacks, affordable defence.

08 By country / region

14 IBM regions. US 2.30x global, Brazil 0.31x. GDPR impact and US state notification map.

09 Notification laws

GDPR 72h, all 50 US states + DC, California SB 446 (30 days), penalties for late filing.

10 Cost breakdown

38% lost business, 29% detection, 27% post-breach, 6% notification. The 5-year cost tail.

Schedule 11 / Industry Drilldowns7 sectors with bespoke per-record economics

Healthcare

$7.42M average, $408 per PHI record. 15 years at #1. Change Healthcare, Anthem, Premera.

Financial Services

$5.56M average, $228 per record. 12 years at #2. Equifax, Capital One, JPMorgan.

Technology

$4.97M average, $196 per record. Supply-chain blast radius driving downstream cost.

Retail

$2.96M average, $142 per record. PCI DSS economics. Target, Home Depot, TJX.

Education

$3.80M average, $170 per record. FERPA + state laws. Lincoln College closure precedent.

Government

$2.83M average, $134 per record. FISMA + FedRAMP. OPM 2014-2015 national-security cost.

Energy

$4.72M average. OT/IT convergence. Colonial Pipeline regulatory aftermath.

Schedule 12 / Notable Case Studies8 mega-breaches with sourced cost composition

Equifax 2017

$1.4B+ total cost. 147M records. Apache Struts CVE-2017-5638.

Anthem 2015

$260M+ total cost. 78.8M records. $16M OCR HIPAA settlement (then record).

Target 2013

$292M cumulative. 40M cards + 70M records. HVAC vendor pivot.

Capital One 2019

$300M+ total cost. 106M records. Cloud-misconfig precedent.

Change Healthcare 2024

$2.45B+ disclosed. 190M records. Largest healthcare in US history.

MOVEit 2023

$2.7B aggregate. 2,700+ orgs. Cl0p zero-day supply chain.

Marriott 2018

$350M+ cumulative. 500M Starwood guests. 4-year undetected dwell.

T-Mobile 2021

$500M+ total cost. 77M records. $150M security investment mandate.

Schedule 13 / Regulator Profiles5 regimes with penalty structure detail

GDPR breach fine

4% global revenue or 20M EUR. Meta 1.2B EUR (largest). 72-hour notification.

HIPAA breach penalty

4-tier structure: $137 to $2.07M annual cap. OCR Wall of Shame portal.

CCPA breach fine

$2,500 negligent, $7,500 intentional. $100-$750 private action.

PCI DSS breach cost

$5K-$100K monthly fines + $5-$15 per card reissuance.

SEC Item 1.05

4-business-day cyber disclosure. Stock-price 2-7% typical impact.

Schedule 14 / Cost-Component Drilldowns5 line-item analyses with vendor pricing

Cost per record

$408 PHI down to $134 government. When per-record is reliable, when it breaks.

Notification cost

$1-$3 per letter, $20-$80 per call. Multi-state regulator filing economics.

Credit monitoring

$10-$30 retail, $4-$12 enterprise bulk. Settlement-mandated enrolment.

Forensics investigation

$200-$2,000/hour. Mandiant, CrowdStrike, Kroll, Unit 42 rate cards.

Class-action settlement

$100M-$400M for mega-breaches. $1.50-$5 per class member typical.