What is the average cost of a data breach in 2025?

$4.44 million is the global average cost of a data breach in 2025, according to the IBM Cost of a Data Breach Report 2025. That is down 9% from the 2024 record of $4.88 million, the first decline in four years.

How much does a data breach cost in the United States?

$10.22 million is the average cost of a data breach in the United States in 2025, a record high and up 9% year over year. US costs run roughly 2.3 times the $4.44 million global average, per the IBM Cost of a Data Breach Report 2025.

Which industry has the highest data breach costs?

$7.42 million is the average breach cost in healthcare, the highest of any industry for the fourteenth consecutive year. Financial services follows at $5.56 million and industrial at $5.00 million, per the IBM Cost of a Data Breach Report 2025 (Figure 3).

How long does it take to detect a data breach?

241 days is the global mean time to identify and contain a breach in 2025, the lowest in nine years. Breaches contained in under 200 days averaged $3.87 million, versus $5.01 million for those taking longer, per the IBM Cost of a Data Breach Report 2025.

Filing 8-K / Item 1.05Material Cybersecurity IncidentDisclosure register, 2025 figures

Headline figure / IBM 2025

A breach now costs $4.44M on average.

Independent register of breach-cost intelligence. IBM's 2025 figures, the Verizon DBIR, and Sophos ransomware data, presented as browsable, citable web pages instead of gated PDFs. Calculate your specific exposure below.

File an estimate →View 2025 statistics

Global avg

$4.44M

-9% YoY

US avg

$10.22M

record high, +9%

Healthcare

$7.42M

#1 for 14 yrs

MTTD

241d

lowest in 9 yrs

AI savings

-$1.9M

extensive AI deploy

Shadow AI

+$0.67M

added breach cost

Source:IBM Cost of a Data Breach Report 2025, verified June 2026. 600 organizations, 16 countries and regions, 17 industries. Compiled by Oliver Wakefield-Smith.

Schedule A / Cost-of-Breach EstimatorReal-time / no submit

Section I / Filer Particulars

Breach inputs

Industry sector

Sector multiplier x1.67 vs $4.44M global average (HIPAA). IBM 2025, Figure 3.

Organization size

Records exposed

Customer / employee records at risk. IBM avg PII record value: $160.

Attack vector

Multiplier vs $4.44M baseline. IBM's attacker-disclosed extortion breach average ($5.08M).

Country / region

Detection speed

Section II / Security Controls (IBM 2025 cost-factor analysis)

Section IV / AI-Threat Exposure (IBM 2025)

The 2025 AI factors: shadow AI adds up to $0.67M, a security skills shortage up to $1.57M. Governance maturity scales how much shadow-AI exposure you carry.

Shadow-AI usage

No unsanctioned AI tools in use. IBM 2025, Figure 40 (shadow-AI breaches $4.63M vs $3.96M).

AI-governance maturity

Policy exists, controls inconsistently enforced. Scales shadow-AI exposure; IBM 2025: 97% of AI-model breaches lacked proper access controls.

Security skills shortage

Adequately staffed security team. IBM 2025, Figure 42 (high shortage $5.22M vs low $3.65M).

Estimated total exposure

$45,037,030

Critical exposure

vs IBM 2025 avg

1014%

Per record

$900.74

Records

50,000

Region mult.

x2.30

Schedule B / IBM cost-category split

Where the money goes

Lost business$13.96M (31%)

Detection & escalation$14.86M (33%)

Post-breach response$12.16M (27%)

Notification$4.05M (9%)

IBM Cost of a Data Breach Report 2025, four-category methodology.

Schedule C / File this estimate

Export the filing

Turn this estimate into a shareable artifact. Save as PDF via your browser print dialog, or copy a plain-text filing to paste into a board pack, ticket, or email.

Section VI / Comparison band

At $45.04M, your estimated exposure is 10.14x the global IBM 2025 average and 4.41x the US average. The United States regional cost factor is x2.30 (State-by-state).

