Celebrating the 20th Anniversary of Ponemon Institute’s Cost of Data Breach

Twenty years ago, companies were increasingly awakening to the very real threat that a cybercriminal had targeted, or could target, their sensitive and confidential data. It was clear that such an incident would not only jeopardize the privacy of their customers and business partners but could also mean significant financial harm.

When discussing a possible research project, our client asked whether there was any way we could calculate the cost of a data breach. The idea was that such a calculation would help IT and IT security practitioners prepare for the possible consequences of a data breach, and would also help convince the C-suite and board members to budget enough money for adequate investments in technology and staffing. On both counts, we have heard that the research has succeeded.

Over the years, the research has evolved based on what we have learned from organizations that have been breached. In a typical study, we interview IT, compliance and information security practitioners who are knowledgeable about their organization's data breach and the costs associated with resolving it.

We are often asked how we calculate the cost. To calculate the average cost of a data breach, we collect both the direct and indirect expenses incurred by the organization. Direct expenses include engaging forensic experts, outsourcing hotline support, and providing free credit monitoring subscriptions and discounts on future products and services. Indirect costs include in-house investigation and communication effort, as well as the extrapolated value of customers lost through turnover or diminished customer acquisition rates.

In this year's study, the global average cost of a data breach was $4.4 million. Sixteen percent of organizations reported breaches in which attackers used AI, most often for phishing or deepfake impersonation, signaling an escalating AI arms race. The U.S. average cost reached a record $10 million, driven by rising detection expenses and stricter regulatory penalties in that country. In fact, more than one-third of U.S. organizations paid breach fines that averaged more than $250,000.

We hope you will download our 2025 report and look forward to hearing from you.

