Cost of a data breach hits historic all-time high in the US, drops globally: IBM warns of growing shadow AI risk
"AI is accelerating across the enterprise, but the security and governance needed to protect it aren’t keeping pace."

The average cost of a data breach has hit a record high in the US - again - whilst dropping for the first time in five years globally.
In its annual Cost of a Data Breach Report, IBM said "this year's headline" was a rare piece of good news in a forever-worsening threat landscape - but warned that incidents were so expensive in America last year that they pulled the global average higher than it would otherwise have been.
The global average cost of a breach dropped to $4.44 million in the period between March 2024 and February 2025. In the US, however, one of 16 countries and regions surveyed, companies faced an average of $10 million per breach.
Globally, the decline was partly driven by "faster breach containment driven by AI-powered defences", IBM found.
In the US, regulatory penalties and rising detection costs were largely responsible for the rise.
On LinkedIn, IBM's Mark Hughes, Global Managing Partner of Cybersecurity Services, wrote: "This year’s research takes a hard look at a major shift already underway: AI is accelerating across the enterprise, but the security and governance needed to protect it aren’t keeping pace."
How much does a data breach cost in 2025?

For the first time, the report studied breaches involving AI models and applications, finding that 13% of organisations reported experiencing an AI-related breach.
Of the organisations that reported an AI-related breach, 97% said they lacked proper access controls for their AI systems.
"The data shows that a gap between AI adoption and oversight already exists, and threat actors are starting to exploit it," said Suja Viswesan, Vice President, Security and Runtime Products, IBM.
"The report revealed a lack of basic access controls for AI systems, leaving highly sensitive data exposed, and models vulnerable to manipulation.
"As AI becomes more deeply embedded across business operations, AI security must be treated as foundational. The cost of inaction isn't just financial, it's the loss of trust, transparency and control."
One in five organisations reported a breach caused by shadow AI (AI tools employees use without the organisation's sanction or oversight). Again, too few are preparing to face the threat: just 37% have policies in place to manage AI or detect shadow AI.
Organisations with high levels of shadow AI incurred breach costs averaging $670,000 more than those with little or no shadow AI.
Roughly two-thirds (65%) of security incidents involving shadow AI led to the leak of personally identifiable information, followed by intellectual property (40%).
The global average time to identify and contain a data breach dropped to 241 days in 2025 - 17 days faster than the previous year. IBM attributed the improvement to more organisations detecting breaches themselves rather than learning of them from the attacker. Notably, organisations that identified breaches internally saved an average of $900,000 compared with breaches first disclosed by the attacker.
Despite a $2.35 million year-over-year reduction, healthcare breaches remained the most expensive across all sectors, averaging $7.42 million. Breaches in this industry also took the longest to contain: 279 days on average, more than five weeks longer than the global benchmark.
How many companies agree to pay ransomware demands?
Last year, organisations "pushed back" against ransom demands: 63% refused to pay, up from 59% the year before. IBM attributed the growing refusal to pay to "ransomware fatigue".
Even as more organisations refuse to pay, the average cost of an extortion or ransomware incident remains high, particularly when the breach is disclosed by the attacker, at an average of $5.08 million.
IBM also found a "significant" decline in the number of companies that planned to invest in security following a breach, which was 49% in 2025, down from 63% in 2024.
Among those that do intend to invest, fewer than half are prioritising AI-based security tools or services, signalling a slowdown in proactive adoption despite rising AI-related risks.
The 2025 report also said this about companies that suffered a breach: "Nearly all organisations studied suffered operational disruption following a data breach. This level of disruption is taking a toll on recovery timelines. Among organisations that reported recovery, most took more than 100 days on average to do so.
"However, the consequences of a breach continue to extend beyond containment. While down compared to the year prior, nearly half of all organisations reported that they planned to raise the price of goods or services because of the breach, and nearly one-third reported price increases of 15% or more."