Reduce your exposure

Partner

Two levers move the numbers above: transferring residual risk, and shortening the detection-to-containment window. Compare cyber-insurance cover or incident-response retainers.

Cyber-insurance cover

→

Compare standalone cyber policies and what breach-response costs they reimburse.

Incident-response retainer

→

How pre-negotiated IR retainers cut the 241-day detection-to-containment clock.

Independent register. Links above are neutral educational resources (CISA), not paid placements. This slot is labelled and disclosed; any future sponsored partner will be marked as such.

Schedule D / Results explained (plain text)

Your estimate, in words

Based on the IBM Cost of a Data Breach 2025 report, a breach of a 501 - 5,000 employees Healthcare organization in United States, exposing 50,000 records via Ransomware / Extortion, carries an estimated total exposure of $45,037,030. That is 1014% of the IBM 2025 global average breach cost of $4.44M (the US average is $10.22M), or 10.14x the global figure, and works out to $900.74 per record. The Healthcare sector averaged $7.42M in IBM 2025, and the United States regional cost factor is x2.30 relative to the global average. Detection assumption: Over 200 days ($5.01M basis). This estimate is classified as critical exposure.

AI-threat factors add an estimated $0 to this exposure. Shadow-AI usage is set to None / sanctioned only (IBM 2025 found shadow-AI breaches cost $4.63M versus $3.96M without, a $0.67M premium), AI-governance maturity to Partial (IBM 2025 found 97% of AI-model breaches occurred at organizations lacking proper AI access controls), and the security skills shortage to Low / none (IBM 2025 found a high shortage cost $5.22M versus $3.65M for low, a $1.57M premium).

Cost category	Estimated amount	Share
Lost business	$13,961,479	31%
Detection & escalation	$14,862,220	33%
Post-breach response	$12,159,998	27%
Notification	$4,053,333	9%
Estimated total exposure	$45,037,030	100%

IBM Cost of a Data Breach Report 2025. Cost-category split uses IBM's four-category methodology (detection 33%, lost business 31%, post-breach 27%, notification 9%). Verified June 2026.

Schedule C / Cost by industry sector

Average breach cost, all 17 sectors

Brick-red bars sit above the $4.44M global average; steel bars below it. Healthcare leads for the fourteenth consecutive year. Figures are the IBM 2025 averages, unmodified.

Primary source:IBM Cost of a Data Breach Report 2025, Figure 3 (industry averages). Verified June 2026.

Index / Companion SchedulesLast verified June 2026

02 Global statistics

→

$4.44M global, $10.22M US, 241-day MTTD, year-over-year trends, attack-vector costs, AI impact.

03 By industry

→

Healthcare $7.42M (#1, 14 years). Financial $5.56M. Industrial $5.00M. Tech $4.79M. All 17 sectors.

04 Biggest breaches

→

Equifax, Marriott, Change Healthcare, MOVEit, 22 verified mega-breaches with sourced cost figures.

05 Prevention ROI

→

AI/automation (-$1.9M), DevSecOps (-$227K), SIEM (-$212K). IBM 2025 cost factors ranked.

06 Ransomware costs

→

$5.08M attacker-disclosed extortion breach. $1.32M median demand, 63% refuse to pay.

07 Small business

→

60% close within 6 months. $15K-$3.31M cost ranges by size, common attacks, affordable defence.

08 By country / region

→

16 IBM regions. US 2.30x global, Brazil 0.27x. GDPR impact and US state notification map.

09 Notification laws

→

GDPR 72h, all 50 US states + DC, California SB 446 (30 days), penalties for late filing.

10 Cost breakdown

→

33% detection, 31% lost business, 27% post-breach, 9% notification. The 5-year cost tail.

11 50-state laws

→

All 50 states + DC, one page each: statute citation, deadline, AG threshold, private right of action, penalties.

