MedhaCloud
Link copied to clipboard!
Cybersecurity

Data Breach Statistics 2026: Costs, Causes & Records Exposed

Sreenivasa Reddy G
Sreenivasa Reddy G
Founder & CEO
Jul 4, 202618 min read
24
Data Breach Statistics 2026: Costs, Causes & Records Exposed

The average data breach now costs $4.44 million globally — and a record $10.22 million in the United States, the highest figure IBM has measured in 20 years of tracking. Breach costs decide security budgets, insurance premiums, and board agendas, so the difference between the average incident and a well-defended one is measured in millions. This page compiles 58 data breach statistics from the IBM Cost of a Data Breach Report, the Verizon Data Breach Investigations Report (DBIR), the Identity Theft Resource Center (ITRC), and regulatory enforcement trackers.

Cost of a Data Breach

The headline number fell for the first time in five years. The US number went the other way. IBM attributes the global decline to faster detection and containment, and the US increase to higher regulatory penalties and detection costs.

$4.44M
Global average breach cost (IBM 2025)
$10.22M
US average — a record high (IBM 2025)
241 days
Average breach lifecycle (IBM 2025)
  1. The global average cost of a data breach is $4.44 million, down about 9% from $4.88 million in 2024 — the first decline in five years (IBM Cost of a Data Breach Report 2025).
  2. The US average rose to $10.22 million, the highest figure recorded for any country in the report's history (IBM 2025).
  3. The average cost per compromised record is roughly $169 (IBM).
  4. One in five organizations in IBM's 2025 study reported a breach tied to shadow AI — employees using unsanctioned AI tools with company data.
  5. Breaches involving high levels of shadow AI added about $670,000 to the average breach cost (IBM 2025).
  6. Malicious insider attacks were the costliest initial attack vector at roughly $4.9 million per breach (IBM 2025).
  7. 63% of breached organizations said they planned to pass breach costs on to customers through higher prices (IBM 2024).
  8. Detection and escalation is the largest of IBM's four breach cost categories, ahead of lost business, post-breach response, and notification (IBM).

Breach Frequency & Records Exposed

Breach volume set records on both sides of the Atlantic. The Verizon DBIR logged its largest-ever dataset, and US compromise counts stayed near all-time highs. For the wider threat picture behind these numbers, see our cybersecurity statistics for 2026.

Metric Value Source
Confirmed breaches analyzed (2025 report)12,195Verizon DBIR
US data compromises (2024)3,158ITRC
US breach victim notices (2024)1.35 billionITRC
Largest single-incident records claim~2.9 billionNational Public Data filings
US healthcare records breached (2024)276.7 millionHIPAA Journal / HHS data
  1. The Verizon DBIR 2025 analyzed 12,195 confirmed data breaches — the most in the report's history.
  2. Those breaches came from a pool of 22,052 security incidents across 139 countries (Verizon DBIR 2025).
  3. The ITRC recorded 3,158 US data compromises in 2024, just below the all-time record of 3,202 set in 2023.
  4. Those compromises generated an estimated 1.35 billion victim notices in 2024 — nearly four times the 2023 total, driven by a handful of mega-breaches (ITRC).
  5. The single largest exposure claim of the period was ~2.9 billion records in the National Public Data breach, according to class-action and bankruptcy filings.
  6. The 2024 Snowflake credential campaign affected approximately 165 customer organizations, including Ticketmaster and AT&T (Mandiant / Google Cloud).
  7. 276.7 million US healthcare records were exposed or stolen in 2024 alone (HIPAA Journal analysis of HHS breach data).

Causes & Attack Vectors

Attackers still walk in through the front door. Stolen credentials and unpatched systems open most breaches, and a person is involved in the majority of them. Our password statistics and insider threat statistics break down the human side in detail.

