Form: Cost-of-Breach Disclosure
Source: IBM 2025
Filed: 28 Apr 2026
DataBreachCost.com
Schedule 03 / By Industry
IBM 2025, 17 sectors classified

Sector ranking

Healthcare breaches cost 1.67x the global average.

Sector cost differences are not noise: they reflect data sensitivity, regulatory regime, and the speed at which an incident becomes a regulator's problem. Below are IBM's 2025 figures, ranked by average total cost.

Direct answer / IBM 2025 average breach cost by industry

The IBM Cost of a Data Breach Report 2025 puts the global average breach at $4.44M. By industry, healthcare is the most expensive for the 14th consecutive year at $7.42M, followed by financial services $5.56M, industrial $5M, energy $4.83M, and technology $4.79M. Retail sits well below average at $3.54M, education at $3.8M, and the public sector lowest at $2.86M.

Sector / 2025 avg total cost
Healthcare / $7.42M
Financial Services / $5.56M
Technology / $4.79M
Retail / $3.54M
Education / $3.8M
Public Sector / $2.86M

Source: IBM Cost of a Data Breach Report 2025 (Figure 3, all 17 sectors below). Last verified June 2026.

Section 03.1 / Sector ranking

Average breach cost by industry, IBM 2025

Rank / Sector / Primary regulation / 2025 avg total cost / YoY change
01 / Healthcare / HIPAA / $7.42M / -24%
02 / Financial Services / PCI DSS, GLBA / $5.56M / -9%
03 / Industrial / NIST, ICS / $5M / -10%
04 / Energy / NERC CIP / $4.83M / -9%
05 / Technology / SOX, GDPR / $4.79M / -12%
06 / Pharmaceuticals / FDA, GxP / $4.61M / -10%
07 / Services / Varies / $4.56M / -10%
08 / Entertainment / Varies / $4.43M / +8%
09 / Media / Varies / $4.22M / +7%
10 / Hospitality / PCI DSS / $4.03M / +5%
11 / Transportation / TSA, CISA / $3.98M / -10%
12 / Education / FERPA / $3.8M / +9%
13 / Research / Varies / $3.79M / +7%
14 / Communications / FCC, GDPR / $3.75M / -8%
15 / Consumer / CCPA, GDPR / $3.72M / -5%
16 / Retail / PCI DSS / $3.54M / +2%
17 / Public Sector / FISMA, FedRAMP / $2.86M / +12%

Primary source: IBM Cost of a Data Breach Report 2025.

Section 03.2 / Sector deep-dive

Why each sector pays what it does

Rank #01

Healthcare

2024: $9.77M / Regulation: HIPAA / YoY: -24%

2025 avg total cost: $7.42M

A full medical record sells for hundreds of dollars on criminal marketplaces, versus about $5 for a credit card number. HIPAA mandates extensive notification and remediation, and disruption to patient care creates massive operational liability. Healthcare has been #1 for 14 consecutive years.

Key regulations

HIPAA / HITECH Act / State breach notification laws

Notable breaches

  • Change Healthcare (UnitedHealth) / 2024 / $2.45B
    Primary source: UnitedHealth Group 10-Q filings, 2024-2025
  • Anthem / 2015 / $260M
    Primary source: OCR settlement, multistate AG settlement, SEC 10-K filings
  • Premera Blue Cross / 2014 / $74M
    Primary source: OCR settlement, public regulator filing

Rank #02

Financial Services

2024: $6.08M / Regulation: PCI DSS / GLBA / YoY: -9%

2025 avg total cost: $5.56M

Financial data triggers immediate fraud risk and rapid regulatory response. PCI DSS compliance failures trigger steep fines. Customer churn is severe (account closures), and card reissuance costs banks $5-$15 per card. Regulators pursue penalties more aggressively than in most sectors.

Key regulations

PCI DSS / Gramm-Leach-Bliley / SOX / GDPR and state laws

Notable breaches

  • Equifax / 2017 / $1.4B+
    Primary source: FTC settlement order, 2019; SEC 10-K filings
  • Capital One / 2019 / $300M+
    Primary source: OCC consent order; SEC 10-K filings
  • JPMorgan Chase / 2014 / $1B+ (program)
    Primary source: DOJ securities fraud indictment

Rank #03

Industrial

2024: $5.56M / Regulation: NIST / ICS / YoY: -10%

2025 avg total cost: $5M

Manufacturing breaches increasingly target OT/ICS systems. IP theft of product designs, processes, and formulas is the primary risk. Supply-chain disruption costs multiply quickly. Ransomware impact on production lines can cost millions per day.

Key regulations

NIST CSF / IEC 62443 / GDPR and CCPA

Notable breaches

  • Honda (EKANS ransomware) / 2020 / Undisclosed
    Primary source: Honda official disclosure to media

Rank #04

Energy

2024: $5.29M / Regulation: NERC CIP / YoY: -9%

2025 avg total cost: $4.83M

Critical-infrastructure status means breaches can trigger national-security responses. Operational technology (OT/SCADA) is intertwined with IT, which extends the blast radius of an intrusion. Physical-safety implications raise regulatory scrutiny dramatically.

