IBM: Average cost of a data breach in US shoots to record $10 million
For the first time in five years, the average cost associated with a data breach globally has fallen, dropping to $4.4 million, according to data from IBM.
But the numbers were not the same in every country and — unfortunately for Americans — the costs of a breach in the U.S. grew precipitously to more than $10 million.
The cost increases in the U.S. were driven by steeper regulatory penalties and the rising cost of detection systems.
The global average cost of a data breach fell from $4.88 million in 2024, a 9% decrease that now matches numbers seen in 2023. Globally, organizations are becoming faster at identifying breaches and containing them using automated tools.
IBM said organizations around the world are conducting shorter breach investigations, which pushes down detection costs, a category that includes assessments, audits, crisis management and more.
This is IBM’s 20th year of releasing data breach research; the report studied breaches at about 600 organizations between March 2024 and February 2025. Researchers also interviewed thousands of business leaders about their response to a breach.
The breaches ranged from about 3,000 stolen files to more than 113,000, covering organizations across 16 different countries and regions. IBM noted that the global average would have been lower if not for the numbers seen in the U.S., which were 9% higher than last year.
Researchers found that many countries outside of the U.S. saw a significant decrease in average cost. Italy, Germany and South Korea all saw the cost of an average breach fall by at least 21%.
The healthcare industry saw the highest cost for breaches at $7.42 million. This is the 14th consecutive year that healthcare led all industries in highest average breach cost — even with a decrease from the $9.77 million average seen last year.
Healthcare organizations on average took the longest to identify and contain breach incidents, needing 279 days to address attacks. That figure is five weeks longer than the global average.
The report included several other interesting notes:
- At least one third of organizations paid regulatory fines because of breaches and U.S. organizations paid the highest fines. About half of the fines were more than $100,000.
- The most expensive attack vector was malicious insider incidents, which cost an average of nearly $5 million. Third-party vendor breaches and supply chain compromises caused almost as much in losses.
- Supply chain attacks took the longest to detect and resolve, at 267 days, because they exploit the trust between vendors and customers.
- Detection costs fell on average to about $1.5 million, showing the steepest decline among the four categories IBM uses to classify costs. The other cost categories (notification, post-attack response and lost business) also saw decreases.
- IBM noted that in its examination of ransomware incidents, 63% of respondents said they refused to pay a ransom, an increase from the 59% polled in 2024. Ransomware incidents are still some of the most costly attacks, typically requiring more than $5 million in recovery costs.
- IBM noted that more organizations are deciding against involving law enforcement when dealing with a ransomware incident — even though data shows law enforcement involvement lowered the average cost of a breach.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.