Sector profile
Technology breaches cost $4.97M on average, but the blast radius is unique.
IBM's 2025 tech-sector figure of $4.97M sits at rank #4 among the sectors IBM tracks. The headline number understates the true sector cost: IBM measures the cost to the breached entity, and tech-firm breaches frequently cascade through downstream customers in ways that methodology cannot capture. SolarWinds, MOVEit, and the 2024 Snowflake credential-compromise campaign each affected hundreds or thousands of downstream organisations, with industry-wide totals an order of magnitude larger than any single-firm figure.
Avg total cost: $4.97M (IBM CODB 2025, tech sector)
Per record: $196 (mid-tier sector)
YoY change: +2% (slight uptick)
Years at #4: 5 (consistent rank since 2020)
Section TC.1
Why tech-sector cost figures understate the true exposure
IBM's sector figure measures the cost incurred by the breached entity. For a typical company that holds its own data, that captures the meaningful exposure. For technology companies, especially software-supply-chain vendors and cloud-infrastructure providers, the meaningful exposure also includes the costs that propagate to every customer organisation that consumed the compromised product or service. The 2020 SolarWinds breach is the clearest example. SolarWinds itself disclosed roughly $90M in direct cost across response, SEC enforcement, and remediation. Roughly 18,000 customers downloaded the trojanized Orion update; the actor pushed a second stage into a far smaller subset (SolarWinds put the number of customers with follow-on activity at under 100), but every one of the 18,000 still had to investigate, rebuild or re-image Orion hosts, and rotate the credentials the platform had held. The cost across those organisations was estimated at over $100M and likely exceeded $500M once fully tallied.
The MOVEit campaign in 2023 produced an even larger gap. Progress Software faced direct response costs in the tens of millions for the SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362), which was mass-exploited as a zero-day from late May 2023 to pull data directly off the transfer servers. The downstream impact across 2,700+ affected organisations, including state government agencies, universities, healthcare entities, and financial-services firms, was estimated at $2.7B in aggregate by IBM Security's 2024 supply-chain analysis. That figure does not appear on Progress Software's books, but it is the true economic cost of the breach.
The 2024 Snowflake campaign illustrated the cloud-service variant of the same dynamic. Threat actors used credentials harvested by infostealer malware, many of them years old and never rotated, to log into Snowflake customer accounts that did not enforce MFA, then exfiltrated customer data from approximately 165 Snowflake customer organisations including Ticketmaster, AT&T, and Santander. Snowflake's own platform was not breached; the controls that failed (MFA enforcement, credential rotation, network allow-lists) sat on the customer side of the shared-responsibility line. Snowflake-hosted customer data was nonetheless exposed, with industry-wide costs already past $1B.
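The check a Snowflake customer would have wanted before this campaign is simple to state: which accounts can be reached with a password alone, and which of them just authenticated from a source they have never used. The following is an added example, not Snowflake's or Mandiant's code. SAMPLE_ROWS is constructed test data shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (the view and column names in SOURCE_QUERY are real; the factor labels and client types in the sample are illustrative), and CUTOFF marks where the per-user baseline ends.

```python
"""Detection over login records for the credential-replay pattern behind the
2024 Snowflake campaign: a successful password-only login (no second factor)
from a source the account has never used before.

Added example, not Snowflake's or Mandiant's code. SAMPLE_ROWS is constructed
test data shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; in
production the rows would come from SOURCE_QUERY below.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Real view and column names; run this in the account to get live rows.
SOURCE_QUERY = """
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor, is_success
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -180, CURRENT_TIMESTAMP())
"""

# Constructed sample: one MFA user, one password-only service account that
# never moves, and one password-only contractor whose credential is replayed
# from a new IP with a new client after the baseline window.
SAMPLE_ROWS = [
    ("2024-03-02T09:15:00", "ANALYST_A",    "192.0.2.10",   "SNOWFLAKE_UI",  "PASSWORD", "DUO_PUSH", "YES"),
    ("2024-04-11T10:02:00", "ANALYST_A",    "192.0.2.10",   "SNOWFLAKE_UI",  "PASSWORD", "DUO_PUSH", "YES"),
    ("2024-03-05T02:00:00", "SVC_ETL",      "192.0.2.50",   "PYTHON_DRIVER", "PASSWORD", None,       "YES"),
    ("2024-04-05T02:00:00", "SVC_ETL",      "192.0.2.50",   "PYTHON_DRIVER", "PASSWORD", None,       "YES"),
    ("2024-01-20T14:30:00", "CONTRACTOR_B", "198.51.100.7", "SNOWSQL",       "PASSWORD", None,       "YES"),
    ("2024-05-19T23:58:00", "CONTRACTOR_B", "203.0.113.42", "JDBC_DRIVER",   "PASSWORD", None,       "NO"),
    ("2024-05-20T00:01:00", "CONTRACTOR_B", "203.0.113.42", "JDBC_DRIVER",   "PASSWORD", None,       "YES"),
    ("2024-05-22T08:00:00", "ANALYST_A",    "192.0.2.77",   "SNOWFLAKE_UI",  "PASSWORD", "DUO_PUSH", "YES"),
]
CUTOFF = datetime(2024, 5, 1)  # successful logins before this form the per-user baseline


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    client_ip: str
    client_type: str
    first_factor: str
    second_factor: str | None
    success: bool

    @property
    def password_only(self) -> bool:
        return self.first_factor == "PASSWORD" and self.second_factor is None


def parse_rows(rows) -> list[Login]:
    """Convert raw (ts, user, ip, client, factor1, factor2, is_success) rows."""
    return [Login(datetime.fromisoformat(r[0]), r[1], r[2], r[3], r[4], r[5], r[6] == "YES")
            for r in rows]


def password_only_users(logins: list[Login]) -> list[str]:
    """Every user with at least one successful login protected by a password alone.
    This is the population the campaign could reach at all."""
    return sorted({l.user for l in logins if l.success and l.password_only})


def novel_source_logins(logins: list[Login], cutoff: datetime) -> list[Login]:
    """Successful logins at or after `cutoff` from an (ip, client) pair the user
    never used before it. Failed attempts count neither as baseline nor as alerts."""
    baseline = defaultdict(set)
    for l in logins:
        if l.success and l.ts < cutoff:
            baseline[l.user].add((l.client_ip, l.client_type))
    return [l for l in logins
            if l.success and l.ts >= cutoff
            and (l.client_ip, l.client_type) not in baseline[l.user]]


def high_risk_logins(logins: list[Login], cutoff: datetime) -> list[Login]:
    """Novel source AND no second factor: the infostealer-replay signature.
    A novel source with MFA (a user on a new laptop) is noise, not an alert."""
    return [l for l in novel_source_logins(logins, cutoff) if l.password_only]


if __name__ == "__main__":
    logins = parse_rows(SAMPLE_ROWS)
    print("password-only users:", password_only_users(logins))
    for l in high_risk_logins(logins, CUTOFF):
        print(f"ALERT {l.ts} {l.user} from {l.client_ip} via {l.client_type} (no MFA)")
```

On the sample, the service account is reachable but never moves, the MFA user shows up from a new IP but is filtered out by the second factor, and only the contractor's replayed credential produces an alert. The failed attempt one minute earlier from the same new IP is deliberately not counted: the baseline is built from successes only, so an attacker cannot "teach" the detector a source by failing at it first.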
Section TC.2
IP loss: the line item that does not appear in IBM data
The IBM methodology captures PII-related cost categories well. It captures intellectual-property loss poorly, because the depreciation of stolen source code, model weights, or proprietary algorithms is difficult to quantify and slow to manifest. The cost shows up later in the form of lost competitive position, accelerated commoditization, and forced re-architecture to defend against the lookalike products that ship from competing jurisdictions 18 to 36 months after the breach.
For AI companies, the asset most exposed to breach is the model weight file itself. A foundation model that costs $100M to train is a single artefact whose loss to a competitor (or to a state-sponsored actor) is a direct, dollar-for-dollar depreciation of the training investment. The most prominent public example is the January 2024 leak of a quantised build of an older Mistral model, circulated as "miqu-1-70b": Mistral's CEO confirmed that an employee of an early-access customer had leaked it, but the company disclosed nothing about the internal cost. Model-weight protection is rapidly becoming the highest-priority data-protection objective at AI labs, with implications for security-control investment that the IBM dataset has yet to track explicitly.
For SaaS firms, the exposed asset is typically the customer-tenant configuration plus the API integration credentials customers have stored in the SaaS platform. Tenant-isolation failures (where one customer's data is exposed to another) are particularly expensive because they trigger breach notification across multiple customer organisations simultaneously, each with its own regulator obligations. Most such failures are ordinary authorisation bugs rather than exotic ones: a lookup keyed on a record identifier that never checks the caller's tenant, a cache or search index shared across tenants, or a background job that runs with platform-wide rather than tenant-scoped credentials.
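The first of those bug classes, and the fix a reviewer should insist on, as an added example that is not code from any vendor named on this page. The table, tenants and stored credentials are constructed; the lookup functions and the TenantScopedRepo class are illustrative names. The probe at the end is the regression test a SaaS team would run: enumerate identifiers as one tenant and confirm nothing belonging to another tenant comes back.

```python
"""Tenant-isolation failure and its fix over a constructed multi-tenant table
of customer-stored integration credentials (added example, not vendor code).

Vulnerable: the lookup is keyed on the record id alone, so any authenticated
caller who guesses or enumerates an id reads another tenant's secret.
Fix: the tenant from the authenticated session is part of every query, and is
bound once at the repository layer so no individual query can forget it.
"""
import sqlite3
from typing import Callable, Iterable, Optional


def build_db() -> sqlite3.Connection:
    """Constructed data: two tenants, three stored integration secrets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE integration_secrets ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
        " name TEXT NOT NULL, secret TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO integration_secrets VALUES (?, ?, ?, ?)",
        [
            (1, "tenant-acme",   "github", "ghp_acme_constructed"),
            (2, "tenant-acme",   "slack",  "xoxb-acme-constructed"),
            (3, "tenant-globex", "github", "ghp_globex_constructed"),
        ],
    )
    return conn


def _row_to_dict(row) -> Optional[dict]:
    if row is None:
        return None
    return {"tenant_id": row[0], "name": row[1], "secret": row[2]}


def get_secret_vulnerable(conn, session_tenant: str, secret_id: int) -> Optional[dict]:
    """BUG: session_tenant is accepted but never reaches the query, so the
    caller's tenant plays no part in what comes back."""
    row = conn.execute(
        "SELECT tenant_id, name, secret FROM integration_secrets WHERE id = ?",
        (secret_id,),
    ).fetchone()
    return _row_to_dict(row)


def get_secret_scoped(conn, session_tenant: str, secret_id: int) -> Optional[dict]:
    """FIX: the tenant from the authenticated session is in the WHERE clause.
    A foreign id simply does not exist from this caller's point of view, which
    also avoids leaking existence through a distinct 'forbidden' error."""
    row = conn.execute(
        "SELECT tenant_id, name, secret FROM integration_secrets"
        " WHERE id = ? AND tenant_id = ?",
        (secret_id, session_tenant),
    ).fetchone()
    return _row_to_dict(row)


class TenantScopedRepo:
    """Structural fix: bind the tenant at construction (from the session, never
    from request parameters) so callers cannot pass or omit it per call."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self._conn = conn
        self._tenant = tenant_id

    def get(self, secret_id: int) -> Optional[dict]:
        return get_secret_scoped(self._conn, self._tenant, secret_id)

    def list_names(self) -> list:
        rows = self._conn.execute(
            "SELECT name FROM integration_secrets WHERE tenant_id = ? ORDER BY name",
            (self._tenant,),
        ).fetchall()
        return [r[0] for r in rows]


def cross_tenant_probe(conn, lookup: Callable, session_tenant: str, ids: Iterable[int]) -> list:
    """Enumerate ids as `session_tenant` and return every id whose row belongs
    to a different tenant. An empty list means isolation held."""
    return [i for i in ids
            if (row := lookup(conn, session_tenant, i)) is not None
            and row["tenant_id"] != session_tenant]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup leaks ids:", cross_tenant_probe(db, get_secret_vulnerable, "tenant-globex", range(1, 4)))
    print("scoped lookup leaks ids:    ", cross_tenant_probe(db, get_secret_scoped, "tenant-globex", range(1, 4)))
```

Run as tenant-globex, the vulnerable lookup hands back both of tenant-acme's stored credentials; the scoped lookup returns nothing for those ids. The repository class is the form worth standardising on, because a per-query `AND tenant_id = ?` is exactly the clause that gets dropped when the next engineer adds a new endpoint.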
Section TC.3
Notable tech-sector breaches
Facebook / Meta, 2019
540M records / Cambridge Analytica-era privacy violations / Multiple incidents
$5B+
The FTC's $5B settlement with Facebook in July 2019 remains the largest privacy-related civil penalty by any single regulator anywhere in the world. The settlement covered violations of a 2012 FTC consent order that resulted from the Cambridge Analytica disclosure and subsequent privacy failures. The 2023 GDPR fine of EUR 1.2B by the Irish Data Protection Commission for unlawful transatlantic data transfers added materially to the total. Facebook also faced multiple state AG actions and class-action settlements bringing combined cost above $7B by 2025.
Primary source: FTC consent order 24 July 2019; Irish DPC decision 22 May 2023; SEC 10-K filings.
Yahoo, 2013-2014
3B records / State-sponsored (Russian intelligence) / Forged session cookies
$470M+
Yahoo's 2013-2014 breaches were the largest known by record count: every Yahoo account, 3 billion in all, was compromised. The breaches were not disclosed publicly until 2016, during the Verizon acquisition. Verizon used the late disclosure to negotiate a $350M reduction in the acquisition price (from $4.83B to $4.48B), the most visible single example of breach cost flowing through M&A valuation. Yahoo (by then Altaba) subsequently agreed to a $117.5M class-action settlement and a $35M SEC penalty for the late disclosure, the SEC's first enforcement action against a public company for failing to disclose a breach, with total disclosed cost reaching about $470M.
Primary source: SEC 8-K filings September and December 2016; Verizon SEC 8-K 21 February 2017; class-action settlement Northern District of California 2018.
SolarWinds, 2020
18,000 orgs / Supply-chain (SUNBURST backdoor) / Russian SVR-attributed
$90M direct (disclosed); $500M+ downstream (estimated)
SolarWinds's Orion network-management software was trojanized at the build stage by a Russian intelligence actor, with the backdoored update distributed to roughly 18,000 customer organisations. SolarWinds itself disclosed approximately $90M in direct cost over 2021-2023. The SEC subsequently filed charges against SolarWinds and its CISO in October 2023 alleging fraud and internal-control failures, the first major SEC enforcement action against a CISO personally. The downstream cost across customer organisations including US federal agencies was estimated at over $500M when fully tallied.
Primary source: SEC complaint 30 October 2023; SolarWinds SEC 10-K 2020-2023; CISA Emergency Directive 21-01.
Section TC.4
The SEC v. CISO precedent
The October 2023 SEC enforcement action against SolarWinds and its CISO, Tim Brown, is the single most consequential change to the cost calculus for tech-sector security leaders since GDPR. Until SolarWinds, breach cost was assumed to be an enterprise expense rather than a personal-liability question. The complaint alleged that Brown personally made materially misleading statements about the company's security posture in its public Security Statement and in SEC filings, and sought to bar him from serving as an officer or director of a public company. In July 2024 the court dismissed most of the claims, including those resting on the company's post-breach disclosures, leaving only the claims tied to the pre-breach Security Statement. The case is ongoing as of 2026, but the precedent has already changed CISO insurance markets, with cyber D&O policies now standard at tech companies.
For tech-sector breach cost analysis, the implication is that the executive-protection insurance line item now adds materially to total cost-of-readiness. CISO D&O premium at a tech company with material public-cloud exposure runs $100K to $400K annually for $10M to $25M of coverage, and the deductibles have risen sharply since the Brown complaint. The cost is not in IBM's sector figure, but it is real, and it is permanent.
Cross-references
Case / MOVEit 2023 → $2.7B industry-wide cost across 2,700+ downstream organisations.
Regulation / SEC Item 1.05 → Form 8-K Item 1.05: disclosure of a material cyber incident within four business days of the materiality determination; Brown complaint.
Cost / Per record → $196 for tech vs $408 healthcare, full sector table.
Cost / Forensics → Mandiant, CrowdStrike, Kroll IR rates and engagement scope.
Index / All industries → All 10 IBM sectors ranked.
Primary source: Technology sector cost figures from IBM Cost of a Data Breach Report 2025. Notable breach data from SEC filings, FTC consent orders, GDPR enforcement notices, and CISA emergency directives. Supply-chain aggregate cost estimates from IBM Security 2024 supply-chain analysis.