What is the average cost of a data breach?

According to IBM's Cost of a Data Breach Report 2024, the global average cost of a data breach is $4.88 million — up from $4.45 million in 2023. This is the highest figure ever recorded in the report's 19-year history.

Which industry has the highest data breach cost?

Healthcare has the highest per-record breach cost at $10.93 per record, followed by financial services at $5.97 per record. Healthcare has held the top position for 14 consecutive years due to highly sensitive data and strict regulatory requirements.

How much does an incident response team save in a data breach?

IBM's 2024 report found that organizations with a dedicated incident response team save an average of $2.66 million compared to those without one. AI-based security tools save $1.76 million on average.

How long does it take to contain a data breach?

The global average time to identify and contain a data breach is 258 days (194 days to identify + 64 days to contain). Breaches contained in under 200 days cost $3.93M on average vs $4.95M for breaches taking over 200 days.

What factors most reduce data breach costs?

The top cost-reducing factors from IBM 2024 are: incident response team (-$2.66M), AI and automation in security (-$1.76M), employee training (-$1.5M), encryption (-$360K), and DevSecOps approach (-$249K).

Data Breach Cost Breakdown: Where the Money Actually Goes (2026)

IBM's Four Cost Categories

IBM categorizes data breach costs into four distinct areas, each representing different phases and types of expenditure during and after a breach incident. Understanding this breakdown is essential for incident response planning, insurance negotiations, and board-level budget conversations. At the $4.44M global average, each percentage point represents approximately $44,400 — meaning the 38% attributed to lost business accounts for roughly $1.69M in customer churn, revenue loss, and reputation damage.

38%

Lost Business

29%

Detection & Escalation

27%

Post-Breach Response

Notification

Lost Business38% ($1.69M)

Detection & Escalation29% ($1.29M)

Post-Breach Response27% ($1.20M)

Notification6% ($0.27M)

Lost Business

38%

Customer churn, revenue loss, reputation damage, system downtime

Detection & Escalation

29%

Forensic investigation, assessment, audit services, crisis management

Post-Breach Response

27%

Help desk, credit monitoring, identity protection, legal, regulatory

Notification

Letters, emails, regulatory filings, call centre setup

Source: IBM Cost of a Data Breach Report 2025

The 5-Year Cost Tail

One of the most underappreciated aspects of data breach costs is their duration. The initial incident response — the dramatic phase of forensics, containment, and notification — represents only 53% of total costs. Nearly half of all breach costs emerge in years two through five, driven by litigation, regulatory proceedings, continued customer churn, and the compounding effects of reputation damage. This multi-year distribution means that annual security budgets and insurance policies must account for ongoing costs, not just the immediate incident.

Year 153%

Immediate response, forensics, notification

Year 224%

Ongoing litigation, continued customer churn

Years 3-523%

Class action settlements, long-term brand damage

Case Study: Equifax (2017-2025)

Equifax's 2017 breach is the clearest illustration of the multi-year cost tail. The initial breach exposed 147 million records through an unpatched Apache Struts vulnerability. Year one costs included forensic investigation, system remediation, and initial notification ($200M+). Year two brought the $700M FTC settlement and the beginning of class action litigation. Years three through five saw continued litigation costs, mandatory security investments imposed by regulators, ongoing credit monitoring for affected individuals, and compliance remediation. By 2025 — eight years after the breach — Equifax had spent over $1.4 billion and was still accruing costs from regulatory compliance requirements. The breach also triggered CISO and CIO resignations, stock price decline of 35%, and permanent reputational impact that affected new customer acquisition for years.

Hidden Costs Most Companies Miss

IBM's four cost categories capture the direct, measurable expenses of a data breach. But many significant costs fall outside these categories or are difficult to quantify at the time of the incident. These hidden costs often represent the difference between a manageable incident and an existential threat, yet they are rarely included in breach cost calculators or insurance policies.

Executive Turnover

40% of CISOs replaced within 12 months

Major breaches trigger executive accountability. Equifax, Target, 23andMe, and Optus all saw C-suite departures. Replacing a CISO costs $500K-$1M in recruitment and the institutional knowledge loss is incalculable. Beyond the CISO, CIO and CEO positions are increasingly at risk — Target's CEO was forced out, and 23andMe's entire board resigned. This career risk is a powerful but unmeasured cost that affects security team morale and retention across the organization.

