Data Breach Statistics 2026
The United States recorded 3,322 data compromises in 2025, a new all-time high, 79% above the five-year baseline, and the third consecutive year the count has cleared 3,000. Yet the number of individuals notified of a breach fell 79% from 2024. More breaches. Fewer victims per incident. That apparent contradiction is not good news: it reflects a shift toward precision targeting, where attackers trade broad credential harvesting for surgical strikes on high-value repositories. Meanwhile, US cybercrime losses crossed $20 billion for the first time, and the average American’s chance of receiving a breach notice last year was roughly 80%.
Here is what the numbers actually say, sourced directly from the primary reports that analysts, journalists, and regulators cite.
Key Data Breach Figures at a Glance (2025–2026 Data)
| Metric | Figure | Source |
|---|---|---|
| US data compromises in 2025 | 3,322 (all-time record) | ITRC 2025 Annual Data Breach Report, Jan 2026 |
| 5-year increase in US compromises | +79% | ITRC |
| Victim notices sent in 2025 | 278.8 million | ITRC |
| Global average breach cost | $4.44 million | IBM Cost of a Data Breach Report 2025 |
| US average breach cost | $10.22 million (record) | IBM |
| Healthcare average breach cost | $7.42 million | IBM |
| Average breach lifecycle | 241 days (181 to identify, 60 to contain) | IBM |
| US cybercrime losses in 2025 | $20.877 billion (+26% YoY) | FBI IC3 2025 Annual Report, April 6, 2026 |
| IC3 complaints in 2025 | 1,008,597 (first year >1 million) | FBI IC3 |
| Supply chain entities affected | 1,251 (nearly double 2024’s 660) | ITRC |
| Breaches involving a human element | 68% | Verizon 2025 DBIR |
| Savings from AI/automation in security | $1.9 million per breach | IBM |
| Breach notices disclosing root cause | 30% (down from ~100% in 2020) | ITRC |
The 2025 Breach Paradox: More Incidents, Fewer Victims
Why did breach counts hit a record while victim notices fell?
In 2025, US data compromises reached 3,322 while victim notices dropped to 278.8 million — a 79% decline from 2024’s 1.37 billion. The explanation is structural: 2024 was defined by mega-breaches. The Change Healthcare ransomware attack alone exposed records tied to an estimated 190 million individuals, disrupting roughly one-third of all US patient records and generating $14 billion in delayed insurance claims. No comparable single event occurred in 2025.
What replaced mega-breaches was volume. The ITRC 2025 Annual Data Breach Report, released January 29, 2026, frames the shift this way: attackers are moving from indiscriminate harvesting to precision targeting. A breach that steals 50,000 curated medical records with Social Security numbers and insurance details generates higher criminal market value than a breach exposing 50 million login credentials from a consumer platform. The numbers reflect that.
The five-year arc is unambiguous. In 2020, US data compromises numbered 1,862. In 2025: 3,322. That is a 79% increase over five years, according to ITRC data spanning 20 years of breach tracking.
Data Breach Costs by Industry (2025 Data, IBM)
Which industries pay the most when breached?
Healthcare has led breach cost rankings for 15 consecutive years, and 2025 was no exception.
| Industry | Average Breach Cost | Notes |
|---|---|---|
| Healthcare | $7.42 million | Highest for 15th consecutive year; down from $9.77M in 2024 due to absence of a Change Healthcare-scale event |
| Financial services | $5.56 million | 2nd highest; regulatory penalties from SEC/CFPB add substantially to base costs |
| Manufacturing | $5.00 million | Rising espionage-motivated attacks noted by Verizon 2025 DBIR |
| Technology | $4.97 million | Cloud environment complexity extends detection windows |
| Energy/utilities | $4.78 million | Critical infrastructure classification drives higher notification costs |
| Education | $3.80 million | High volume, lower individual costs; PowerSchool supply chain breach affected 71.9M |
| Government | $2.83 million | High attack volumes; lower regulatory penalties keep costs below sector average |
| Global average | $4.44 million | Down 9% from $4.88M in 2024 (IBM’s first recorded decline in five years) |
Source: IBM Cost of a Data Breach Report 2025.
