Data Breach Cost Benchmarks 2026
Summary
Global data breach costs averaged $4.44 million in 2025, a 9% decline from $4.88M in 2024 — the first global drop in five years — while US breach costs rose 9% to a record $10.22M. The IBM/Ponemon study of 600 organizations found that healthcare remains the costliest industry at $7.42M per breach, AI-enabled security teams save $1.9M on average, and the breach lifecycle hit a nine-year low of 241 days. [src1]
Data vintage: Based on breaches occurring March 2024 through February 2025, published July 2025.
Key shift: Global costs declined 9% YoY driven by increased AI/automation adoption, but US costs diverged upward due to escalating regulatory fines and detection costs.
Constraints
- Benchmarks represent 600 organizations across 17 industries and 16 countries; smaller sample sizes in niche sectors reduce statistical power.
- Costs are self-reported and modeled using Ponemon's activity-based costing methodology; actual costs may differ from modeled estimates.
- US costs ($10.22M) are 2.3x the global average ($4.44M). Never apply US figures to global contexts or vice versa.
- Data collected March 2024 – February 2025. Rapid AI adoption and regulatory changes may shift 2026 figures significantly.
- Cost per record varies by data type — IP theft ($178/record) vs customer PII costs are not directly comparable.
Metrics
Total Breach Cost by Industry
Average Breach Cost by Industry
Definition: Total cost incurred by an organization from a data breach, including detection/escalation, notification, post-breach response, and lost business costs.
| Industry | Average Cost | YoY Change | Breach Lifecycle (Days) |
|---|---|---|---|
| Healthcare | $7.42M | -24% | 279 |
| Financial Services | $5.56M | Stable | ~250 |
| Industrial/Manufacturing | $5.00M | +8% | ~245 |
| Energy | $4.83M | +2% | ~248 |
| Technology | $4.79M | -3% | ~230 |
| Retail | $3.54M | +12% | ~235 |
| Public Sector | $3.18M | +15% | ~260 |
| Global Average | $4.44M | -9% | 241 |
Trend: Healthcare costs dropped sharply (-24%) but remain the highest of any industry for the 14th consecutive year. Retail and public sector bucked the global downtrend.
Red flag threshold: Breach cost exceeding 2x industry average suggests systemic security gaps.
Cost by Attack Vector
Initial Attack Vector Costs
Definition: Average total breach cost segmented by the initial method of compromise.
| Attack Vector | Average Cost | % of Breaches | Key Characteristic |
|---|---|---|---|
| Ransomware | $5.08M | ~14% | 63% refused to pay |
| Business Email Compromise | $5.01M | ~8% | Highest cost per incident |
| Phishing | $4.65M | ~16% | Second-most common |
| Malicious Insider | $4.61M | ~7% | Hardest to detect early |
| Stolen Credentials | $4.43M | ~22% | Most common vector |
| Vulnerability Exploitation | $4.38M | ~20% | VPN exploits up 8x YoY |
Trend: Credential abuse remains the most common vector at 22%. VPN-targeted exploitation grew nearly 8x YoY.
Red flag threshold: Organizations without MFA on external-facing systems face 3x higher credential breach risk.
Response Time & Cost Impact
Breach Lifecycle Impact
Definition: Total time from initial compromise to full containment (mean time to identify plus mean time to contain, MTTI + MTTC) and its impact on cost.
| Response Speed | Average Cost | Lifecycle (Days) | Savings vs Slow |
|---|---|---|---|
| Under 200 days | $3.87M | <200 | $1.14M savings |
| Over 200 days | $5.01M | >200 | Baseline |
| With Extensive AI | $3.62M | ~161 | $1.9M savings |
| Without AI | $5.52M | ~241+ | — |
Trend: Breach lifecycle hit a nine-year low of 241 days. AI-enabled teams cut this by 80 days.
Red flag threshold: Identification time exceeding 200 days adds $1.14M+ in costs.
