Full Report
The global average cost of a data breach fell to $4.4 million from $4.88 million in 2024, a 9% decrease that now matches numbers seen in 2023.
Analysis Summary
This article describes general trends and statistical findings based on IBM's 20th annual data breach research, spanning incidents detected between March 2024 and February 2025. It does not detail a *single, specific, actionable security incident* with defined dates, compromised systems, or direct response actions. Therefore, the timeline and specific attack vector fields will reflect the scope of the *reported data* rather than the analysis of one event.
# Incident Report: Global Data Breach Cost Trends (2024-2025)
## Executive Summary
Global average data breach costs declined by 9% to $4.4 million, driven by faster detection and containment using automation. However, costs in the U.S. rose sharply to over $10 million due to stringent regulatory penalties. The healthcare sector remains the most expensive industry for breaches, maintaining the highest costs for the 14th consecutive year.
## Incident Details
- Discovery Date: Between March 2024 and February 2025 (Average detection trend)
- Incident Date: Between March 2024 and February 2025 (Study period)
- Affected Organization: Approximately 600 monitored organizations
- Sector: Various (Healthcare identified as costliest sector)
- Geography: Global (16 different countries and regions studied, with heavy focus on the U.S.)
## Timeline of Events
*Note: As this is a statistical summary, the "timeline" represents the period of study and observed trends.*
### Initial Access
- Date/Time: Varied across organizations during the study period.
- Vector: Malicious insider incidents ($5M average cost) and third-party/supply chain compromises (longest detection time—267 days).
- Details: Attack vectors leading to data compromise across the sampled organizations.
### Lateral Movement
- Details: Not specifically detailed, but supply chain attacks imply long-tail movement: they took 267 days to resolve on average because they exploit the inherent trust between vendors and customers.
### Data Exfiltration/Impact
- Scale: Ranged from approximately 3,000 to over 113,000 stolen files.
- Financial Impact: Average global cost of $4.4 million; U.S. average exceeding $10 million.
### Detection & Response
- Detection Time: Global average improving due to automation, but Healthcare averaged 279 days (five weeks longer than the general average).
- Response Actions: Organizations increasingly refusing to pay ransoms (63% of surveyed ransomware incidents).
## Attack Methodology
*Note: Methodology reflects common vectors observed across the studied breaches.*
- Initial Access: Malicious insiders, supply chain exploitation, and other unspecified vectors.
- Persistence: In ransomware incidents, failure to pay ransom implies attackers sought persistent access until payment was made or systems were rebuilt.
- Privilege Escalation: Not detailed.
- Defense Evasion: Implied improvements in detection speed suggest better organizational evasion techniques, though specific TTPs are not listed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Supply chain risk suggests lateral movement exploiting established vendor/customer trust.
- Collection: Data volumes ranged widely, but collection occurred prior to exfiltration.
- Exfiltration: Data theft led to the costs categorized under notification and post-attack response.
- Impact: Regulatory fines were a significant cost component, with one-third of organizations paying fines.
## Impact Assessment
- Financial: Global average $4.4M; U.S. average $10M+. Healthcare average $7.42M. Detection costs fell to $1.5M on average.
- Data Breach: Scale varied from 3,000 to 113,000+ files stolen.
- Operational: Not explicitly detailed, but reflected in "lost business" cost category, which decreased globally.
- Reputational: Implied negative impact, reflected in the "lost business" cost category.
## Indicators of Compromise
*Note: No specific IoCs were published in this statistical release.*
- Network indicators: [Not applicable based on text]
- File indicators: [Not applicable based on text]
- Behavioral indicators: General behavioral trend of organizations refusing ransomware payments (63%).
## Response Actions
- Containment: Globally, organizations are faster at containment, aided by automated tools.
- Eradication: Ransomware payment refusal (63%) represents a specific eradication/negotiation stance.
- Recovery actions: Cost category decreased globally due to improved response structure.
## Lessons Learned
- Automation significantly aids rapid detection and containment, reducing associated costs.
- Regulatory environments, particularly in the U.S., are driving up the financial burden of breaches via steeper penalties.
- Supply chain attacks are the most difficult to resolve and detect (267 days average resolution).
- Involving law enforcement demonstrably lowered the average cost of a breach, yet fewer organizations are currently involving them in ransomware scenarios.
## Recommendations
- Invest heavily in monitoring and rapid containment solutions, particularly leveraging automation, to reduce detection costs.
- Prioritize robust security vetting of third-party vendors and actively manage supply chain risk to mitigate long detection windows.
- Ensure clear protocols are in place for engaging law enforcement during ransomware incidents to minimize overall breach cost.