For two decades, IBM’s Cost of a Data Breach Report has been pivotal in understanding the state (and, ahem, cost) of cybersecurity breaches around the world. The 2025 edition marks a turning point, focusing on artificial intelligence (AI) both as a defender and as a weapon in attackers’ arsenals. While the global average cost of a breach has dropped for the first time in five years, the report warns that rapid AI adoption without oversight is leaving organizations dangerously exposed.
The Average Cost of a Data Breach Falls Globally, but Not in the U.S.
Globally, the average cost of a data breach fell 9%, from $4.88 million in 2024 to $4.44 million in 2025. Much of this reduction stems from faster detection and containment, driven by security AI and automation. Organizations using AI tools extensively cut their breach lifecycle by 80 days and saved nearly $1.9 million on average.
However, the United States is moving in the opposite direction. Breach costs there hit a record $10.22 million, an increase of 9% from last year, fueled by higher regulatory fines and rising detection and escalation costs. While many regions, including Germany, Italy, and South Korea, saw costs fall significantly, the U.S. was among a handful of countries, including Canada and India, where costs rose.
AI Adoption Outpaces Security
One of the most urgent findings in this year's report: organizations are racing ahead with AI adoption while neglecting governance and security.
- 97% of AI-related breaches occurred in organizations without proper AI access controls.
- 63% of organizations lack AI governance policies. Even among those with policies, few conduct regular audits or adversarial testing.
- Shadow AI, the unsanctioned use of AI by employees, was a factor in 20% of breaches, adding $670,000 to average costs and exposing large amounts of personally identifiable information (PII).
The gap between cybersecurity and AI adoption has created new, lucrative targets for attackers. The most common AI-related breach vectors include compromised apps, APIs, and plug-ins in the AI supply chain. The fallout ranges from unauthorized access to sensitive data to operational disruptions and reputational harm.
Attackers Use AI Too
The arms race cuts both ways. The report reveals that 1 in 6 breaches involved attackers using AI, most commonly for phishing (37%) and deepfake impersonation (35%). Generative AI enables adversaries to craft convincing phishing messages in minutes, not hours, making social engineering more dangerous than ever.
At the same time, ransomware remains a major concern. While more organizations are refusing to pay ransom demands (63% versus 59% last year), the average cost of an extortion or ransomware incident is still high at $5.08 million. Worryingly, fewer victims are involving law enforcement, despite data showing that doing so reduces costs.
Industry and Data Trends
Healthcare remained the industry with the highest average cost of a data breach at $7.42 million, even with a significant drop from last year’s $9.77 million. The sector’s reliance on sensitive patient PII, combined with long detection and containment times (279 days on average), keeps it in attackers’ crosshairs.
Phishing overtook stolen credentials as the most common initial attack vector, responsible for 16% of breaches at an average cost of $4.8 million. Supply chain compromise was close behind, costing $4.91 million and taking the longest to resolve at 267 days.
When it comes to stolen data, customer PII was by far the most frequently targeted, compromised in 53% of breaches. But intellectual property, though stolen less often, was the most expensive to lose at $178 per record.
Business Impact Beyond Costs
The true cost of a data breach extends far beyond regulatory fines and response costs. This year, 86% of organizations reported operational disruptions, including delayed sales, interrupted services, or halted production. Meanwhile, 45% admitted to raising prices to offset breach expenses, although that figure is down from 63% last year as inflation concerns make passing costs on to consumers riskier.
Recovery also remains a long road. While more organizations reported full recovery compared to last year (35% versus 12%), most said the process took more than 100 days, and a quarter needed over 150 days.
How Organizations Can Respond
The report highlights clear actions to mitigate both costs and risks:
- Fortify identity security for both humans and AI agents by enforcing modern, phishing-resistant authentication and managing all credentials.
- Elevate AI data security practices, ensuring that data fueling AI models is properly classified, encrypted, and governed.
- Integrate AI security and governance to eliminate blind spots and detect shadow AI.
- Leverage AI security tools and automation to accelerate detection, reduce response times, and contain breaches.
- Build resilience through planning and training, including incident response testing and crisis simulations.
Key Takeaways
The 2025 Cost of a Data Breach Report paints a nuanced picture. On one hand, AI is driving real progress: faster detection, shorter breach lifecycles, and lower global costs. On the other, ungoverned AI adoption and shadow AI are creating new vulnerabilities that attackers are quick to exploit.
Organizations that embrace AI responsibly by pairing innovation with governance, security, and resilience will be better positioned to reduce breach costs and protect their businesses. Those that don’t risk finding themselves on the wrong side of an increasingly high-stakes cyber arms race.