Form: Cost-of-Breach Disclosure
Source: IBM 2025
Filed: 28 Apr 2026
DataBreachCost.com
Schedule 02 / Global Statistics
Source: IBM 2025 (n=600, 16 countries / regions)

Headline figure

The average breach cost $4.44M in 2025.

That is down 9% from 2024's record $4.88M, the first significant decline in four years, attributed to AI-powered detection and faster response. The headline conceals regional divergence: US costs rose 9% to $10.22M.

Global average: $4.44M (down 9% from 2024)
US average: $10.22M (record high, +9% YoY)
Healthcare: $7.42M (#1 for 14 consecutive years)
Mean detection: 241 days (lowest in 9 years)

Section 02.1 / Year-over-year trend

Cost trend, 2017 - 2025

The 2017 study marked the first ever decline in the series, falling 10% to $3.62M. Costs then rose almost every year to a record $4.88M in 2024 before declining 9% to $4.44M in 2025. Behind the 2025 global figure: US costs rose 9% to $10.22M, reflecting expanding state regulation and litigation costs.

2017    $3.62M
2018    $3.86M
2019    $3.92M
2020    $3.86M
2021    $4.24M
2022    $4.35M
2023    $4.45M
2024    $4.88M
2025    $4.44M

Primary source: IBM Cost of a Data Breach Report 2017-2025 (Ponemon Institute, activity-based costing). 2017 and 2018 figures from the original Ponemon study releases ($3.62M and $3.86M global average).

Section 02.2 / Cost per record by data type

What each record actually costs

Intellectual property carries the highest per-record cost at $178, reflecting long-term competitive damage and regulatory liability. Employee PII at $168 and customer PII at $160 are driven by notification costs, credit monitoring obligations, and class-action exposure. Even anonymized data sits at $115 because re-identification risks have raised regulatory scrutiny.

Intellectual property    $178 / record
Customer PII             $160 / record
Employee PII             $168 / record
Anonymized data          $115 / record

Primary source: IBM Cost of a Data Breach Report 2025.

Section 02.3 / Detection & containment

The 200-day cost cliff

Mean time to identify and contain dropped to 241 days in 2025, the lowest figure in nine years of IBM research. The 200-day threshold is not arbitrary: breaches detected before that mark cost $3.87M on average; those exceeding it cost $5.01M, a $1.14M (24%) premium.

Mean detection: 241 days (lowest in 9 years)
Under 200 days: $3.87M (fast detection saves)
Over 200 days: $5.01M (24% more expensive)

Breaches detected within 200 days are typically contained before lateral movement, large-scale exfiltration, or persistent access take hold. After that mark, regulatory notification triggers, customer churn, and litigation all become more likely, compounding costs across every category. Supply chain compromises take longest to identify and contain (267 days combined), followed by malicious insiders (260 days); breaches first identified by internal security teams are resolved fastest (172-day mean time to identify).

Primary source: IBM Cost of a Data Breach Report 2025.

Section 02.4 / Cost by initial attack vector

Malicious insiders lead at $4.92M

Malicious-insider breaches are the most expensive initial vector in IBM's 2025 analysis, reflecting detection difficulty and the access an insider already holds. Supply chain compromise follows at $4.91M and surged to the second most common vector (15% of breaches). Phishing replaced stolen credentials as the most common initial vector at 16% of breaches.

Malicious Insider            $4.92M
Supply Chain Compromise      $4.91M
Phishing                     $4.8M
Credential Theft             $4.67M
Denial-of-Service            $4.41M
Vulnerability Exploitation   $4.24M

Primary source: IBM Cost of a Data Breach Report 2025; Verizon DBIR 2025.

Section 02.5 / AI impact

$1.9M saved, $670K shadow penalty

The 2025 report shows a widening gap between organizations that have embraced AI-powered security and those that have not. Companies with extensive AI deployment saved $1.9M per breach on average, the largest single-technology cost difference IBM has ever measured. Shadow AI (unauthorized AI tools used by employees) added $670K to costs, a new 2025 risk category most organizations have not addressed.

