Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
Cost File 10.PR / Per-Record Cost | IBM CODB 2025 methodology

Cost-component profile

Cost per record: $178 for IP, $115 for anonymized data.

The single most-searched metric in data-breach economics. IBM's 2025 per-record figures run by data type: $178 for intellectual property down to $115 for anonymized customer data, with customer PII (the most commonly compromised type, in 53% of breaches) at $160. IBM publishes per-record cost by data type only, not by industry. The per-record figure is most reliable for mid-volume breaches of roughly 10,000 to 100,000 records; IBM's own study covered breaches of 2,960 to 113,620 records and cautions against multiplying its per-record figures across breaches involving millions of records.

Intellectual property: $178 (costliest record type)

Employee PII: $168 (IBM 2025)

Customer PII: $160 (most commonly stolen, 53%)

Anonymized data: $115 (lowest tracked type)

Section PR.1

The per-record cost by data class (IBM 2025)

IBM tracks per-record cost by the type of data exposed. The 2025 figures, with 2024 for comparison:

| Data class | 2025 | 2024 | Indicative use |
|---|---|---|---|
| Intellectual property | $178 | $173 | Source code, model weights, trade secrets |
| Employee PII | $168 | $189 | Name, address, SSN, employment data |
| Customer PII | $160 | $179 | Name, address, email, phone |
| Other corporate data | $154 | $171 | Contracts, financials, internal records |
| Anonymized customer data | $115 | $132 | Pseudonymised behavioural records |

Source: IBM Cost of a Data Breach Report 2025, Figure 6. Customer PII was the most commonly compromised type, present in 53% of breaches; intellectual property was the costliest per record.

Section PR.2

Sector-level per-record estimates (modeled)

IBM does not publish a per-record cost by industry. Where you see sector per-record figures quoted, they are derived, and so are these. The table below scales IBM's $160 customer-PII per-record figure by each sector's cost ratio against the $4.44M global average (both IBM 2025). Treat them as planning estimates, not IBM data.

| Industry | Modeled per-record estimate | Avg total cost (IBM 2025) | Primary regulation |
|---|---|---|---|
| Healthcare | ~$267 | $7.42M | HIPAA |
| Financial Services | ~$200 | $5.56M | PCI DSS / GLBA |
| Industrial | ~$180 | $5M | NIST / ICS |
| Energy | ~$174 | $4.83M | NERC CIP |
| Technology | ~$173 | $4.79M | SOX / GDPR |
| Pharmaceuticals | ~$166 | $4.61M | FDA / GxP |
| Services | ~$164 | $4.56M | Varies |
| Entertainment | ~$160 | $4.43M | Varies |
| Media | ~$152 | $4.22M | Varies |
| Hospitality | ~$145 | $4.03M | PCI DSS |
| Transportation | ~$143 | $3.98M | TSA / CISA |
| Education | ~$137 | $3.8M | FERPA |
| Research | ~$137 | $3.79M | Varies |
| Communications | ~$135 | $3.75M | FCC / GDPR |
| Consumer | ~$134 | $3.72M | CCPA / GDPR |
| Retail | ~$128 | $3.54M | PCI DSS |
| Public Sector | ~$103 | $2.86M | FISMA / FedRAMP |

Model: $160 customer-PII per-record baseline x (sector average cost / $4.44M global average), both from IBM CODB 2025. The scaling assumes record-driven costs move proportionally with sector cost, which holds best for notification, credit monitoring, and post-breach response and least well for sectors where business interruption dominates (energy, industrial).

Section PR.3

When per-record cost is reliable

The per-record figure is most reliable for mid-volume breaches in the range of approximately 10,000 to 100,000 records, which matches the range IBM actually studied (2,960 to 113,620 compromised records in the 2025 report). Within this range the per-record cost behaves as a stable multiplier and is the right number to use for back-of-envelope breach-cost estimation. Below the lower bound and above the upper bound the relationship breaks down for different reasons, and IBM's own methodology FAQ states it is not consistent with the research to use per-record cost for breaches involving millions of records.

For breaches below approximately 10,000 records, fixed costs dominate. The cost of forensic investigation does not scale linearly with record count: a forensic engagement for a 1,000-record breach still requires a minimum of $50K-$200K. The cost of legal counsel is similarly fixed at the lower end. The cost of regulator notification is a per-event cost rather than a per-record cost. The result is that effective per-record cost for small breaches can run into the thousands of dollars even though the per-record sector figure is much lower.

For breaches above approximately 100,000 records, fixed-cost amortisation reduces the effective per-record cost materially. Mega-breaches at the 100 million record scale typically show effective per-record cost in the $5-$25 range. The Yahoo breach (3 billion records, approximately $470M total cost) implies a per-record cost of approximately $0.16, far below any benchmark. The Change Healthcare 2024 breach (190 million records, $2.45B+ total cost) implies a per-record cost of approximately $13, again far below the $160 customer-PII figure. The amortisation effect is real and material at scale, which is exactly why IBM warns against extrapolating its per-record figures to mega-breaches.

Section PR.4

How the per-record figure moved in 2025

Per-record costs fell across almost every data class in 2025, mirroring the 9% decline in the global average: employee PII dropped from $189 to $168, customer PII from $179 to $160, other corporate data from $171 to $154, and anonymized customer data from $132 to $115. Intellectual property was the exception, rising from $173 to $178 and overtaking employee PII as the costliest record type.

The decline tracks the same driver as the headline average: faster identification and containment (241 days, a nine-year low) pushed detection and escalation costs down nearly 10%. The IP exception reflects the long-tail competitive damage of stolen source code, model weights, and trade secrets, which faster containment does little to claw back. One related 2025 data point: in shadow-AI incidents specifically, customer PII cost $166 per record, above the $160 global figure for that type.

Section PR.5

Using per-record cost for budget planning

For breach-cost budget planning at a typical mid-market organisation, the per-record cost is the right starting point only within the range IBM actually studied (roughly 3,000 to 113,000 records). For an organisation holding 50,000 customer records, baseline record-driven exposure is $160 x 50,000 = $8M before fixed costs and multipliers; a healthcare provider at the same record count lands nearer $267 x 50,000 = $13.4M on the modeled sector estimate above. Beyond roughly 100,000 records, do not multiply: amortisation takes over and a flat per-record multiplication produces absurd totals (190 million Change Healthcare records x $160 would imply $30B against an actual $2.45B).

The figures above are central estimates. Cyber-insurance underwriters typically apply a wide range around the central estimate to account for breach-specific factors: detection time (breaches over 200 days cost $1.14M more), attack-vector severity (attacker-disclosed extortion runs 14% above average, malicious insiders 11%, per IBM 2025), and control posture (extensive AI/security automation is associated with a $1.9M lower breach cost). For a fully-loaded estimate that accounts for these factors, use the homepage calculator rather than applying the per-record figure as a flat multiplier.

For organisations holding fewer than 10,000 records, the per-record figure is misleading. Use the SMB cost-range data on the small-business page instead, which is calibrated for the fixed-cost-dominated regime.
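The Section PR.2 scaling model and the range limits from Sections PR.3 and PR.5 can be combined into a small estimator that refuses to multiply outside the record counts IBM studied. This is an added example, not code from IBM or from this site's calculator; the function names are hypothetical, every dollar figure is copied from this page, and using IBM's studied range (2,960 to 113,620) as the cutoff is an assumption (Section PR.3 suggests a stricter lower bound of about 10,000).

```python
# Added example (not from IBM or the page): the Section PR.2 scaling model plus
# the Section PR.3/PR.5 range guard. All dollar figures are copied from the page.
GLOBAL_AVG_M = 4.44               # IBM 2025 global average total cost, $M
BASELINE_PER_RECORD = 160         # IBM 2025 customer-PII cost per record
STUDIED_RANGE = (2_960, 113_620)  # record counts covered by IBM's 2025 study

# Subset of the PR.2 table: sector -> average total cost in $M.
SECTOR_AVG_M = {"Healthcare": 7.42, "Financial Services": 5.56,
                "Retail": 3.54, "Public Sector": 2.86}


def modeled_per_record(sector=None):
    """Baseline x (sector average / global average), rounded as in the table."""
    if sector is None:
        return BASELINE_PER_RECORD
    return round(BASELINE_PER_RECORD * SECTOR_AVG_M[sector] / GLOBAL_AVG_M)


def regime(records):
    """Classify a record count against the range IBM actually studied."""
    low, high = STUDIED_RANGE
    if records < low:
        return "fixed-cost-dominated"
    return "amortised" if records > high else "per-record"


def record_driven_exposure(records, sector=None):
    """Flat estimate in dollars, or None where the page says not to multiply."""
    if regime(records) != "per-record":
        return None
    return modeled_per_record(sector) * records


def overestimate_factor(records, actual_total_usd):
    """How far a flat $160 multiplication overshoots a known total cost."""
    return BASELINE_PER_RECORD * records / actual_total_usd


if __name__ == "__main__":
    print(record_driven_exposure(50_000))                # 8000000
    print(record_driven_exposure(50_000, "Healthcare"))  # 13350000
    print(regime(1_000), regime(190_000_000))
    # Change Healthcare figures from the page: 190M records, $2.45B total.
    print(round(overestimate_factor(190_000_000, 2.45e9), 1))
```

A `None` result means the flat multiplication does not apply: use the small-business ranges below the lower bound and effective per-record figures from comparable incidents above the upper bound.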


Primary source: Per-record cost data from IBM Cost of a Data Breach Report 2025, Figure 6 (2025 and 2024 columns). Sector-level per-record estimates are modeled on this page as described in Section PR.2; IBM does not publish per-record cost by industry.