Headline figure / IBM 2025
A breach now costs $4.44M on average.
Independent register of breach-cost intelligence. IBM's 2025 figures, the Verizon DBIR, and Sophos ransomware data, presented as browsable, citable web pages instead of gated PDFs. Calculate your specific exposure below.
Global avg
$4.44M
-9% YoY
US avg
$10.22M
record high, +9%
Healthcare
$7.42M
#1 for 14 yrs
MTTD
241d
lowest in 9 yrs
AI savings
-$1.9M
extensive AI deploy
Shadow AI
+$0.67M
added breach cost
Source:IBM Cost of a Data Breach Report 2025, verified June 2026. 600 organizations, 16 countries and regions, 17 industries. Compiled by Oliver Wakefield-Smith.
Section I / Filer Particulars
Breach inputs
Sector multiplier x1.67 vs $4.44M global average (HIPAA). IBM 2025, Figure 3.
Customer / employee records at risk. IBM avg PII record value: $160.
Multiplier vs $4.44M baseline. IBM's attacker-disclosed extortion breach average ($5.08M).
Section II / Security Controls (IBM 2025 cost-factor analysis)
Section IV / AI-Threat Exposure (IBM 2025)
The 2025 AI factors: shadow AI adds up to $0.67M, a security skills shortage up to $1.57M. Governance maturity scales how much shadow-AI exposure you carry.
No unsanctioned AI tools in use. IBM 2025, Figure 40 (shadow-AI breaches $4.63M vs $3.96M).
Policy exists, controls inconsistently enforced. Scales shadow-AI exposure; IBM 2025: 97% of AI-model breaches lacked proper access controls.
Adequately staffed security team. IBM 2025, Figure 42 (high shortage $5.22M vs low $3.65M).
Estimated total exposure
$45,037,030
vs IBM 2025 avg
1014%
Per record
$900.74
Records
50,000
Region mult.
x2.30
Schedule B / IBM cost-category split
Where the money goes
IBM Cost of a Data Breach Report 2025, four-category methodology.
Schedule C / File this estimate
Export the filing
Turn this estimate into a shareable artifact. Save as PDF via your browser print dialog, or copy a plain-text filing to paste into a board pack, ticket, or email.
Section VI / Comparison band
At $45.04M, your estimated exposure is 10.14x the global IBM 2025 average and 4.41x the US average. The United States regional cost factor is x2.30 (State-by-state).
Reduce your exposure
PartnerTwo levers move the numbers above: transferring residual risk, and shortening the detection-to-containment window. Compare cyber-insurance cover or incident-response retainers.
Cyber-insurance cover
→Compare standalone cyber policies and what breach-response costs they reimburse.
Incident-response retainer
→How pre-negotiated IR retainers cut the 241-day detection-to-containment clock.
Independent register. Links above are neutral educational resources (CISA), not paid placements. This slot is labelled and disclosed; any future sponsored partner will be marked as such.
Schedule D / Results explained (plain text)
Your estimate, in words
Based on the IBM Cost of a Data Breach 2025 report, a breach of a 501 - 5,000 employees Healthcare organization in United States, exposing 50,000 records via Ransomware / Extortion, carries an estimated total exposure of $45,037,030. That is 1014% of the IBM 2025 global average breach cost of $4.44M (the US average is $10.22M), or 10.14x the global figure, and works out to $900.74 per record. The Healthcare sector averaged $7.42M in IBM 2025, and the United States regional cost factor is x2.30 relative to the global average. Detection assumption: Over 200 days ($5.01M basis). This estimate is classified as critical exposure.
AI-threat factors add an estimated $0 to this exposure. Shadow-AI usage is set to None / sanctioned only (IBM 2025 found shadow-AI breaches cost $4.63M versus $3.96M without, a $0.67M premium), AI-governance maturity to Partial (IBM 2025 found 97% of AI-model breaches occurred at organizations lacking proper AI access controls), and the security skills shortage to Low / none (IBM 2025 found a high shortage cost $5.22M versus $3.65M for low, a $1.57M premium).
| Cost category | Estimated amount | Share |
|---|---|---|
| Lost business | $13,961,479 | 31% |
| Detection & escalation | $14,862,220 | 33% |
| Post-breach response | $12,159,998 | 27% |
| Notification | $4,053,333 | 9% |
| Estimated total exposure | $45,037,030 | 100% |
IBM Cost of a Data Breach Report 2025. Cost-category split uses IBM's four-category methodology (detection 33%, lost business 31%, post-breach 27%, notification 9%). Verified June 2026.
Schedule C / Cost by industry sector
Average breach cost, all 17 sectors
Brick-red bars sit above the $4.44M global average; steel bars below it. Healthcare leads for the fourteenth consecutive year. Figures are the IBM 2025 averages, unmodified.
Primary source:IBM Cost of a Data Breach Report 2025, Figure 3 (industry averages). Verified June 2026.
