The 2025 IBM Cost of a Data Breach Report marks IBM’s 20th year of data breach research. The report, conducted independently by Ponemon Institute and sponsored, analyzed and published by IBM, studied 600 organizations impacted by data breaches between March 2024 and February 2025. It covered organizations across 17 industries, in 16 countries and regions, with breaches that ranged from 2,960 to 113,620 compromised records.


Findings

Organizations are skipping over security and governance for AI in favor of do-it-now AI adoption. Those ungoverned systems are more likely to be breached—and more costly when they are.

Two decades ago, nearly half of all data breaches (45%) were caused by a lost or stolen computing device, such as a laptop or thumb drive, while only 10% of breaches were attributed to “hacked electronic systems.” Today, most breaches are caused by a range of malicious activities, from phishing to insider threats.


AI-powered defenses

Global data breach costs have declined for the first time in five years, dropping to USD 4.44 million, due to faster breach containment that was driven by AI-powered defenses. But as defenders move smarter and faster, so do attackers—16% of breaches reportedly involved attackers using AI, often used in phishing and deepfake attacks. While this escalating AI arms race has benefitted organizations by pushing global breach costs lower, the US is bucking the trend. Breach costs there have surged past USD 10 million, driven by steeper regulatory penalties and rising detection costs.


AI adoption outpacing AI oversight

The report found that 97% of AI-related security breaches involved AI systems that lacked proper access controls. And most breached organizations reported they have no governance policies in place to manage AI or prevent shadow AI—the use of AI without employer approval or oversight.

Both the covert use of shadow AI and the lack of governance are driving up breach costs. 


What’s new in the 2025 report 

For the first time, this year’s research explores the:

  • State of security and governance for AI
  • Prevalence and risk profile of shadow AI
  • Type of data targeted in security incidents involving AI
  • Length of breach disruptions to organizations
  • Cost savings from using quantum security tools
  • Breach costs associated with AI-driven attacks
  • Amount of breach costs passed on to customers

Key Findings

USD 4.44M: The global average cost of a data breach

The global average breach cost dropped to USD 4.44 million from USD 4.88 million in 2024, a 9% decrease and a return to 2023 cost levels. Faster identification and containment of breaches—much of it from organizations’ own security and security service teams, with help from AI and automation—drove this decline. The global average would have been lower were it not for the United States, where the average cost surged by 9% to USD 10.22 million, an all-time high for any region. Higher regulatory fines and higher detection and escalation costs in the United States contributed to this surge. 

97%: Share of organizations that reported an AI-related breach and lacked proper AI access controls

Security incidents involving an organization’s AI remain limited—for now. On average, 13% of organizations reported breaches that involved their AI models or applications. However, among those that did, almost all (97%) lacked proper AI access controls. The most common of these security incidents occurred in the AI supply chain, through compromised apps, APIs or plug-ins. These incidents had a ripple effect: they led to broad data compromise (60%) and operational disruption (31%). The findings suggest AI is emerging as a high-value target.

USD 4.92M: Average cost of malicious insider attacks

For the second year in a row, malicious insider attacks resulted in the highest average breach costs among initial threat vectors: USD 4.92 million. Third-party vendor and supply chain compromise followed closely at USD 4.91 million. Other expensive attack vectors included vulnerability exploitation and phishing. However, the most frequent type of attack vector on organizations was phishing, at 16%, which averaged USD 4.8 million.

USD 670K: Added breach cost for shadow AI

Among the organizations studied this year, 20% said they suffered a breach due to security incidents involving shadow AI. For organizations with high levels of shadow AI, those breaches added USD 670,000 to the average breach price tag compared to those that had low levels of shadow AI or none. These incidents also resulted in more personally identifiable information (65%) and intellectual property (40%) being compromised. And that data was most often stored across multiple environments, revealing that just one unmonitored AI system can lead to widespread exposure. The swift rise of shadow AI has displaced security skills shortages as one of the top three costly breach factors tracked by this report.

USD 1.9M: Cost savings from extensive use of AI in security

Security teams using AI and automation extensively shortened their breach times by 80 days and lowered their average breach costs by USD 1.9 million compared to organizations that didn’t use these solutions. Nearly a third of organizations said they used these tools extensively across the security lifecycle—in prevention, detection, investigation and response. However, that figure is up only slightly from the previous year, suggesting AI adoption may have stalled. It also shows the majority are still not using AI and automation and, therefore, aren’t seeing the cost benefits.

63%: Share of organizations that refused to pay ransomware attackers

More ransomware victims refused to pay a ransom in 2025 (63%) than in 2024 (59%). However, the average cost of an extortion or ransomware incident remains high, particularly when disclosed by an attacker (USD 5.08 million). At the same time, fewer ransomware victims reported involving law enforcement—40% of organizations this year versus 53% last year.

49%: Share of organizations investing in security post-breach

There was a significant reduction in the number of organizations that plan to invest in security following a breach: 49% this year compared to 63% last year. Less than half of those who plan to invest in security intend to focus on AI-driven security solutions or services, such as threat detection and response, incident response (IR) planning and testing, and data security or protection tools.

63%: Share of organizations that lack AI governance policies

A majority of breached organizations (63%) either don’t have an AI governance policy or are still developing one. Even when they have a policy, less than half have an approval process for AI deployments, and 61% lack AI governance technologies. Among organizations that have governance policies in place, only a minority (34%) perform regular audits for unsanctioned AI. This shows AI remains largely unchecked as adoption outpaces both security and governance.

1 in 6: Share of breaches involving AI-driven attacks

Attackers can use generative AI (gen AI) to both perfect and scale their phishing campaigns and other social engineering attacks. IBM previously found gen AI reduced the time needed to craft a convincing phishing email from 16 hours down to only five minutes. This year’s report shows the impact: on average, 16% of data breaches involved attackers using AI, most often for AI-generated phishing (37%) and deepfake impersonation attacks (35%).
