Data Breach Statistics 2026: Costs, Causes & Records Exposed


The average data breach now costs $4.44 million globally — and a record $10.22 million in the United States, the highest figure IBM has measured in 20 years of tracking. Breach costs decide security budgets, insurance premiums, and board agendas, so the difference between the average incident and a well-defended one is measured in millions. This page compiles 58 data breach statistics from the IBM Cost of a Data Breach Report, the Verizon Data Breach Investigations Report (DBIR), the Identity Theft Resource Center (ITRC), and regulatory enforcement trackers.
Table of Contents
Cost of a Data Breach
The headline number fell for the first time in five years. The US number went the other way. IBM attributes the global decline to faster detection and containment, and the US increase to higher regulatory penalties and detection costs.
- The global average cost of a data breach is $4.44 million, down about 9% from $4.88 million in 2024 — the first decline in five years (IBM Cost of a Data Breach Report 2025).
- The US average rose to $10.22 million, the highest figure recorded for any country in the report's history (IBM 2025).
- The average cost per compromised record is roughly $169 (IBM).
- One in five organizations in IBM's 2025 study reported a breach tied to shadow AI — employees using unsanctioned AI tools with company data.
- Breaches involving high levels of shadow AI added about $670,000 to the average breach cost (IBM 2025).
- Malicious insider attacks were the costliest initial attack vector at roughly $4.9 million per breach (IBM 2025).
- 63% of breached organizations said they planned to pass breach costs on to customers through higher prices (IBM 2024).
- Detection and escalation is the largest of IBM's four breach cost categories, ahead of lost business, post-breach response, and notification (IBM).
Breach Frequency & Records Exposed
Breach volume set records on both sides of the Atlantic. The Verizon DBIR logged its largest-ever dataset, and US compromise counts stayed near all-time highs. For the wider threat picture behind these numbers, see our cybersecurity statistics for 2026.
| Metric | Value | Source |
|---|---|---|
| Confirmed breaches analyzed (2025 report) | 12,195 | Verizon DBIR |
| US data compromises (2024) | 3,158 | ITRC |
| US breach victim notices (2024) | 1.35 billion | ITRC |
| Largest single-incident records claim | ~2.9 billion | National Public Data filings |
| US healthcare records breached (2024) | 276.7 million | HIPAA Journal / HHS data |
- The Verizon DBIR 2025 analyzed 12,195 confirmed data breaches — the most in the report's history.
- Those breaches came from a pool of 22,052 security incidents across 139 countries (Verizon DBIR 2025).
- The ITRC recorded 3,158 US data compromises in 2024, just below the all-time record of 3,202 set in 2023.
- Those compromises generated an estimated 1.35 billion victim notices in 2024 — nearly four times the 2023 total, driven by a handful of mega-breaches (ITRC).
- The single largest exposure claim of the period was ~2.9 billion records in the National Public Data breach, according to class-action and bankruptcy filings.
- The 2024 Snowflake credential campaign affected approximately 165 customer organizations, including Ticketmaster and AT&T (Mandiant / Google Cloud).
- 276.7 million US healthcare records were exposed or stolen in 2024 alone (HIPAA Journal analysis of HHS breach data).
Causes & Attack Vectors
Attackers still walk in through the front door. Stolen credentials and unpatched systems open most breaches, and a person is involved in the majority of them. Our password statistics and insider threat statistics break down the human side in detail.
- Credential abuse remains the leading initial access vector, present in about 22% of breaches (Verizon DBIR 2025).
- Exploitation of vulnerabilities was the initial vector in about 20% of breaches — up 34% year-over-year (Verizon DBIR 2025).
- Edge devices and VPNs jumped from 3% to 22% of exploitation targets — an almost eightfold increase in one year (Verizon DBIR 2025).
- Phishing was the initial vector in roughly 16% of breaches; our phishing statistics cover the full attack chain (Verizon DBIR 2025).
- The median user clicks a phishing link in 21 seconds and submits data within about another 28 seconds (Verizon DBIR 2024).