Share of Breaches Involving Each Factor (Verizon DBIR 2025)
Human element
60%
Ransomware
44%
Third party
30%
Credential abuse
22%
Vuln. exploitation
20%
  1. Credential abuse remains the leading initial access vector, present in about 22% of breaches (Verizon DBIR 2025).
  2. Exploitation of vulnerabilities was the initial vector in about 20% of breaches — up 34% year-over-year (Verizon DBIR 2025).
  3. Edge devices and VPNs jumped from 3% to 22% of exploitation targets — an almost eightfold increase in one year (Verizon DBIR 2025).
  4. Phishing was the initial vector in roughly 16% of breaches; our phishing statistics cover the full attack chain (Verizon DBIR 2025).
  5. The median user clicks a phishing link in 21 seconds and submits data within about another 28 seconds (Verizon DBIR 2024).
  6. The human element — error, stolen credentials, social engineering, or misuse — appears in roughly 60% of breaches (Verizon DBIR 2025).
  7. Third-party involvement in breaches doubled from 15% to 30% in a single year, driven by software supply chain and partner compromises (Verizon DBIR 2025).
  8. Ransomware was present in 44% of breaches, up from 32% the prior year; see our ransomware statistics for the full picture (Verizon DBIR 2025).
  9. The median ransom payment fell to $115,000 (Verizon DBIR 2025).
  10. 64% of ransomware victims refused to pay — up from 50% two years earlier (Verizon DBIR 2025).
  11. Ransomware appeared in 88% of breaches at small and mid-sized businesses, versus 39% at large organizations (Verizon DBIR 2025).

Detection & Response Times

Speed is the strongest cost lever an organization controls. Every benchmark below moves the final invoice by six or seven figures.

241 days
Average time to identify and contain a breach — the shortest lifecycle in nine years (IBM 2025)
  1. The average breach lifecycle is 241 days — the shortest in nine years of IBM tracking (IBM 2025).
  2. That splits into 181 days to identify a breach and 60 days to contain it (IBM 2025).
  3. Organizations making extensive use of security AI and automation cut the lifecycle by roughly 80 days (IBM 2025).
  4. Only about one in three breaches is discovered by the victim's own security teams and tools; 27% are disclosed by the attacker (IBM 2023).
  5. Attacker-disclosed breaches cost close to $1 million more than internally detected ones — $5.23 million versus $4.30 million (IBM 2023).
  6. GDPR requires notification of the supervisory authority within 72 hours of becoming aware of a personal data breach.
  7. US public companies must disclose material cybersecurity incidents within 4 business days under SEC rules adopted in 2023.

Industry Breakdown

Healthcare pays the most per breach. Financial services gets breached most often. Regulated data, downtime sensitivity, and legacy systems drive the gap — which is why regulated providers move workloads onto HIPAA-compliant cloud hosting with contractual safeguards built in. Our healthcare data breach statistics cover the hardest-hit sector in depth.

Average Breach Cost by Industry (IBM 2025)
Healthcare
$7.42M
Financial
$5.56M
Industrial
$5.00M
Energy
$4.83M
Technology
$4.79M
  1. Healthcare is the most expensive industry for breaches at $7.42 million on average — a position it has held every year since 2011, even after falling from $9.77 million in 2024 (IBM 2025).
  2. Financial services ranks second at $5.56 million per breach (IBM 2025).
  3. Industrial organizations average $5.00 million per breach (IBM 2025).
  4. Energy averages $4.83 million and technology $4.79 million — both above the global average (IBM 2025).
  5. By breach count rather than cost, financial services logged 737 compromises in 2024 and overtook healthcare as the most-breached US sector (ITRC).

Biggest Data Breaches

A handful of incidents account for most of the records exposed in any given year. Two of the largest on record happened in 2024.

Breach Year Records / People Source
Yahoo20133 billion accountsCompany disclosure
National Public Data2024~2.9 billion records (claimed)Court / bankruptcy filings
Ticketmaster (Snowflake)2024560 million (claimed)Attacker claim / company filing
Change Healthcare2024~190 million peopleHHS OCR
Equifax2017147 million peopleFTC settlement
AT&T (Snowflake)2024~110 million customersCompany disclosure
  1. The Change Healthcare ransomware attack exposed data on roughly 190 million people — the largest healthcare breach ever reported to US regulators (HHS Office for Civil Rights).
  2. Parent company UnitedHealth Group attributed more than $2.8 billion in response and remediation costs to the attack in its 2024 earnings reports.
  3. The National Public Data breach involved a claimed ~2.9 billion records of personal data including Social Security numbers; the company filed for bankruptcy within months.
  4. The Ticketmaster breach, part of the Snowflake credential campaign, involved a claimed 560 million customer records.
  5. The same campaign exposed call and text metadata for roughly 110 million AT&T customers (company disclosure).
  6. The largest confirmed breach in history remains Yahoo's 2013 incident: all 3 billion accounts, a figure the company confirmed in 2017.