AI / automation savings: -$1.9M (per breach, extensive deployment)
Shadow AI cost: +$0.67M (unauthorized AI tool risk)
Lifecycle reduction: 80 days (faster detect & contain)

The organizations benefiting most from AI security are those with mature implementations integrated into their security operations. Buying AI-branded tools without integration yields minimal benefit. Capabilities driving the savings: automated alert triage (reducing false-positive investigation by 90%+), AI-assisted incident investigation (correlating indicators across data sources in seconds), and predictive risk scoring that prioritizes the vulnerabilities most likely to be exploited.

The shadow AI risk is new for 2025. Employees adopt unauthorized AI tools (ChatGPT, Copilot, Gemini) for work tasks and input sensitive data into systems outside the security perimeter. IBM finds breaches involving shadow AI cost an additional $670K on average, driven by expanded attack surface, data leakage through model inputs, and the difficulty of detecting unauthorized tool usage.

Primary source: IBM Cost of a Data Breach Report 2025.

Section 02.6 / Ransomware recovery cost

Ransomware recovery cost $1.53M in 2025

The average cost to recover from a ransomware attack in 2025 was $1.53 million, excluding any ransom paid. That is a 44% fall from $2.73M in 2024, per the Sophos State of Ransomware 2025 survey of 3,400 IT and security leaders across 17 countries. Recovery cost covers downtime, forensics, restoration, and lost business, and is separate from the ransom itself.

Mean recovery cost: $1.53M (excl. ransom, down 44% YoY)
Attacker-disclosed breach: $5.08M (IBM 2025 extortion benchmark)
Refused to pay: 63% (IBM 2025, up from 59%)

The $1.53M recovery figure is the mean cost to restore operations after a ransomware attack, excluding the ransom. The 44% year-over-year drop, the largest Sophos has recorded, tracks the same driver as the falling breach average: faster detection and a maturing reliance on backups over payment. Sophos' 2025 median ransom demand was $1.32M, while the median ransom actually paid fell to roughly $1M for larger organizations.

On the IBM side, a breach where the attacker publicly disclosed the incident, the report's extortion benchmark, averaged $5.08M, well above the $4.44M all-breach average. 63% of organizations refused to pay in IBM's 2025 sample, up from 59% the year before. See the ransomware schedule for full payment economics.

Primary source: Sophos State of Ransomware 2025 (June 2025, 6th annual, n=3,400 across 17 countries); IBM Cost of a Data Breach Report 2025 (attacker-disclosed breach average and refusal rate).

Section 02.7 / Methodology

How IBM measures these figures

The IBM Cost of a Data Breach Report is conducted annually by the Ponemon Institute using activity-based costing (ABC) methodology. The 2025 report analyzed 600 organizations that experienced real data breaches between March 2024 and February 2025, across 16 countries and regions and 17 industries. This is not a survey of hypothetical costs; it measures actual expenditures.

Costs are categorized into four areas: detection and escalation (forensics, investigation, audit, crisis management), notification (contacting affected individuals and regulators), post-breach response (help desk, credit monitoring, legal, identity protection), and lost business (customer churn, revenue loss, reputation damage). Each cost is tracked over two years following the breach, recognizing that litigation and customer churn extend well beyond the initial incident.

Several limitations apply. The sample skews toward larger organizations, so small-business costs may differ significantly. The study relies on estimates from organizational representatives, which may not capture all hidden costs (opportunity cost, executive distraction, long-term competitive damage). Breaches in the study ranged between 2,960 and 113,620 compromised records, so the $4.44M average excludes mega-breach incidents, and IBM cautions against multiplying its per-record figures across breaches involving millions of records.

Primary source: IBM Cost of a Data Breach Report 2025. Last verified: June 2026.