Insurance Premium Increases

50-200% increase after a breach

Cyber insurance premiums typically increase 50-200% at the next renewal following a breach, with some carriers declining to renew entirely. This increased cost persists for 3-5 years, representing hundreds of thousands to millions in additional annual expense. Some organizations discover their coverage was inadequate only after a breach — sub-limits, exclusions for nation-state attacks, and ransomware-specific carve-outs can leave significant gaps.

Increased Audit and Compliance Costs

3-5 years of elevated scrutiny

Post-breach, organizations face increased audit requirements from regulators, payment card networks (PCI DSS Level 1 assessment mandate), and business partners. SOC 2 audits become more rigorous, regulatory examinations become more frequent, and business partners may require additional security attestations. These increased compliance costs typically persist for 3-5 years and can add $200K-$500K annually to compliance budgets.

Opportunity Cost

Security team diverted from roadmap for 6-12 months

When a breach occurs, the security team (and much of IT) pivots to incident response, forensics, remediation, and regulatory compliance. This diverts resources from planned security improvements, product development, and business initiatives. A 6-12 month diversion of a 10-person security team represents $1M-$2M in redirected labour, plus the cost of delayed projects that may have prevented future incidents.

Board and Investor Confidence

Average 7.5% stock drop within 3 months

Beyond the measurable stock price impact, breaches erode board and investor confidence in management. This can lead to governance changes, increased board oversight requirements, mandatory security committees, and pressure for management changes. For private companies, breaches can reduce valuation in funding rounds or M&A transactions — Yahoo's acquisition price was reduced by $350M following its breach disclosure.

Recruitment Difficulty

Top talent avoids breached companies

Security professionals are in high demand, and top candidates have their pick of employers. Organizations that have experienced high-profile breaches report increased difficulty recruiting security talent, often needing to offer 20-30% salary premiums to attract experienced professionals. This recruitment challenge persists for 2-3 years after a major breach and compounds the organization's ability to improve its security posture.

Contract and Vendor Relationship Damage

Enterprise clients may terminate after breach

Enterprise customers increasingly include security breach clauses in contracts that allow termination following a vendor breach. Losing even a few enterprise clients can represent millions in annual recurring revenue. Additionally, existing clients may demand enhanced security audits, penetration testing results, and contractual security warranties, adding ongoing compliance costs to every business relationship.

Stock Price Impact

Public companies experience an average 7.5% stock price decline within three months of a major breach disclosure. However, the impact varies enormously based on the severity of the breach, the quality of incident response communication, and the company's existing market position. Companies that respond transparently and demonstrate clear remediation plans tend to recover faster than those that attempt to minimize the incident. The stock price impact represents billions in lost market capitalization for large companies, far exceeding the direct breach costs in many cases.

Company	Stock Drop	Recovery	Total Cost
Equifax (2017)	-35%	18 months to pre-breach levels	$1.4B+
Target (2013)	-10%	6 months	$292M
SolarWinds (2020)	-25%	12 months	$100M+
Capital One (2019)	-7%	4 months	$300M+
Marriott (2018)	-6%	3 months	$350M+

Source: Company SEC filings, market data. Stock drops measured within 3 months of disclosure.

Legal Cost Deep Dive

Legal costs represent one of the most unpredictable components of breach cost, with potential exposure ranging from $50,000 for a small, well-managed incident to hundreds of millions for mega-breaches. The legal cost spectrum includes immediate incident response legal counsel, regulatory defence, class action litigation, government investigations, and ongoing compliance obligations. Understanding these components helps organizations evaluate insurance coverage adequacy and set appropriate legal reserves.

Class action settlements: Nearly every breach affecting more than 100,000 individuals in the US triggers class action lawsuits. Average settlements for mega-breaches range from $30 million to $150 million, with outliers like T-Mobile ($350M) and Equifax ($700M FTC settlement plus additional litigation). Class action defence costs $2-$10 million in legal fees even before settlement, and cases typically take 2-4 years to resolve. The emergence of statutory damages provisions in CCPA ($100-$750 per consumer per incident) and BIPA ($1,000-$5,000 per violation) creates even larger exposure for future breaches.

Attorney fees: Breach response attorneys specialising in cybersecurity law charge $300-$1,000 per hour. A typical breach response engagement requires 500-2,000 attorney hours over 6-18 months, covering incident assessment, regulatory notification strategy, regulatory defence, litigation management, and insurance claims coordination. Total legal fees for a mid-market breach typically range from $150K-$2M; mega-breaches can generate $10M+ in legal fees before any settlements or judgments.