The 2025 cost decline deserves a caveat. IBM measured a 9% drop in the average per-breach cost globally — the first decrease in five years. The primary driver was widespread adoption of AI and automation in security operations, which IBM quantifies as $1.9 million saved per breach for organizations that deploy these tools extensively. But the global per-breach average declining does not mean aggregate damage is shrinking. The ITRC tracked record breach volumes in the same period, and the FBI IC3 2025 Annual Report, released April 6, 2026, recorded $20.877 billion in US cybercrime losses — a 26% increase from 2024. More incidents at slightly lower average cost equals higher total economic damage.
The US-specific figure compounds this further. While the global average fell, the US average rose 9% to $10.22 million per breach — an all-time record, and 2.3 times the global average. The Chubb cyber insurance report released April 15, 2026 attributes the US premium to higher regulatory notification requirements, a more aggressive litigation environment, and the growing prevalence of mass arbitration claims that can cost companies millions in administrative fees before a case is ever heard.
Industry Breach Volume: Who Gets Targeted Most Often
Which sector experienced the most data compromises in 2025?
Financial services led all sectors by compromise count in 2025, a position it also held in 2024.
| Industry | 2025 Compromises | Change vs 2024 |
|---|---|---|
| Financial services | 739 | +6 (from 733) |
| Healthcare | 534 | — |
| Professional services | 478 | +39% YoY |
| Manufacturing | 299 | — |
| Education | 188 | — |
Source: ITRC 2025 Annual Data Breach Report.
Professional services deserves specific attention. The ITRC flagged it as the sector with the most aggressive growth in attack frequency — up 39% year over year and 162% over five years. The reason is strategic: law firms, accounting practices, managed service providers, and consultants hold access credentials and sensitive data for dozens or hundreds of client organizations. Breaching one mid-sized professional services firm can yield the equivalent intelligence of attacking dozens of individual companies. The ITRC’s James E. Lee described these firms as “stepping stones” — a characterization now appearing in regulatory guidance for vendor risk assessment.
For healthcare, volume figures understate actual exposure. The FBI IC3 report documented 460 ransomware attacks and 182 separate data breaches against the healthcare and public health sector in 2025 — more than any of the other 15 critical infrastructure sectors tracked.
How Breaches Actually Happen: Attack Vectors in 2025
What are the leading causes of data breaches today?
The Verizon 2025 Data Breach Investigations Report, which analyzed 22,052 security incidents and 12,195 confirmed breaches across 139 countries, places human involvement at the center of most incidents: 68% of breaches involve a human element — errors, social engineering, or credential misuse. The figure rises to 88% in some analyses when accounting for all human-enabled entry points.
Credential compromise remains the leading initial access vector. Attackers obtain valid usernames and passwords through phishing, credential stuffing against reused passwords, or direct purchase from criminal markets, then authenticate as legitimate users. No technical exploit required.
Phishing led FBI IC3 complaint volume in 2025 with 191,561 reports — more than any other category. The IC3 report introduced a dedicated AI section for the first time, documenting 22,364 complaints referencing AI-facilitated schemes, generating $893 million in attributed losses. The FBI notes this figure is a floor: most complainants do not identify that AI is involved in what targeted them.
Ransomware continues to evolve. The FBI identified 63 new ransomware variants in 2025. The top families by impact volume were Akira, Qilin, RansomHub, LockBit, and Medusa. A notable shift documented by the ITRC: traditional ransomware (encrypt and demand payment) is declining relative to pure data-theft extortion, where attackers steal data and threaten to publish it rather than locking systems. The FBI IC3 received 3,611 ransomware complaints in 2025, generating over $32 million in direct reported losses — a figure the FBI explicitly notes excludes business disruption, equipment replacement, and third-party remediation costs.
Business email compromise remains the most financially destructive enterprise-targeted crime by verified losses. In 2025, BEC accounted for $3.046 billion in FBI IC3 losses despite representing a smaller share of total complaints. The method: social engineering that impersonates executives or vendors to redirect payments or extract credentials.
Supply Chain Risk: The Fastest-Growing Attack Surface
How have third-party and supply chain breaches changed?
Supply chain breaches affected 1,251 entities in 2025 — nearly double the 660 entities affected in 2024 — despite only a marginal increase in the number of discrete supply chain attacks. Each attack reached substantially more downstream targets.
The ITRC 2025 report puts the cumulative picture clearly: supply chain and third-party incidents now account for approximately 30% of all breaches. That share has doubled since 2021.
The mechanism is straightforward. When a software vendor, cloud platform, or managed service provider is compromised, every organization that vendor serves becomes a potential victim without any direct attack. The PowerSchool breach, the largest single compromise in the ITRC’s 2025 dataset, illustrates the math: one educational software company was attacked, 71.9 million victim notices were sent, and over 100 school districts subsequently entered related litigation.
