New IBM Report Highlights the Pressing Need for Stronger AI Governance

AUTHOR: Shane Carley

In late July, IBM and the Ponemon Institute released their annual Cost of a Data Breach Report for 2025, analyzing data from more than 6,400 breaches over the past year. Along with the Verizon Data Breach Investigations Report, the Cost of a Data Breach Report is one of the most commonly cited industry studies each year, and provides important context about the current state of the threat landscape. This year’s report is no different, but it does shine a light on an emerging—and concerning—issue: the lack of meaningful AI governance. While organizations are adopting AI-based solutions at an increasing rate, relatively few are managing or securing those solutions effectively—and cybercriminals have noticed.

That isn’t just important information for security clients, but for businesses in every industry—including our own. At a time when every business wants to talk about AI, marketing and public relations professionals need to help their clients stand out. Staying on top of new research is essential, and high-quality studies like the Cost of a Data Breach Report can provide clients with valuable information and allow them to offer a more informed perspective. Since that’s often the best way to get a reporter’s attention, let’s dig a bit deeper into some of the key takeaways from this year’s report.

The Cost of a Breach Is Falling…Except in the U.S.

Let’s start with the good news: globally, the average cost of a data breach has declined from $4.88 million in 2024 to $4.44 million in 2025. That’s the first time breach costs have declined since they fell from $3.92 million in 2019 to $3.86 million in 2020, and IBM cites faster breach identification and containment, driven by increased adoption of automated security practices, as a key factor behind the development.

Unfortunately, the numbers tell a slightly different story in the United States, where average breach costs have skyrocketed to $10.22 million—an all-time high for any region. In fact, IBM notes that the global average would have been even lower without U.S.-based breaches dragging the number upwards. The report cites higher detection and escalation costs as key drivers behind the continued rise, as well as increased regulatory fines.

The report’s industry-specific breakdown also tells an interesting tale. Healthcare has long dominated the breach landscape, and while healthcare breaches remain the most costly, the average cost has fallen from $9.77 million last year to just $7.42 million. That’s still a lot, but it marks a precipitous year-over-year drop. After healthcare, finance ($5.56 million), industrial ($5.00 million), energy ($4.83 million), technology ($4.79 million), and pharma ($4.61 million) are the next costliest industries—but interestingly, they each saw a slight decline as well.

Overall, it’s an encouraging trend. Only a small handful of industries saw their average breach costs rise, and even those increases were relatively modest. Still, it’s important to consider those trends in a global context—while the report does not break down industry costs by region, it’s safe to assume that costs within the U.S. are higher than the global average.

Attackers Find Success Targeting AI

The most interesting element of this year’s report was IBM’s focus on AI-related threats—specifically, the worrying lack of AI governance. The report states that 13% of organizations reported a breach involving their AI models or applications, meaning that either they or their provider failed to implement effective security controls. Of those that suffered a breach, 97% lacked proper AI access controls, and compromised apps, APIs, and plug-ins were among the most common breach drivers.

That’s a real problem, and it indicates that while organizations are increasingly adopting AI-based solutions, relatively few understand how to effectively secure them. This is backed up by the report, which found that nearly two-thirds of breached organizations indicated that they either do not have an AI governance policy or their policy is still being developed. Additionally, 61% say they do not have AI governance technologies in place, and a majority do not have internal approval processes for AI. Just 34% say they perform regular checks for unsanctioned AI use within the organization.

This paints a worrying picture of the state of AI security and underscores the pressing need for organizations to implement more effective AI governance. Cybercriminals are always looking for low-hanging fruit, and poorly secured AI applications represent a potential gold mine for savvy attackers. If organizations fail to govern which AI applications employees can use, what data can be shared with them, or how and where they can be accessed, attackers will continue to find success targeting them.

It’s also worth noting that attackers themselves are leveraging AI in greater numbers. While IBM’s findings state that attackers are using AI in just 16% of breaches, that number is likely to grow as advanced AI tools continue to be widely (and freely) accessible. AI-generated phishing scams and deepfake impersonations are the two most common tactics used by attackers, and IBM notes that generative AI is allowing attackers to craft convincing phishing emails in minutes rather than hours. It’s a problem that is only likely to get worse—and organizations need to be prepared.

Organizations Need to Protect Customer Data, Prioritize Resilience

A few other data points stand out from the report. First, 63% of ransomware victims are now refusing to pay ransom demands, up from 59% last year. This may be a sign that organizations are more confident in their own resilience, although the average cost of a ransomware or extortion incident remains higher than average for all breaches ($5.08 million). One catch is that just 40% of ransomware victims say they reported the incident to law enforcement, down from 53% in 2024. That could be something to keep an eye on moving forward.

It’s also worth flagging that attackers are targeting customers’ personal information in greater numbers than ever. Customer PII was involved in 53% of breaches, up from 46% last year. It is now far and away the most common target, with intellectual property dropping precipitously. Last year, IP was targeted in 43% of breaches—this year, it’s down to just 33%. This highlights attackers’ shifting priorities, and the fact that they can monetize customer PII more easily than ever. That said, organizations should still protect their IP—even in a down year, stolen IP has a higher overall cost impact than stolen customer data.

Finally, breach recovery still has significant room for improvement. Of those included in the report, 65% of organizations said they have still not fully recovered from a prior data breach. That’s actually a notable improvement from last year, when the number was 88%, but it’s clear that breach recovery efforts still have a long way to go. 76% of organizations said recovery time took more than 100 days, underscoring the need for greater cyber resilience.

Moving Forward with Security in Mind

The annual Cost of a Data Breach report provides important context about the threats today’s organizations face, helping them better understand where to prioritize their security efforts. This year’s report included some promising data points—particularly around declining breach costs—but also raised worrying red flags around the state of AI security. Organizations cannot afford to ignore AI governance any longer, and establishing internal usage guidelines and external vetting processes should be a high priority for those that want to avoid making themselves an easy target in the future.