02 Global statistics
→$4.44M global, $10.22M US, 241-day MTTD, year-over-year trends, attack-vector costs, AI impact.
03 By industry
→Healthcare $7.42M (#1, 14 years). Financial $5.56M. Industrial $5.00M. Tech $4.79M. All 17 sectors.
04 Biggest breaches
→Equifax, Marriott, Change Healthcare, MOVEit, 15 verified mega-breaches with sourced cost figures.
05 Prevention ROI
→AI/automation (-$1.9M), DevSecOps (-$227K), SIEM (-$212K). IBM 2025 cost factors ranked.
06 Ransomware costs
→$5.08M attacker-disclosed extortion breach. $1.32M median demand, 63% refuse to pay.
07 Small business
→$1.6M average SMB breach (TechAisle 2025). $15K-$3.31M cost ranges by size, common attacks, affordable defence.
08 By country / region
→16 IBM regions. US 2.30x global, Brazil 0.27x. GDPR impact and US state notification map.
09 Notification laws
→GDPR 72h, all 50 US states + DC, California SB 446 (30 days), penalties for late filing.
10 Cost breakdown
→33% detection, 31% lost business, 27% post-breach, 9% notification. The 5-year cost tail.
11 50-state laws
→All 50 states + DC, one page each: statute citation, deadline, AG threshold, private right of action, penalties.
New register / State notification statutes
Data breach notification laws by state: 51 statutes, no federal floor.
A multi-state breach can trigger up to 51 separate statutes, each with its own deadline, attorney general threshold, and penalty structure. One source-cited page per state: California, Texas, New York, Florida, and the rest of the 50 plus DC. Verified June 2026.
Open the 50-state register →Jurisdictions
51
Strictest
30d
Federal
None
Healthcare
→$7.42M average, 14 years at #1. Change Healthcare, Anthem, Premera.
Financial Services
→$5.56M average, #2 sector. Equifax, Capital One, JPMorgan.
Technology
→$4.79M average. Supply-chain blast radius driving downstream cost.
Retail
→$3.54M average. PCI DSS economics. Target, Home Depot, TJX.
Education
→$3.80M average, +9% YoY. FERPA + state laws. Lincoln College closure precedent.
Government
→$2.86M average, lowest tracked sector. FISMA + FedRAMP. OPM national-security cost.
Energy
→$4.83M average. OT/IT convergence. Colonial Pipeline regulatory aftermath.
Equifax 2017
→$1.4B+ total cost. 147M records. Apache Struts CVE-2017-5638.
Anthem 2015
→$260M+ total cost. 78.8M records. $16M OCR HIPAA settlement (then record).
Target 2013
→$292M cumulative. 40M cards + 70M records. HVAC vendor pivot.
Capital One 2019
→$300M+ total cost. 106M records. Cloud-misconfig precedent.
Change Healthcare 2024
→$2.45B+ disclosed. 190M records. Largest healthcare in US history.
MOVEit 2023
→$2.7B aggregate. 2,700+ orgs. Cl0p zero-day supply chain.
Marriott 2018
→$350M+ cumulative. 500M Starwood guests. 4-year undetected dwell.
T-Mobile 2021
→$500M+ total cost. 77M records. $150M security investment mandate.
23andMe 2023
→$30M+ settlement. 6.9M affected. Credential stuffing, board resigned, bankruptcy.
Snowflake 2024
→~165 customers hit. Ticketmaster, AT&T. Stolen credentials, no MFA on cloud warehouse.
MGM Resorts 2023
→~$100M impact. Scattered Spider / ALPHV. 10-day operational outage via social engineering.
SolarWinds 2020
→18,000 customers. SUNBURST supply-chain backdoor. SEC enforcement case dismissed 2024.
GDPR breach fine
→4% global revenue or 20M EUR. Meta 1.2B EUR (largest). 72-hour notification.
HIPAA breach penalty
→4-tier structure: $145 to $2.19M annual cap (2026). OCR Wall of Shame portal.
CCPA breach fine
→$2,500 negligent, $7,500 intentional. $100-$750 private action.
PCI DSS breach cost
→$5K-$100K monthly fines + $5-$15 per card reissuance.
SEC Item 1.05
→4-business-day cyber disclosure. Stock-price 2-7% typical impact.
Cost per record
→$178 IP down to $115 anonymized data. When per-record is reliable, when it breaks.
Notification cost
→$1-$3 per letter, $20-$80 per call. Multi-state regulator filing economics.
Credit monitoring
→$10-$30 retail, $4-$12 enterprise bulk. Settlement-mandated enrolment.
Forensics investigation
→$200-$2,000/hour. Mandiant, CrowdStrike, Kroll, Unit 42 rate cards.
Class-action settlement
→$100M-$400M for mega-breaches. $1.50-$5 per class member typical.
Building around your breach response?
Digital Signet builds custom software and AI automation for security teams. Incident tooling, evidence collection, notification workflows, audit prep.
Get in touch →