Key regulations

NERC CIP / TSA Pipeline directives / GDPR

Notable breaches

  • Colonial Pipeline / 2021 / $15M+
    Primary source: DOJ FBI press release; Colonial board statements
  • Norsk Hydro / 2019 / $71M
    Primary source: Norsk Hydro Q1 2019 earnings disclosure

Rank #05

Technology

2024: $5.45M / Regulation: SOX / GDPR / YoY: -12%

2025 avg total cost: $4.79M

Tech firms hold massive volumes of third-party customer data, creating supply-chain liability. High-value IP (source code, AI model weights) amplifies damage beyond PII. Sophisticated attackers target tech firms as stepping stones to their customers.

Key regulations

GDPR / CCPA / SOX (public companies)

Notable breaches

  • SolarWinds / 2020 / $100M+
    Primary source: SEC enforcement action; SolarWinds 10-K
  • Yahoo / 2013 / $470M+
    Primary source: Verizon acquisition price reduction; SEC filings
  • Facebook / Meta / 2019 / $5B FTC fine
    Primary source: FTC consent order, 2019

Rank #06

Pharmaceuticals

2024: $5.1M / Regulation: FDA / GxP / YoY: -10%

2025 avg total cost: $4.61M

Pharma breaches often involve proprietary drug formulas and clinical-trial data. IP loss adds value far beyond PII. Regulatory scrutiny is high, and patient-safety implications elevate severity.

Key regulations

FDA 21 CFR Part 11 / GxP / GDPR / HIPAA (clinical)

Notable breaches

  • Merck (NotPetya) / 2017 / $1.35B
    Primary source: Merck SEC 10-K, 2017-2019
  • Pfizer employee data leak / 2020 / Undisclosed
    Primary source: California AG complaint

Rank #07

Services

2024: $5.08M / Regulation: Varies / YoY: -10%

2025 avg total cost: $4.56M

Professional and managed-service firms hold client data subject to that client's regulations. Contract penalty clauses and the loss of enterprise relationships drive cost. Reputation damage compounds because trust is the product.

Key regulations

Varies by client industry / GDPR / CCPA

Notable breaches

  • Accenture / 2021 / Undisclosed
    Primary source: LockBit ransomware leak site, public confirmation

Rank #08

Entertainment

2024: $4.09M / Regulation: Varies / YoY: +8%

2025 avg total cost: $4.43M

Rank #09

Media

2024: $3.94M / Regulation: Varies / YoY: +7%

2025 avg total cost: $4.22M

Rank #10

Hospitality

2024: $3.82M / Regulation: PCI DSS / YoY: +5%

2025 avg total cost: $4.03M

Rank #11

Transportation

2024: $4.43M / Regulation: TSA / CISA / YoY: -10%

2025 avg total cost: $3.98M

Rank #12

Education

2024: $3.5M / Regulation: FERPA / YoY: +9%

2025 avg total cost: $3.8M

Education records contain long-lived sensitive data (SSNs, financial-aid details, mental-health records) that persists for decades. Under-resourced IT departments leave institutions exposed. FERPA compliance adds notification requirements.

Key regulations

FERPA / COPPA / HIPAA (campus health) / State laws

Notable breaches

  • Los Angeles Unified School District / 2022 / Undisclosed
    Primary source: Public LAUSD board statements
  • Lincoln College (forced closure) / 2022 / Closure
    Primary source: Lincoln College official closure announcement

Rank #13

Research

2024: $3.54M / Regulation: Varies / YoY: +7%

2025 avg total cost: $3.79M

Rank #14

Communications

2024: $4.09M / Regulation: FCC / GDPR / YoY: -8%

2025 avg total cost: $3.75M

Rank #15

Consumer

2024: $3.91M / Regulation: CCPA / GDPR / YoY: -5%

2025 avg total cost: $3.72M

Rank #16

Retail

2024: $3.48M / Regulation: PCI DSS / YoY: +2%

2025 avg total cost: $3.54M

Retail typically holds payment card data, which has a lower per-record value than healthcare records. High record volume partially offsets the lower per-record cost. PCI DSS provides a clear compliance framework. Customer churn is moderate because loyalty is often price-driven.

Key regulations

PCI DSS / GDPR and CCPA / State breach laws

Notable breaches

  • Target / 2013 / $292M
    Primary source: Target SEC 10-K filings 2013-2017
  • Home Depot / 2014 / $198M
    Primary source: Home Depot SEC 10-K 2014; AG settlements
  • TJX / 2007 / $256M
    Primary source: TJX SEC filings; FTC settlement

Rank #17

Public Sector

2024: $2.55M / Regulation: FISMA / FedRAMP / YoY: +12%

2025 avg total cost: $2.86M

Lower per-record cost, but enormous record volumes and political consequences. Government breaches can compromise national security. Remediation is slow because of procurement processes.

Key regulations

FISMA / FedRAMP / OMB guidance

Notable breaches

  • OPM / 2015 / $133M+
    Primary source: OPM IG report; House Oversight hearings
  • SolarWinds (federal agencies) / 2020 / Undisclosed
    Primary source: CISA Emergency Directive 21-01

Primary source: IBM Cost of a Data Breach Report 2025. Notable breach cost figures are sourced from public SEC filings, regulator orders, AG settlements, and OCR enforcement actions. Last verified June 2026.

Index / Companion schedules

Healthcare breach lifecycle: 279 days, the longest of any sector to identify and contain.
