How to Assess Third-Party Risk: A Practical Framework
Third-Party Risk Risk Management
What Is Third-Party Data Risk? Third-party data risk is the chance that an external vendor will cause a security …
The latest data breach statistics from IBM, Verizon, and the FBI.
• The average breach costs $4.44 million globally, but $10.22 million in the US. Detection speed is the biggest cost variable. Breaches caught within 200 days cost $1.14 million less than slower responses
• Stolen credentials are the top initial access vector at 22% of breaches. They’re also the most expensive at $4.67 million per incident because attackers using valid passwords look like legitimate users
• Ransomware payments dropped 50% in 2025, but total attack costs rose to $5.08 million. Attackers are hitting more targets for less money each. 63% of victims now refuse to pay
• Account takeover fraud hit $17 billion in global losses. ATO volume grew 141% from 2021 to 2025. Credential monitoring catches exposed passwords before they’re used for account takeover
The global average cost of a data breach dropped to $4.44 million in 2025. But US companies now pay $10.22 million on average, a record high.
Stolen credentials remain the top way attackers get in. Ransomware payments are declining but total attack costs keep climbing.
Below, we’ve compiled the most important breach statistics across cost, attack vectors, and ransomware. We also cover account takeover and identity theft. Each stat includes its source.
Contents
What Do the Latest Breach Statistics Tell Us?
These numbers aren’t just data points. Each one represents a decision that security teams need to make.
Data breach is a security incident where sensitive or confidential data is accessed or exposed by unauthorized parties. This includes customer records, employee credentials, and financial data. The impact depends on what was taken and how fast you detect it.
Here are the five headline statistics from the latest reports:
$4.44 million – global average cost of a data breach (IBM 2025). Down 9% from $4.88 million the prior year, driven largely by faster detection through AI.
22% – percentage of breaches involving stolen credentials as the initial access vector (Verizon 2025 DBIR). It’s been the #1 vector for years.
241 days – average time to identify and contain a breach (IBM 2025). The lowest in nine years, but still eight months of undetected access.
$17 billion – global losses from account takeover fraud in 2025 (Sift). Up from $13 billion the prior year.
63% – percentage of ransomware victims who refused to pay in 2025 (IBM 2025). Refusal is now the majority response.
How Much Do Data Breaches Cost?
Cost is the stat most executives ask about. Here’s what IBM’s 2025 report found.
Global vs US costs:
- Global average: $4.44 million per breach (down from $4.88M)
- US average: $10.22 million (record high, up 9%)
- Middle East: second most expensive region
Cost by industry:
- Healthcare: $7.42 million (highest, though down from $9.77M the prior year)
- Financial services: second highest
- Technology: third
Cost by attack vector:
- Malicious insiders: $4.92 million (most expensive)
- Supply chain compromises: $4.91 million (and 267 days to resolve)
- Phishing: $4.80 million
- Stolen credentials: $4.67 million (and 246 days to detect)
What reduces cost:
- Security AI and automation: saves $1.9 million per breach, cuts lifecycle by 80 days
- Breaches contained under 200 days: $3.87 million vs $5.01 million for slower responses. That’s a $1.14 million gap based on speed alone.
The full breakdown is in our cost of a data breach guide.
How Do Most Data Breaches Happen?
The Verizon 2025 DBIR and IBM’s 2025 report break down how attackers get in.
Attack vector is the method an attacker uses to gain initial access to a target system. Common vectors include stolen credentials and phishing emails. The vector determines both the cost of the breach and how long it takes to detect.
Top initial access vectors (IBM 2025):
- Phishing: 16% of breaches (up from previous years)
- Stolen credentials: 22% of breaches (still the most common overall per Verizon)
- Supply chain: 15% of breaches
Why credentials dominate. Phishing often delivers infostealer malware that harvests saved passwords. Those passwords end up on dark web marketplaces within hours. Attackers buy them and log in. No exploit needed, no malware to detect. That’s why credential breaches take 246 days to find.
The human factor. The Verizon 2025 DBIR found that human error is involved in the majority of breaches. Password reuse and phishing clicks are the two biggest contributors.
What Are the Latest Ransomware Statistics?
Ransomware is evolving. Payments are dropping but the total damage keeps growing.
Payment trends (2025):
- Average ransom payment: $1 million (down 50% from $2 million in 2024)
- Median ransom demand: $1.3 million (down 34% year over year)
- 63% of victims refused to pay (IBM 2025)
Payments are declining because more companies have better backups and more are refusing on principle. But attackers are compensating by hitting more targets.