Regulatory Fines

Regulators have turned breach failures into a line item measured in billions. Fines now routinely exceed the direct technical cost of the incident that triggered them — a key reason regulated workloads belong on HIPAA-compliant cloud hosting rather than general-purpose infrastructure.

Fine Amount Year Source
Meta (data transfers)€1.2 billion2023Irish DPC / CMS tracker
Amazon€746 million2021Luxembourg CNPD / CMS tracker
Instagram (children's data)€405 million2022Irish DPC / CMS tracker
TikTok (children's data)€345 million2023Irish DPC / CMS tracker
LinkedIn€310 million2024Irish DPC / CMS tracker
Uber€290 million2024Dutch DPA / CMS tracker
  1. Cumulative GDPR fines have passed €5.9 billion since enforcement began in 2018 (CMS.law GDPR Enforcement Tracker).
  2. The largest single GDPR fine is Meta's €1.2 billion penalty for unlawful EU-US data transfers (Irish DPC, 2023).
  3. LinkedIn was fined €310 million in 2024 for behavioral advertising consent failures (Irish DPC).
  4. Uber was fined €290 million in 2024 for transferring driver data outside the EU without safeguards (Dutch DPA).
  5. GDPR penalties can reach 4% of global annual revenue — for the largest companies, a ten-figure exposure per violation.
  6. HHS Office for Civil Rights has collected more than $140 million in cumulative HIPAA penalties and settlements since enforcement began (HHS OCR).
  7. HIPAA civil penalties are capped at over $2 million per violation category per year, adjusted annually for inflation (HHS).

Defenses That Lower Breach Costs

The cost data points in one direction: organizations that detect faster spend less. The controls below have measured, repeatable effects on the final bill — and most of them can be bought as a service. Continuous monitoring through white label SOC services is how smaller organizations and MSPs get enterprise-grade detection without building a 24/7 team.

$1.9M
Average savings with extensive security AI and automation (IBM 2025)
99%+
Account compromise risk reduction from MFA (Microsoft)
  1. Organizations using security AI and automation extensively saved an average of $1.9 million per breach compared to those using neither (IBM 2025).
  2. About one in three organizations uses security AI and automation extensively across prevention workflows (IBM).
  3. 63% of breached organizations either had no AI governance policy or were still developing one — a gap that maps directly to the shadow AI cost premium (IBM 2025).
  4. Multi-factor authentication blocks more than 99% of account compromise attacks (Microsoft security research).
  5. Sustained security awareness training cuts average phish-prone rates from about 33% to under 5% within 12 months (KnowBe4 benchmarking).
  6. Breaches at organizations with severe security staffing shortages cost $1.76 million more on average (IBM 2024) — the economic case for outsourced detection and response.
  7. Global cyber insurance premiums have grown to roughly $15 billion as breach costs push risk transfer into the mainstream (Munich Re); our cyber insurance statistics cover pricing and claims trends.

Sources

These statistics are compiled from the following research publications and databases:

  • IBM Cost of a Data Breach Report 2023, 2024, and 2025 (with Ponemon Institute)
  • Verizon Data Breach Investigations Report (DBIR) 2024 and 2025
  • Identity Theft Resource Center (ITRC) Annual Data Breach Report 2024
  • CMS.law GDPR Enforcement Tracker
  • HHS Office for Civil Rights breach portal and enforcement data
  • HIPAA Journal healthcare breach analysis
  • Mandiant / Google Cloud Snowflake campaign investigation
  • UnitedHealth Group earnings reports (2024)
  • Microsoft security research on MFA effectiveness
  • KnowBe4 Phishing by Industry Benchmarking Report
  • Munich Re Cyber Insurance Risk and Trends

Statistics are updated as new data becomes available. Last updated: July 2026.

Protect your organization with expert healthcare IT support designed for HIPAA compliance.

Managed IT for Healthcare

Topics

Data BreachCybersecurityComplianceRisk Management
Sreenivasa Reddy G
Written by

Sreenivasa Reddy G

Founder & CEO15+ years

Sreenivasa Reddy is the Founder and CEO of Medha Cloud, recognized as "Startup of the Year 2024" by The CEO Magazine. With over 15 years of experience in cloud infrastructure and IT services, he leads the company's vision to deliver enterprise-grade cloud solutions to businesses worldwide.

Managed IT SupportCloud InfrastructureDigital Transformation
Follow on LinkedIn

Need Expert Help?

Our certified cloud and IT engineers are ready to tackle your toughest challenges — from migrations to managed services.