Form: Cost-of-Breach Disclosure / Source: IBM 2025 / Filed: 28 Apr 2026
DataBreachCost.com
Schedule 03 / By Industry / IBM 2025, 16 sectors classified (top 10 shown below)

Sector ranking

Healthcare costs 1.67x the global average ($7.42M against IBM's 2025 global average of $4.44M).

Sector cost differences are not noise: they reflect data sensitivity, the regulatory regime, and how quickly an incident becomes a regulator's problem. The figures below are IBM's 2025 averages, ranked by average total cost per breach.

Section 03.1 / Sector ranking

Average breach cost by industry, IBM 2025

Sector               Primary regulation       Avg total cost   YoY change
Healthcare           HIPAA                    $7.42M           -24%
Financial Services   PCI DSS / GLBA           $5.56M            -4%
Pharmaceuticals      FDA / GxP                $5.01M            +3%
Technology           SOX / GDPR               $4.97M            +2%
Energy               NERC CIP                 $4.72M            +6%
Services             Varies                   $4.43M            -1%
Education            FERPA                    $3.80M            +5%
Industrial           NIST / ICS               $3.28M            -8%
Government           FISMA / FedRAMP          $2.83M            +1%
Retail               PCI DSS                  $2.96M            -3%

Primary source: IBM Cost of a Data Breach Report 2025.

Section 03.2 / Sector deep-dive

Why each sector pays what it does

Rank #01

Healthcare

Per record: $408 / Regulation: HIPAA / YoY: -24%

$7.42M

avg total cost

A complete medical record has sold for hundreds of dollars on criminal markets, versus single-digit dollars for a payment card number, because it cannot be reissued and supports identity, insurance and prescription fraud for years. HIPAA's Breach Notification Rule requires notifying affected individuals within 60 days of discovery and, for breaches affecting 500 or more people, HHS and prominent media outlets as well; patient-care disruption adds operational and liability cost on top. Healthcare has been the costliest sector for 15 consecutive years of the IBM report.

Key regulations

HIPAA / HITECH Act / State breach notification laws

Notable breaches

  • Change Healthcare (UnitedHealth) / 2024 / $2.45B
    Primary source: UnitedHealth Group 10-Q filings, 2024-2025
  • Anthem / 2015 / $260M
    Primary source: California AG settlement, $260M total
  • Premera Blue Cross / 2014 / $74M
    Primary source: class-action settlement, 2019; OCR separately settled for $6.85M in 2020

Rank #02

Financial Services

Per record: $228 / Regulation: PCI DSS / GLBA / YoY: -4%

$5.56M

avg total cost

Financial data triggers immediate fraud risk and rapid regulatory response. PCI DSS non-compliance found after a breach brings card-brand fines and assessments passed through the acquirer. Customer churn is severe (account closures), and card reissuance costs issuers $5-$15 per card. Regulators pursue penalties more aggressively than in most sectors.

Key regulations

PCI DSS / Gramm-Leach-Bliley / SOX / GDPR / state laws

Notable breaches

  • Equifax / 2017 / $1.4B+
    Primary source: FTC settlement order, 2019; SEC 10-K filings
  • Capital One / 2019 / $300M+
    Primary source: OCC consent order; SEC 10-K filings
  • JPMorgan Chase / 2014 / $1B+ (program)
    Primary source: DOJ securities fraud indictment

Rank #03

Pharmaceuticals

Per record: $218 / Regulation: FDA / GxP / YoY: +3%

$5.01M

avg total cost

Pharma breaches often involve proprietary drug formulas and clinical-trial data. IP loss adds value far beyond PII. Regulatory scrutiny is high, and patient-safety implications elevate severity.

Key regulations

FDA 21 CFR Part 11 / GxP / GDPR / HIPAA (clinical)

Notable breaches

  • Merck (NotPetya) / 2017 / $1.35B
    Primary source: Merck SEC 10-K, 2017-2019
  • Pfizer employee data leak / 2020 / Undisclosed
    Primary source: California AG complaint

Rank #04

Technology

Per record: $196 / Regulation: SOX / GDPR / YoY: +2%

$4.97M

avg total cost

Tech firms hold massive volumes of third-party customer data, creating supply-chain liability. High-value IP (source code, AI model weights) amplifies damage beyond PII. Sophisticated attackers target tech firms as stepping stones to their customers.