Total attack costs:
- Average ransomware incident cost: $5.08 million when disclosed by the attacker (IBM 2025)
- Average recovery cost (excluding ransom): $1.53 million (down 44% from prior year)
- Global ransomware damage projected at $57 billion annually in 2025
Detection and response:
- Supply chain ransomware attacks take 267 days to resolve (IBM 2025)
- Companies with automated response workflows contain ransomware 16% faster (IBM 2025)
For monthly ransomware trends, see our ransomware reports.
How Common Is Account Takeover Fraud?
Account takeover is one of the fastest-growing threats because it starts with stolen credentials – the same data that causes the most expensive breaches.
Scale of the problem:
- Global ATO losses: $17 billion in 2025 (Sift)
- ATO volume grew 141% from H1 2021 to H1 2025 (Sift)
- 83% of companies experienced at least one ATO incident in 2025
- ATO is now the #1 fraud type for US businesses, responsible for 31% of all fraud losses (TransUnion)
Why it’s growing. Infostealers harvest saved browser passwords and sell them on dark web markets. Attackers buy those credentials and use credential stuffing to test them across hundreds of services. One stolen password can unlock multiple accounts because people reuse them.
What stops it. MFA blocks most ATO attacks even when passwords are stolen. Credential monitoring catches exposed passwords before attackers use them for account takeover. The combination covers both the prevention and detection sides.
Which Industries Are Hit Hardest?
Not all industries pay the same price for a breach.
Cost by industry (IBM 2025):
- Healthcare: $7.42 million – still the most expensive, driven by HIPAA regulations and the sensitivity of patient data
- Financial services: consistently in the top three due to regulatory penalties and the value of financial records
- Technology: high costs due to the value of IP and customer data
Healthcare’s unique challenge. Healthcare breaches take an average of 279 days to detect and contain (IBM 2025). That’s 38 days longer than the cross-industry average. Patient care systems can’t easily be taken offline for investigation, which extends the breach lifecycle. The largest healthcare data breaches show how that detection gap plays out in practice.
Why it matters for you. Your industry determines your regulatory notification requirements and your insurance premiums. Healthcare and financial companies need stronger controls because they pay more when things go wrong.
What Are the Latest Identity Theft Statistics?
Identity theft feeds on the same stolen data that causes breaches. When credentials and personal information leak, fraud follows.
FTC and FBI data (2025):
- 5.7 million fraud reports filed with the FTC, including 1.4 million identity theft cases
- Cybercrime losses: estimated $10.2 billion (FBI), nearly double the prior year
- 503,450 credit card fraud cases reported to the FTC in the first three quarters of 2025 alone
- Identity theft filings in 2025 already exceeded all of 2024 before Q4
The credential connection. Most identity theft starts with stolen personal information from data breaches. Names and SSNs from breaches end up in fraud schemes. Data breach consequences extend far beyond the company that was breached – they reach every individual whose data was exposed.
These numbers keep climbing because the supply of stolen credentials keeps growing. Monitoring for your organization’s exposed data is the most direct way to break the chain between breach and fraud. Book a demo to see how Breachsense monitors the dark web for your leaked credentials.
Data Breach Statistics FAQ
The global average is $4.44 million according to IBM’s 2025 report. In the US, it’s $10.22 million. Healthcare is the most expensive industry at $7.42 million per breach. See our full breakdown of data breach costs.
Stolen credentials are the top initial access vector, involved in 22% of breaches according to the Verizon 2025 DBIR. Phishing is second at 16%. Both are rooted in human error – people reusing passwords or clicking malicious links.
The average is 241 days from compromise to containment, according to IBM’s 2025 report. Credential-based breaches take even longer at 246 days because attackers using valid logins don’t trigger security alerts. Dark web monitoring cuts detection time from months to hours.
Payments dropped 50% in 2025. The average ransom payment fell to about $1 million, down from $2 million in 2024. But total ransomware attack costs rose to $5.08 million per incident because recovery and legal costs keep climbing even when victims refuse to pay.
ATO fraud volume grew 141% from 2021 to 2025, according to Sift’s Digital Trust Index. Global losses reached $17 billion in 2025. It’s now the most damaging fraud type for US businesses, responsible for 31% of all reported fraud losses.
Healthcare, at $7.42 million per breach according to IBM’s 2025 report. Financial services is second. Healthcare costs more because of strict HIPAA regulations and the sensitivity of medical records.