For organizations assessing third-party risk, the ITRC and the CISA supply chain risk management framework both note that remediation windows are compressing. Only 54% of vulnerable devices were fully remediated within a year of a known exploit being published. For edge devices targeted by nation-state actors, the median exploitation window relative to patch release was zero days — making preventive patching essentially impossible as a sole defense.
The Transparency Collapse
Are organizations disclosing breach causes honestly?
No — and the trend is moving sharply in the wrong direction.
In 2020, close to 100% of breach notifications provided consumers with the root cause of the incident, according to ITRC analysis. In 2025, that figure was 30%. The percentage of breach notices withholding attack vector details rose from 65% in 2024 to 70% in 2025.
“When organizations withhold the root cause of an attack to mitigate their own legal or reputational risk, they leave the American consumer and other businesses in the dark,” ITRC president James E. Lee said in the organization’s January 2026 release. The ITRC attributes the collapse partly to inconsistent state disclosure laws. A handful of states impose specific requirements on what must be included in notices, but most do not. Even states with strong requirements frequently do not enforce them.
The practical consequence: 80% of surveyed US consumers received at least one breach notice in 2025. Of those who did nothing after receiving the notice, 48.3% cited breach fatigue as the reason. The notices contain too little actionable information to motivate protective behavior, and consumers are receiving enough of them that warning signals are normalized.
What Actually Reduces Breach Costs
What security controls produce measurable cost savings?
IBM’s 2025 Cost of a Data Breach Report quantifies cost reduction by control type. These are the controls with verified cost impact, from largest to smallest:
| Control | Average Cost Savings Per Breach |
|---|---|
| AI and automation in security operations | $1.9 million |
| Incident response plan + testing | $2.66 million* |
| Zero trust architecture | $1.76 million |
| Law enforcement involvement in ransomware cases | $990,000 |
| Employee security training | Varies (significant for phishing vectors) |
*IBM reports IR plan savings relative to organizations without a plan; the $2.66M figure reflects the full lifecycle cost differential.
The AI/automation gap is the largest single-control differential IBM has documented. Organizations deploying AI and automation extensively average $3.62 million per breach; organizations without these tools average $5.52 million. That $1.9 million gap exceeds the savings from any other individual security control. IBM attributes the mechanism to detection speed: AI-equipped organizations identify breaches 51 days faster on average, catching attackers during lateral movement rather than after exfiltration.
Zero trust architecture also produces consistent savings, reducing the blast radius when credentials are compromised by limiting lateral movement within the environment. NIST’s Zero Trust Architecture publication (SP 800-207) provides the implementation framework most enterprise security teams reference.
The FBI IC3 Milestone: $20 Billion and One Million Complaints
What does the 2025 FBI cybercrime report show?
The FBI’s 2025 Internet Crime Report, published April 6, 2026, crossed two thresholds simultaneously that had not been reached in the program’s 25-year history.
Total reported losses hit $20.877 billion — a 26% increase from 2024’s $16.6 billion. Total complaints hit 1,008,597 — the first calendar year in which IC3 received more than one million reports. The complaints-per-day rate in 2025 averaged nearly 2,762, compared to roughly 23,300 per year in 2015.
The financial breakdown:
- Investment fraud (primarily cryptocurrency pig-butchering and fake trading platforms): $8.65 billion — 41% of all reported losses
- Business email compromise: $3.046 billion
- Tech/customer support fraud: $2.1 billion
- Personal data breaches: $1.3 billion
- Losses among victims aged 60+: $7.7 billion (+37% year over year)
The IC3 figure, substantial as it is, carries a built-in undercount. Research consistently places cybercrime reporting rates below 15% of actual incidents. The true aggregate of US cybercrime losses — unreported incidents included — is likely several times the $20.877 billion figure.
Per-Record Breach Costs: What Different Data Types Are Worth
How much does a breach cost per exposed record?
IBM’s 2025 data documents per-record costs by data category:
| Data type | Cost per record |
|---|---|
| Medical records | $10+ per record (highest category) |
| Financial data | $4–$8 per record |
| Intellectual property | Varies widely by industry |
| PII (name, SSN, address) | ~$160 average across all categories |
| Payment card credentials | $1–$2 per record on criminal markets |
The medical record premium reflects what the HIPAA Journal documents as durable exploitation value: unlike a payment card number — cancelled and reissued in minutes — a medical record contains immutable data including Social Security number, date of birth, insurance policy details, diagnoses, and medications. Medical records sell for $260–$310 each on criminal markets, roughly ten times the value of stolen credit card credentials that can be invalidated.
