The 2025 Cost of a Data Breach Report by IBM reveals a drop in the worldwide average data breach cost. However, the average cost of a U.S. data breach increased by 9.2% to $10.22 million, up from $9.36 million in 2024. The increase in U.S. breach costs was driven mostly by higher regulatory penalties and higher detection and escalation expenses. Globally, the average breach cost dropped for the first time in five years, to $4.44 million.
IBM has published its data breach cost report for the past 20 years. The 2025 study involved 600 institutions of different sizes across 16 countries and regions. Of the 600 institutions contributing to the study, 16% were based in the U.S. and Canada. The report draws on data from institutions in 17 sectors; 2% were from the healthcare sector, including HIPAA-compliant entities.
The cost of healthcare data breaches in the U.S. dropped by $2.35 million year-over-year to $7.42 million. Although the cost of a healthcare data breach dropped considerably, healthcare data breaches have remained the most expensive of all sectors for the past 14 years.
Globally, the average time to identify and contain a data breach was 241 days, 17 days fewer than in 2024. IBM attributed the shorter average breach lifecycle mostly to more institutions discovering breaches internally rather than learning of them from a ransom note. Healthcare data breaches took longer to identify and contain than the global average, with a lifecycle of 279 days.
The leading initial access vectors in 2025 were phishing (about 16% of data breaches), supply chain compromise (15%) and stolen credentials (10%). Ransomware remains a challenge for healthcare companies; nevertheless, more companies are choosing not to pay the ransom. In 2024, 59% of companies that experienced a ransomware attack did not pay, rising to 63% in 2025. With fewer companies paying, attackers are demanding higher ransoms, averaging $5.08 million. Fewer ransomware victims reported attacks to law enforcement (52% in 2024 versus 40% in 2025), even though law enforcement assistance lowered breach costs by about $1 million last year.
Data breaches almost always cause operational problems, with nearly all breached companies reporting some operational disruption. Most breached companies spent over 100 days recovering from the breach. Although breached companies usually absorb breach costs themselves, in 2025 nearly 50% of companies that experienced a data breach said they would raise the prices of goods and services as a result, with nearly one-third intending to raise prices by 15% or more.
Every year, the Cost of a Data Breach Report identifies the primary contributors to breach costs. This year's largest cost components were:
- Identification and escalation – $1.47 million
- Lost income – $1.38 million
- After-breach response – $1.2 million
IBM says that identification and escalation costs dropped by about 10% compared with last year, and lost income and after-breach response costs likewise dropped.
Based on the $4.88 million global average breach cost, the factors that most reduced data breach costs were the following:
- Implementing a DevSecOps approach – $227K
- AI-driven and ML-driven information – $223K
- Security statistics or SIEM – $212K
- Threat intelligence – $211K
- Data encryption – $208K
The major factors that elevated breach costs include the following:
- Supply chain breaches – $227K
- Complexity of security systems – $207K
- Shadow IT – $200K
- Adoption of AI tools – $193.5K
Shadow IT refers to the unauthorized use of software programs and devices. It was among the top three factors that increased data breach costs in 2025. Shadow IT expands the attack surface and creates security blind spots. IBM states that many companies are unable to identify shadow IT, so it remains undiscovered and gives attackers an easy, exploitable entry point into systems. On average, companies with more shadow IT incurred more than $670K in additional breach costs compared with companies with less shadow IT.
The 2025 IBM report also examined the use of AI and found that AI adoption is outpacing governance. Most companies that have deployed AI solutions said they had no AI governance guidelines to reduce or manage AI-related risk, and companies without AI governance spent more when breached. IBM found that AI models and applications are increasing the attack surface, particularly through shadow AI. In 2025, 13% of companies reported a security incident involving an AI model or application that led to a data breach, and 97% of those breached companies said they lacked appropriate AI access controls.
Threat actors are increasingly using generative AI to speed up malware creation and to generate text and images for social engineering and phishing campaigns. IBM studied the prevalence of AI-driven attacks and found that attackers used AI in 16% of breaches, most commonly for phishing (37%) and deepfakes (35%).
In 2024, nearly two-thirds of companies said they would increase cybersecurity spending over the following 12 months; this year, only 49% of companies plan to invest more over the next 12 months. Fewer than half of the companies planning to spend more on security said they were focusing on AI-driven solutions or services.