The average cost of a data breach for U.S. companies jumped 9% to an all-time high of $10.22 million in 2025, as the global average cost fell 9% to $4.44 million, IBM said in its 20th annual Cost of a Data Breach Report Wednesday.
While shorter investigations are pushing down costs globally, reflecting the first decline in five years, IBM found higher regulatory fines, along with detection and escalation costs, are driving up the ultimate recovery price in the United States.
“This widening gap helps explain why U.S. organizations continue to face the highest breach costs globally, further compounded by more organizations in the U.S. reporting paying steeper regulatory fines,” Troy Bettencourt, global partner and head of IBM X-Force, said in an email.
The report underscores that organizations face an uneven burden in the wake of data breaches, even as detection and containment times improve. On average, it took organizations 241 days to identify and contain a breach through the one-year period ending in February — a nine-year low, according to IBM.
“Shorter breaches mean less disruption, faster containment, and fewer chances for attackers to access sensitive systems or data. Time really is money when it comes to breach impact,” Bettencourt said. “Faster detection is proving to be one of the most effective ways to reduce breach costs across the board.”
Average global costs for detection and escalation declined almost 10% to $1.47 million, remaining the largest cost driver for data breaches for the past four years. Other cost categories also declined, with lost business coming in at $1.38 million on average, followed by $1.2 million for post-breach response costs and notification costs of almost $390,000.
Despite a 24% year-over-year reduction in costs, health care remained the most heavily impacted industry overall for the 14th consecutive year, at $7.42 million. Organizations in the financial, industrial, energy and technology sectors rounded out the top five industries absorbing the highest costs from data breaches globally.
While most industries reported a year-over-year decline in data breach costs globally, organizations in entertainment, media, hospitality, education, research, retail and the public sector bucked that trend in 2025.
Just over half (51%) of data breaches were caused by malicious activities or cyberattacks. Human error accounted for 26% and IT failure was responsible for 23% of data breaches during the reporting period, according to IBM.
Phishing was the initial access vector in 16% of attacks resulting in a data breach, making it the most common root cause of attacks studied for this year’s report. Supply-chain compromises were the second-most prevalent attack vector at nearly 15%, followed by denial-of-service attacks at nearly 13%.
Nearly two-thirds of the data breaches experienced by 600 organizations IBM analyzed globally from March 2024 through February 2025 said they are still recovering from the data breach. Recovery efforts typically extend beyond 100 days, with roughly a quarter of impacted organizations recovering within 101 to 125 days and another quarter recovering within 126 and 150 days.
Organizations also continue to push back against ransom demands in greater numbers. The number of organizations hit with ransomware attacks who refused to pay a ransom jumped from 59% in 2024 to 63% this year, according to IBM.
The report, which was conducted for IBM by the Ponemon Institute, also looked at security incidents involving artificial intelligence. Breaches involving an AI model or application were reported by 13% of organizations, and 31% of those AI-related security incidents led to operational disruption with attackers gaining access to sensitive data, the report found.
IBM said nearly two-thirds of organizations lack AI governance policies, a deficiency that exacerbates the growing emergence of AI security as a target for attacks.
Written by Matt Kapko
Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.