IBM’s $160 average across all record types translates to a useful back-of-envelope calculation: a breach exposing 50,000 records costs an organization approximately $8 million in direct and indirect costs at current averages.
Frequently Asked Questions
What is the average cost of a data breach in 2026?
The global average cost of a data breach is $4.44 million, based on IBM’s 2025 Cost of a Data Breach Report. In the United States specifically, the average is $10.22 million — an all-time record, and more than twice the global figure. The divergence is driven by higher US regulatory penalties, more aggressive litigation, and stricter notification requirements.
How many data breaches happened in the US in 2025?
The Identity Theft Resource Center tracked 3,322 data compromises in the United States in 2025 — an all-time record and a 79% increase over five years. The ITRC defines “compromise” to include confirmed breaches, unauthorized exposures, and accidental leaks, not only intentional attacks.
Which industry has the most expensive data breaches?
Healthcare, for the 15th consecutive year. IBM’s 2025 report puts the healthcare average at $7.42 million per breach. The figure reflects HIPAA notification costs, the high per-record value of medical data, and the complexity of legacy clinical systems that extend detection and containment timelines. Healthcare breaches take an average of 279 days to identify and contain — the longest of any sector.
What percentage of data breaches involve human error?
Verizon’s 2025 DBIR found that 68% of confirmed breaches involve a human element — including errors, social engineering, and credential misuse. Stanford University research places the overall figure at 88% when accounting for all human-enabled entry points, including misconfigured systems.
What caused the increase in cybercrime losses in 2025?
The FBI IC3’s 2025 Annual Report attributes the 26% rise in losses primarily to investment fraud (especially cryptocurrency pig-butchering scams: $8.65 billion) and AI-facilitated crimes. Business email compromise remained steady at $3 billion. For the first time, the IC3 report included a dedicated section on AI-enabled cybercrime, citing 22,364 complaints and $893 million in losses — a figure the FBI says is undercounted because most victims do not recognize AI involvement.
How has supply chain risk changed?
Supply chain breaches affected 1,251 entities in 2025, nearly double the 660 affected in 2024. Third-party incidents now account for roughly 30% of all breaches, a proportion that has doubled since 2021. The PowerSchool breach in late 2024/early 2025 — a single vendor compromise — generated 71.9 million victim notices and triggered litigation across more than 100 school districts.
Do organizations tell consumers what caused their breach?
Increasingly, no. The ITRC found that 70% of breach notices in 2025 withheld root cause information — up from 65% in 2024 and from near-100% disclosure in 2020. The ITRC attributes this to legal risk mitigation by breached organizations and inconsistent state notification laws. Of surveyed consumers who took no protective action after receiving a breach notice, 48.3% cited breach fatigue as the reason.
What security measures most reduce breach costs?
IBM identifies three controls with the largest measurable impact: a tested incident response plan (saves $2.66 million per breach), AI and automation in security operations (saves $1.9 million), and zero trust architecture (saves $1.76 million). Deploying all three produces savings that, in combination, exceed the global average breach cost.
Methodology and Sources
The statistics in this article are drawn from primary research reports. No secondary aggregators were used as sources. All figures carry their original publication date.
- ITRC 2025 Annual Data Breach Report — Identity Theft Resource Center, released January 29, 2026. Tracks publicly reported US data compromises (idtheftcenter.org)
- IBM Cost of a Data Breach Report 2025 — Ponemon Institute research commissioned by IBM, analyzing 600 breached organizations across 17 industries and 16 countries (ibm.com/reports/data-breach)
- Verizon 2025 Data Breach Investigations Report — Analyzes 22,052 security incidents and 12,195 confirmed breaches across 139 countries (verizon.com/business/resources/reports/dbir)
- FBI IC3 2025 Internet Crime Report — Released April 6, 2026, covering 1,008,597 complaints and $20.877 billion in reported US cybercrime losses (ic3.gov)
- Chubb 2026 Cyber Insurance Report — Released April 15, 2026, covering US breach cost trends and enterprise insurance claims (chubb.com)
Living document: This page is updated when new primary source data becomes available. Last reviewed: April 21, 2026.