- The human element — error, stolen credentials, social engineering, or misuse — appears in roughly 60% of breaches (Verizon DBIR 2025).
- Third-party involvement in breaches doubled from 15% to 30% in a single year, driven by software supply chain and partner compromises (Verizon DBIR 2025).
- Ransomware was present in 44% of breaches, up from 32% the prior year; see our ransomware statistics for the full picture (Verizon DBIR 2025).
- The median ransom payment fell to $115,000 (Verizon DBIR 2025).
- 64% of ransomware victims refused to pay — up from 50% two years earlier (Verizon DBIR 2025).
- Ransomware appeared in 88% of breaches at small and mid-sized businesses, versus 39% at large organizations (Verizon DBIR 2025).
Detection & Response Times
Speed is the strongest cost lever an organization controls. Every benchmark below moves the final invoice by six or seven figures.
- The average breach lifecycle is 241 days — the shortest in nine years of IBM tracking (IBM 2025).
- That splits into 181 days to identify a breach and 60 days to contain it (IBM 2025).
- Organizations making extensive use of security AI and automation cut the lifecycle by roughly 80 days (IBM 2025).
- Only about one in three breaches is discovered by the victim's own security teams and tools; 27% are disclosed by the attacker (IBM 2023).
- Attacker-disclosed breaches cost close to $1 million more than internally detected ones — $5.23 million versus $4.30 million (IBM 2023).
- GDPR requires notification of the supervisory authority within 72 hours of becoming aware of a personal data breach.
- US public companies must disclose material cybersecurity incidents within 4 business days under SEC rules adopted in 2023.
Industry Breakdown
Healthcare pays the most per breach. Financial services gets breached most often. Regulated data, downtime sensitivity, and legacy systems drive the gap — which is why regulated providers move workloads onto HIPAA-compliant cloud hosting with contractual safeguards built in. Our healthcare data breach statistics cover the hardest-hit sector in depth.
- Healthcare is the most expensive industry for breaches at $7.42 million on average — a position it has held every year since 2011, even after falling from $9.77 million in 2024 (IBM 2025).
- Financial services ranks second at $5.56 million per breach (IBM 2025).
- Industrial organizations average $5.00 million per breach (IBM 2025).
- Energy averages $4.83 million and technology $4.79 million — both above the global average (IBM 2025).
- By breach count rather than cost, financial services logged 737 compromises in 2024 and overtook healthcare as the most-breached US sector (ITRC).
Biggest Data Breaches
A handful of incidents account for most of the records exposed in any given year. Two of the largest on record happened in 2024.
| Breach | Year | Records / People | Source |
|---|---|---|---|
| Yahoo | 2013 | 3 billion accounts | Company disclosure |
| National Public Data | 2024 | ~2.9 billion records (claimed) | Court / bankruptcy filings |
| Ticketmaster (Snowflake) | 2024 | 560 million (claimed) | Attacker claim / company filing |
| Change Healthcare | 2024 | ~190 million people | HHS OCR |
| Equifax | 2017 | 147 million people | FTC settlement |
| AT&T (Snowflake) | 2024 | ~110 million customers | Company disclosure |
- The Change Healthcare ransomware attack exposed data on roughly 190 million people — the largest healthcare breach ever reported to US regulators (HHS Office for Civil Rights).
- Parent company UnitedHealth Group attributed more than $2.8 billion in response and remediation costs to the attack in its 2024 earnings reports.
- The National Public Data breach involved a claimed ~2.9 billion records of personal data including Social Security numbers; the company filed for bankruptcy within months.
- The Ticketmaster breach, part of the Snowflake credential campaign, involved a claimed 560 million customer records.
- The same campaign exposed call and text metadata for roughly 110 million AT&T customers (company disclosure).
- The largest confirmed breach in history remains Yahoo's 2013 incident: all 3 billion accounts, a figure the company confirmed in 2017.
Regulatory Fines
Regulators have turned breach failures into a line item measured in billions. Fines now routinely exceed the direct technical cost of the incident that triggered them — a key reason regulated workloads belong on HIPAA-compliant cloud hosting rather than general-purpose infrastructure.