New register / State notification statutes

Data breach notification laws by state: 51 statutes, no federal floor.

A multi-state breach can trigger up to 51 separate statutes, each with its own deadline, attorney general threshold, and penalty structure. One source-cited page per state: California, Texas, New York, Florida, and the rest of the 50 plus DC. Verified June 2026.

Open the 50-state register →

Jurisdictions

Strictest

30d

Federal

None

Schedule 11 / Industry Drilldowns7 sectors with bespoke per-record economics

Healthcare

→

$7.42M average, 14 years at #1. Change Healthcare, Anthem, Premera.

Financial Services

→

$5.56M average, #2 sector. Equifax, Capital One, JPMorgan.

Technology

→

$4.79M average. Supply-chain blast radius driving downstream cost.

Retail

→

$3.54M average. PCI DSS economics. Target, Home Depot, TJX.

Education

→

$3.80M average, +9% YoY. FERPA + state laws. Lincoln College closure precedent.

Government

→

$2.86M average, lowest tracked sector. FISMA + FedRAMP. OPM national-security cost.

Energy

→

$4.83M average. OT/IT convergence. Colonial Pipeline regulatory aftermath.

Schedule 12 / Notable Case Studies12 mega-breaches with sourced cost composition

Equifax 2017

→

$1.4B+ total cost. 147M records. Apache Struts CVE-2017-5638.

Anthem 2015

→

$260M+ total cost. 78.8M records. $16M OCR HIPAA settlement (then record).

Target 2013

→

$292M cumulative. 40M cards + 70M records. HVAC vendor pivot.

Capital One 2019

→

$300M+ total cost. 106M records. Cloud-misconfig precedent.

Change Healthcare 2024

→

$2.45B+ disclosed. 190M records. Largest healthcare in US history.

MOVEit 2023

→

$2.7B aggregate. 2,700+ orgs. Cl0p zero-day supply chain.

Marriott 2018

→

$350M+ cumulative. 500M Starwood guests. 4-year undetected dwell.

T-Mobile 2021

→

$500M+ total cost. 77M records. $150M security investment mandate.

23andMe 2023

→

$30M+ settlement. 6.9M affected. Credential stuffing, board resigned, bankruptcy.

Snowflake 2024

→

~165 customers hit. Ticketmaster, AT&T. Stolen credentials, no MFA on cloud warehouse.

MGM Resorts 2023

→

~$100M impact. Scattered Spider / ALPHV. 10-day operational outage via social engineering.

SolarWinds 2020

→

18,000 customers. SUNBURST supply-chain backdoor. SEC enforcement case dismissed 2024.

Schedule 13 / Regulator Profiles5 regimes with penalty structure detail

GDPR breach fine

→

4% global revenue or 20M EUR. Meta 1.2B EUR (largest). 72-hour notification.

HIPAA breach penalty

→

4-tier structure: $145 to $2.19M annual cap (2026). OCR Wall of Shame portal.

CCPA breach fine

→

$2,500 negligent, $7,500 intentional. $100-$750 private action.

PCI DSS breach cost

→

$5K-$100K monthly fines + $5-$15 per card reissuance.

SEC Item 1.05

→

4-business-day cyber disclosure. Stock-price 2-7% typical impact.

Schedule 14 / Cost-Component Drilldowns5 line-item analyses with vendor pricing

Cost per record

→

$178 IP down to $115 anonymized data. When per-record is reliable, when it breaks.

Notification cost

→

$1-$3 per letter, $20-$80 per call. Multi-state regulator filing economics.

Credit monitoring

→

$10-$30 retail, $4-$12 enterprise bulk. Settlement-mandated enrolment.

Forensics investigation

→

$200-$2,000/hour. Mandiant, CrowdStrike, Kroll, Unit 42 rate cards.

Class-action settlement

→

$100M-$400M for mega-breaches. $1.50-$5 per class member typical.