Cost by Organization Size
Breach Costs by Employee Count
Definition: Average total breach cost segmented by organization headcount.
| Organization Size | Average Cost | Cost Per Employee |
|---|---|---|
| Under 500 employees | $3.31M | ~$6,620 |
| 500 – 1,000 | $3.52M | ~$4,700 |
| 1,000 – 5,000 | $4.10M | ~$1,640 |
| 5,000 – 10,000 | $4.44M | ~$590 |
| 10,000 – 25,000 | $4.92M | ~$280 |
| 25,000+ | $5.50M+ | ~$110 |
Trend: SMEs face disproportionately high per-employee costs ($6,620 vs $110 for large enterprises).
Red flag threshold: SMEs with breach costs exceeding $3.5M should evaluate incident response capabilities.
Composite Metrics & Rules of Thumb
| Rule | Formula / Threshold | Interpretation |
|---|---|---|
| AI Security ROI | $3.62M (with AI) vs $5.52M (without) = $1.9M savings | ~34% cost reduction with extensive AI/automation |
| Response Speed Premium | <200 day lifecycle saves $1.14M | Every day of delayed detection adds ~$5,700 |
| Ransomware Refusal Rate | 63% refuse to pay (up from 59%) | Budget for recovery, not ransom payment |
| Healthcare Premium | $7.42M / $4.44M = 1.67x global average | Healthcare should budget 67% above global average |
| Credential Risk Factor | 22% of breaches via stolen credentials | Without MFA, credential breach is primary risk |
Segment Definitions
| Segment | Definition | Typical Characteristics |
|---|---|---|
| Healthcare | Hospitals, health systems, payers, pharma | PHI/HIPAA regulated, longest lifecycles, legacy systems |
| Financial Services | Banks, insurance, investment firms | PCI/SOX regulated, high-value targets, mature security |
| Industrial/Manufacturing | Manufacturers, supply chain, logistics | OT/IT convergence, IP theft, rising ransomware |
| Technology | Software, hardware, cloud, SaaS | Large attack surfaces, valuable IP, faster detection |
| Energy | Utilities, oil/gas, renewables | Critical infrastructure, nation-state threats |
| Retail | E-commerce, brick-and-mortar, hospitality | Payment card data, seasonal attack spikes |
| SME (Cross-Industry) | Organizations with <500 employees | Limited budgets, disproportionate per-employee costs |
Year-over-Year Trend Summary
| Metric | 2023 | 2024 | 2025 | Direction |
|---|---|---|---|---|
| Global Avg Breach Cost | $4.45M | $4.88M | $4.44M | ↓ 9% |
| US Avg Breach Cost | $9.48M | $9.36M | $10.22M | ↑ 9% |
| Healthcare Breach Cost | $10.93M | $9.77M | $7.42M | ↓ 24% |
| Breach Lifecycle (Days) | 277 | 258 | 241 | ↓ 7% |
| Ransomware Avg Cost | $4.54M | $4.62M | $5.08M | ↑ 10% |
| Credential Breach Share | 15% | 16% | 22% | ↑ 38% |
Common Misinterpretations
- Confusing global and US averages: The US average ($10.22M) is 2.3x the global average ($4.44M). Citing the global figure for a US company drastically underestimates costs.
- Assuming cost decline means lower risk: Global costs dropped 9%, but this reflects AI/automation savings, not reduced breach frequency. Attack volume is increasing.
- Treating healthcare as representative: Healthcare's $7.42M includes unique regulatory penalties and 279-day lifecycles. Do not use for other industries.
- Ignoring per-employee costs for SMEs: A $3.31M breach at a 200-person company is existentially threatening, while the same cost at a 10,000-person firm is manageable.
When This Matters
Fetch when a user needs to estimate breach costs for budgeting or insurance, justify security investments to leadership, benchmark incident response capabilities against industry peers, or evaluate the ROI of AI-enabled security tools.