Settlement vs trial economics: The vast majority of breach lawsuits settle rather than go to trial, because both sides face uncertainty and trial costs. Defendants prefer settlement to avoid unpredictable jury verdicts and to control the timeline and publicity. Plaintiffs prefer settlement for the certainty of recovery. Settlement negotiations typically begin 6-18 months after the breach and may take an additional 6-12 months to finalize. The settlement amount is influenced by the number of affected individuals, the sensitivity of the data, the defendant's response quality, and precedent from similar cases.

Calculate Your Exposure

See the full cost breakdown for your specific scenario.

Global Context

How the $4.44M global average breaks down across all cost categories.

Real Breach Costs

See these cost categories in action across 15+ major breaches.

Prevent These Costs

10 security controls that reduce breach costs measurably.

Notification Costs

Deep dive into the 6% notification category by jurisdiction.

Frequently Asked Questions

The most commonly overlooked breach costs include: executive turnover (40% of CISOs replaced within 12 months of a major breach, costing $500K-$1M in recruitment), insurance premium increases (50-200% at next renewal, persisting 3-5 years), increased audit and compliance costs ($200K-$500K/year for 3-5 years), opportunity cost of diverted security team (6-12 months of redirected effort), recruitment difficulty (20-30% salary premiums needed to attract talent post-breach), lost enterprise contracts (customers with breach termination clauses), and reduced M&A valuation (Yahoo's acquisition price dropped $350M). These hidden costs often exceed the direct, measurable costs tracked by IBM.

Public companies experience an average 7.5% stock price decline within three months of a major breach disclosure. However, impact varies significantly: Equifax dropped 35% (recovering in 18 months), SolarWinds dropped 25% (12-month recovery), Target fell 10% (6-month recovery), while Marriott dropped only 6% (3-month recovery). Key factors determining impact severity include: breach scale, data sensitivity, quality of incident response, transparency of communication, and the company's market position. Companies that respond transparently and demonstrate clear remediation plans consistently recover faster than those that minimize or conceal the incident.

Data breach lawsuit costs range from $50K for small incidents to $700M+ for mega-breaches. Class action settlements for significant breaches typically range from $30M-$150M, with notable outliers including Equifax ($700M FTC settlement), T-Mobile ($350M), and Facebook ($5B FTC). Defense attorney fees alone cost $2-$10M before settlement, with cybersecurity attorneys charging $300-$1,000/hour over 500-2,000 hours. Cases typically take 2-4 years to resolve. The emergence of statutory damages under CCPA ($100-$750 per consumer) and BIPA ($1,000-$5,000 per violation) creates potentially larger exposure for future breaches in those jurisdictions.

IBM's research shows that 53% of breach costs occur in year one, 24% in year two, and 23% in years three through five. However, mega-breaches can generate costs for much longer. Equifax's 2017 breach was still generating costs in 2025 (8 years later). Facebook's 2019 data scraping resulted in a $1.6B EU fine in 2023 (4 years later). The longest-lasting cost components are class action litigation (2-5 years to settlement), regulatory compliance requirements (3-5 years of increased scrutiny), insurance premium increases (3-5 years), and reputation damage (varies but can be permanent for some organizations). Organizations should model 5-year cost projections when evaluating breach impact.

Customer churn is the largest single component of breach cost at 38% of total (approximately $1.69M at the $4.44M global average). Research shows that 65% of consumers lose trust in a business after a breach, and 85% say they would avoid companies with perceived security weaknesses. The cost of churn depends on customer lifetime value and acquisition costs: in B2B contexts, losing a single enterprise client can represent millions in annual recurring revenue. Healthcare and financial services experience the highest churn costs because customers have strong alternatives and high data sensitivity expectations. The churn effect is not immediate — it typically accelerates 3-6 months after breach disclosure as affected individuals reassess their provider relationships.

IBM breaks costs into four categories: lost business (38% — customer churn, revenue loss, reputation damage), detection and escalation (29% — forensic investigation, assessment, audit, crisis management), post-breach response (27% — help desk, credit monitoring, legal, regulatory), and notification (6% — letters, emails, regulatory filings, call centers). This means 71% of costs occur after the breach is detected, underscoring that prevention and rapid detection are far more cost-effective than response. Organizations that invest in detection capabilities (reducing the 29% category through faster identification) also reduce the 38% lost business category because faster detection correlates with smaller breach scope and less data exfiltration.