For the 20th consecutive year, experts at the Ponemon Institute have determined the cost of a data breach at companies and organizations. The outcomes have been published by sponsor IBM in its Cost of a Data Breach Report 2025. For the first time, the latest report also investigates AI-related risks.
Starting with the good news, the global average cost of a data breach has dropped – to USD 4.44 million. This represents a nine percent fall from USD 4.88 million in 2024 and can mainly be ascribed to security breaches being detected and contained more rapidly due to the increased use of AI and automation in security processes. The global figure would have fallen even more significantly if not counterbalanced by trends in the USA, where the average cost rose by nine percent to USD 10.22 million. The report identifies higher regulatory fines and increased costs related to detection and escalation as the major factors driving costs up in the US.
AI: A double-edged sword
With regard to AI, the report confirms that adversaries are leveraging these new technologies to perfect their phishing campaigns and other social engineering attacks. IBM estimates that using generative AI enables attackers to reduce the time needed to create a convincing phishing email from 16 hours to only five minutes. In the recent report, researchers found that 16% of breaches already involved adversaries using AI in their attacks, most commonly phishing attacks (37%) or deepfake attacks (35%).
In compiling the Cost of a Data Breach Report 2025, Ponemon researchers interviewed nearly 3,500 security and C-level business leaders at 600 organizations impacted by data breaches between March 2024 and February 2025 – across 17 sectors and in 16 countries and regions. The breaches ranged in magnitude from 2,960 to 113,620 compromised records.
Shadow AI shown to be very costly
Returning to AI, 13 percent of all organizations reported a security incident involving an AI model or application. And 97% of those breached organizations stated that they lacked proper AI access controls. These attacks most often took place via the supply chain (compromised apps, APIs, plug-ins etc.) and resulted in more widespread data leakage (60%) and operational disruption (31%). Based on these figures, Ponemon and IBM foresee AI developing into a lucrative target.
At the same time, 63% of the companies surveyed either had no AI governance policies in place or were still in the process of developing them. Fewer than half of the organizations had strict procedures for AI deployments, while 62% lacked automated AI risk-assessment tools and only 34% regularly conducted third-party security audits for unsanctioned AI. Shadow AI also increases the cost of a data breach by roughly USD 200,000 on average, and more often leads to breaches involving customer PII (65%) and intellectual property (40%).
Email security remains vital
For the second year running, the highest average costs among “conventional” attack vectors were those caused by malicious insiders at USD 4.92 million, closely followed by third-party vendor and supply-chain compromise (USD 4.91 million). Other costly attack vectors included phishing and the exploitation of vulnerabilities. Phishing, which on average cost organizations USD 4.8 million, was actually the most frequent attack vector at 16%. This trend underscores the continued importance of effectively safeguarding your business-critical email channel.
The full Cost of a Data Breach Report 2025 is available for download upon registration.