IBM's 2025 Cost of a Data Breach: what the $10.22M number really means
Global breach costs fell 9% — but US enterprises bucked the trend with a 9% increase, hitting an average of $10.22M. A closer look at where the money actually goes.
IBM's annual Cost of a Data Breach Report, conducted by the Ponemon Institute, is one of the few public benchmarks security leaders can use to talk about cost in concrete dollars. The 2025 edition surveyed 600 organizations across the world that experienced a breach between March 2024 and February 2025.
Two numbers stand out — and they tell a different story depending on where you sit.
Globally, breach costs fell. In the US, they rose.
The global average cost of a data breach dropped to $4.44 million, down 9% from the year before. That's the first decline in five years. The driver, per the report, was faster identification and containment, with organizations using AI and automation extensively saving an average of $1.9 million on breach response.
But the US average rose to $10.22 million, a 9% increase over 2024. US breach costs are now roughly 4x the cost of a breach in India ($2.51M) and significantly higher than the global average. The split tells you something: globally, automated detection is paying off. In the US, the costs that move the average — regulatory fines, legal exposure, lost business, and customer notification — are still climbing.
What's actually in the number
When most people read "$10.22 million" they imagine ransom payments. The real composition of the IBM number is closer to:
- Detection and escalation — forensic work, incident triage, the cost of figuring out what happened
- Notification — required regulatory disclosures, customer outreach, breach-coach legal counsel
- Post-breach response — credit monitoring offered to affected individuals, regulatory responses, identity protection
- Lost business — customers who churn, deals that don't close, brand impact
That last bucket is where the US specifically loses ground. US consumers and B2B buyers churn faster after a breach disclosure than buyers in many other markets, and US regulators (especially state-level) impose more disclosure obligations.
Phishing as an attack vector
The 2025 report flags phishing as the most common breach attack vector, accounting for 16% of breaches, with phishing-driven breaches costing an average of $4.88 million. Stolen or compromised credentials are another top-five vector, accounting for 10% of breaches and taking an average of 186 days to identify — almost six months of attacker dwell time.
Why does this matter for awareness programs? A few things:
- The longest-dwelling breach types are credential-driven. That's not a perimeter problem. It's a "how does someone notice when their account is doing something it shouldn't" problem.
- The most common breach types start with someone clicking, replying, or being persuaded. That's exactly what awareness testing is designed to interrupt.
- The cost gap between detected-fast and detected-late is massive. IBM's data shows mean time to identify and contain a breach was 241 days in 2025 — and the longer it takes, the higher the eventual cost.
The AI angle
One reason global costs fell: AI and automation in security operations. The 2025 report finds that organizations that extensively used AI and automation for prevention and response saved $1.9M on average per breach and shortened the breach lifecycle by 80 days.
But there's a sting in the tail. The report also finds AI adoption is outpacing AI governance — organizations are deploying AI in business processes without applying the same access controls and monitoring they apply to traditional systems. That's where the next category of expensive breaches will likely come from.
What this means for awareness budgets
If the average US breach is $10.22M and a meaningful fraction starts with a person being fooled, the math on awareness investment looks different than it did three years ago. A program that reduces phishing click-through by even a small percentage pays for itself many times over against the cost of a single avoided breach.
That doesn't mean awareness alone is enough. The IBM data is clear: the orgs that come out best are the ones with layered defenses — fast detection, automated response, AND a workforce that doesn't hand attackers their first foothold. Awareness is the cheapest layer to add. It's also the layer that's most often skipped or run as compliance theater.
The number to remember from this report isn't $10.22M. It's the gap between organizations that treat awareness as a check-the-box exercise and ones that treat it as a behavior-change program. The IBM data shows that gap, in dollars, is enormous.
Sources: IBM Cost of a Data Breach Report 2025, IBM 2025 Cost of a Data Breach: Navigating the AI Rush, Infosecurity Magazine — Data Breach Costs Fall.