| Fine | Amount | Year | Source |
|---|---|---|---|
| Meta (data transfers) | €1.2 billion | 2023 | Irish DPC / CMS tracker |
| Amazon | €746 million | 2021 | Luxembourg CNPD / CMS tracker |
| Instagram (children's data) | €405 million | 2022 | Irish DPC / CMS tracker |
| TikTok (children's data) | €345 million | 2023 | Irish DPC / CMS tracker |
| €310 million | 2024 | Irish DPC / CMS tracker | |
| Uber | €290 million | 2024 | Dutch DPA / CMS tracker |
- Cumulative GDPR fines have passed €5.9 billion since enforcement began in 2018 (CMS.law GDPR Enforcement Tracker).
- The largest single GDPR fine is Meta's €1.2 billion penalty for unlawful EU-US data transfers (Irish DPC, 2023).
- LinkedIn was fined €310 million in 2024 for behavioral advertising consent failures (Irish DPC).
- Uber was fined €290 million in 2024 for transferring driver data outside the EU without safeguards (Dutch DPA).
- GDPR penalties can reach 4% of global annual revenue — for the largest companies, a ten-figure exposure per violation.
- HHS Office for Civil Rights has collected more than $140 million in cumulative HIPAA penalties and settlements since enforcement began (HHS OCR).
- HIPAA civil penalties are capped at over $2 million per violation category per year, adjusted annually for inflation (HHS).
Defenses That Lower Breach Costs
The cost data points in one direction: organizations that detect faster spend less. The controls below have measured, repeatable effects on the final bill — and most of them can be bought as a service. Continuous monitoring through white label SOC services is how smaller organizations and MSPs get enterprise-grade detection without building a 24/7 team.
- Organizations using security AI and automation extensively saved an average of $1.9 million per breach compared to those using neither (IBM 2025).
- About one in three organizations uses security AI and automation extensively across prevention workflows (IBM).
- 63% of breached organizations either had no AI governance policy or were still developing one — a gap that maps directly to the shadow AI cost premium (IBM 2025).
- Multi-factor authentication blocks more than 99% of account compromise attacks (Microsoft security research).
- Sustained security awareness training cuts average phish-prone rates from about 33% to under 5% within 12 months (KnowBe4 benchmarking).
- Breaches at organizations with severe security staffing shortages cost $1.76 million more on average (IBM 2024) — the economic case for outsourced detection and response.
- Global cyber insurance premiums have grown to roughly $15 billion as breach costs push risk transfer into the mainstream (Munich Re); our cyber insurance statistics cover pricing and claims trends.
Sources
These statistics are compiled from the following research publications and databases:
- IBM Cost of a Data Breach Report 2023, 2024, and 2025 (with Ponemon Institute)
- Verizon Data Breach Investigations Report (DBIR) 2024 and 2025
- Identity Theft Resource Center (ITRC) Annual Data Breach Report 2024
- CMS.law GDPR Enforcement Tracker
- HHS Office for Civil Rights breach portal and enforcement data
- HIPAA Journal healthcare breach analysis
- Mandiant / Google Cloud Snowflake campaign investigation
- UnitedHealth Group earnings reports (2024)
- Microsoft security research on MFA effectiveness
- KnowBe4 Phishing by Industry Benchmarking Report
- Munich Re Cyber Insurance Risk and Trends
Statistics are updated as new data becomes available. Last updated: July 2026.
Protect your organization with expert healthcare IT support designed for HIPAA compliance.
Managed IT for HealthcareTopics

Sreenivasa Reddy G
Founder & CEO • 15+ years
Sreenivasa Reddy is the Founder and CEO of Medha Cloud, recognized as "Startup of the Year 2024" by The CEO Magazine. With over 15 years of experience in cloud infrastructure and IT services, he leads the company's vision to deliver enterprise-grade cloud solutions to businesses worldwide.
More in Cybersecurity
View all
Insider Threat Statistics 2026: Cost, Frequency & Detection
16 min read

Cloud Security Statistics 2026: Breaches, Spending & Trends
18 min read

Password Statistics 2026: Reuse, Breaches & MFA Adoption
19 min read

Small Business Cybersecurity Statistics 2026: Attacks, Costs & Readiness
19 min read

42 Cyber Insurance Statistics for 2026 — Premiums & Claims Data
16 min read

52 Email Security Statistics for 2026 — BEC, Spam & Phishing
19 min read