Key regulations

GDPR / CCPA / SOX (public companies)

Notable breaches

  • SolarWinds / 2020 / $100M+
    Primary source: SEC enforcement action; SolarWinds 10-K
  • Yahoo / 2013 / $470M+
    Primary source: Verizon acquisition price reduction; SEC filings
  • Facebook / Meta / 2019 / $5B FTC fine
    Primary source: FTC consent order, 2019

Rank #05

Energy

Per record: $191 / Regulation: NERC CIP / YoY: +6%

$4.72M

avg total cost

Critical-infrastructure status means breaches can trigger national-security responses. Operational technology (OT/SCADA) intertwines with IT, extending blast radius. Physical-safety implications raise regulatory scrutiny dramatically.

Key regulations

NERC CIP / TSA Pipeline Security Directives / GDPR

Notable breaches

  • Colonial Pipeline / 2021 / $15M+
    Primary source: DOJ / FBI press release on the ransom recovery; Colonial board statements
  • Norsk Hydro / 2019 / $71M
    Primary source: Norsk Hydro Q1 2019 earnings disclosure

Rank #06

Services

Per record: $183 / Regulation: Varies / YoY: -1%

$4.43M

avg total cost

Professional and managed-service firms hold client data subject to that client's regulations. Contract penalty clauses and the loss of enterprise relationships drive cost. Reputation damage compounds because trust is the product.

Key regulations

Varies by client industry / GDPR / CCPA

Notable breaches

  • Accenture / 2021 / Undisclosed
    Primary source: LockBit ransomware leak site, public confirmation

Rank #07

Education

Per record: $170 / Regulation: FERPA / YoY: +5%

$3.8M

avg total cost

Education records contain long-lived sensitive data (SSNs, financial-aid details, mental-health records) that persists for decades and cannot be rotated like a password. Under-resourced IT departments widen the attack surface. FERPA compliance adds notification requirements.

Key regulations

FERPA / COPPA / HIPAA (campus health) / State laws

Notable breaches

  • Los Angeles Unified School District / 2022 / Undisclosed
    Primary source: Public LAUSD board statements
  • Lincoln College (forced closure) / 2022 / Closure
    Primary source: Lincoln College official closure announcement

Rank #08

Industrial

Per record: $155 / Regulation: NIST / ICS / YoY: -8%

$3.28M

avg total cost

Manufacturing breaches increasingly target OT/ICS systems. Theft of IP (product designs, processes, formulas) is the primary risk. Supply-chain disruption costs multiply quickly, and ransomware that halts production lines can cost millions per day of downtime.

Key regulations

NIST CSF / IEC 62443 / GDPR / CCPA

Notable breaches

  • Honda (EKANS ransomware) / 2020 / Undisclosed
    Primary source: Honda official disclosure to media

Rank #09

Government

Per record: $134 / Regulation: FISMA / FedRAMP / YoY: +1%

$2.83M

avg total cost

Lower per-record cost but enormous volumes and political consequences. Government breaches can compromise national security. Remediation is slow due to procurement processes.

Key regulations

FISMA / FedRAMP / OMB guidance

Notable breaches

  • OPM / 2015 / $133M+
    Primary source: OPM IG report; House Oversight hearings
  • SolarWinds (federal agencies) / 2020 / Undisclosed
    Primary source: CISA Emergency Directive 21-01

Rank #10

Retail

Per record: $142 / Regulation: PCI DSS / YoY: -3%

$2.96M

avg total cost

Retail typically holds payment card data with lower per-record value than healthcare. High volume partially offsets lower per-record cost. PCI DSS provides a clear compliance framework. Customer churn is moderate as loyalty is often price-driven.

Key regulations

PCI DSS / GDPR / CCPA / State breach laws

Notable breaches

  • Target / 2013 / $292M
    Primary source: Target SEC 10-K filings 2013-2017
  • Home Depot / 2014 / $198M
    Primary source: Home Depot SEC 10-K 2014; AG settlements
  • TJX / 2007 / $256M
    Primary source: TJX SEC filings; FTC settlement

Primary source: IBM Cost of a Data Breach Report 2025. Notable breach cost figures sourced from public SEC filings, regulator orders, AG settlements, and OCR enforcement actions. Last verified April 2026.
