Data breaches aren’t new. In fact, the earliest “hack” dates back nearly two centuries, when the Blanc brothers exploited France’s Chappe telegraph to gain an advantage in bond trading. Fast-forward to today, and the stakes are much higher. Modern breaches aren’t clever tricks with wires and codes they’re global, relentless, and costly attacks that put organizations of every size at risk.
From small retail shops to multinational enterprises, no business is immune. Cybercriminals exploit stolen credentials, system vulnerabilities, and even unsuspecting employees to slip past defenses. Once inside, they linger often for months before being detected, silently siphoning off sensitive data. The result? Financial fallout, regulatory fines, reputational damage, and in many cases, lost customer trust.
But here’s the good news: organizations can fight back. By understanding how breaches happen and what the latest data tells us about their impact, IT leaders and security professionals can chart a smarter path forward. The data breach statistics that follow reveal just how alarming the landscape has become and why strong access controls, rapid detection, and Zero Trust principles are more important than ever.
Most Alarming Data Breach Statistics
What happens when a cybercriminal breaches an organization's systems? The short answer: nothing good. Breaches hurt organizations, employees, and customers. Damage compounds when breaches remain undetected for long periods.
1. In 2018, cybercriminals breached ∼4,818 websites every month using formjacking code.
That's according to a Symantec report on internet threats. In this scam, hackers insert malicious code in the backend of retail websites to collect credit card data from unsuspecting customers. They then sell the card details on the dark web for up to $45 each. Any retail store can fall prey to the threat, from small and mid-sized businesses to major corporations. [2]
2. In 2025, the mean time to identify (MTTI) was 181 days, and the mean time to contain (MTTC) was 60 days — 241 days end-to-end.
How long do hackers typically retain access once they have infiltrated a system? Nearly six months, according to the 2025 IBM Cost of a Data Breach Report. During that time, they may peruse through sensitive information at their leisure and steal critical data. On the plus side, companies are identifying breaches 23 days faster than just a few years ago. [3]
3. In 2025, 22% of breaches involved stolen credentials overall; in basic web app attacks, 88% used stolen creds.
A 2025 Verizon report determined that the vast majority of data breaches originate from stolen passwords. Criminals may obtain a user's password through other successful data breaches or employ tactics such as credential stuffing to compromise accounts. [4]
4. The average cost of a data breach is $4.44 million.
Companies breached by hackers face an expensive cleanup, which can involve investigation, containment, and damage control to their reputation. Some organizations may face regulatory penalties or lawsuits brought by affected individuals. Those costs can run into the millions of dollars. [3]
5. In 2025, the per-record cost of a breach ranged from $115 to $178.
Anonymized customer data was the least financially destructive, with companies paying an average of $115 per record on cleanup efforts. Breaches involving company intellectual property were the most expensive to contain, at $178 per record. The majority of breaches target employee and customer personally identifiable information (PII), which costs between $160 and $168 to contain per record in 2025. [5]
6. There were 3,158 data compromises in the U.S. in 2024.
The number fell just shy of 2023's record of 3,202 compromises. However, there was a 211% year-over-year increase in the number of victim notices. That's due to six mega-breaches that affected millions of people. [6]
7. BlackBerry reported nearly 2 million attacks in Q3 2024 across its telemetry.
Data show that the U.S. is the most common target of cyberattacks, far surpassing any other country in the world. In most instances, hackers used commodity malware against their targets. However, attacks aimed against specific industries or high-value targets were more sophisticated and unique. [7]
8. Many companies fail to safeguard their data, with 66% exposing data to anonymous users through the cloud.
An analysis by Varonis highlights how many organizations lack protections over sensitive data, especially in the cloud. Additionally, 98% of companies have unverified AI apps in their systems. This puts organizations at risk of AI-related data exposure and breaches. [8]
9. An analysis of web applications found that 33% contained vulnerabilities
The 2025 Edgescan study examined full-stack applications and found that one-third contained critical or severe vulnerabilities, putting them at risk. Over 45% of large enterprises leave unresolved vulnerabilities for more than a year. [9]
10. In 2024, organizations issued ∼1.73 billion victim notices.
The largest single incident was the National Public Data breach, alleged at ~2.9B records. Other significant breaches took place against UnitedHealth Group, Ticketmaster Entertainment, and AT&T. [10, 6]
By the Numbers: The True Cost of a Data Breach
Organizations targeted in a data breach may encounter heavy financial penalties that reach into the millions of dollars.
11. Globally, businesses paid $4.44 million per data breach in 2025.
That's down 9% from last year, when the cost of a data breach reached $4.88 million to resolve. IBM attributes the slight decline to improved identification and containment of breach incidents. Businesses that combine in-house cybersecurity teams with automated detection systems are better equipped to identify and respond to threats when they occur. [3]
12. The average cost of a data breach in the U.S. reached $10.22 million in 2025, an all-time high.
Data breach costs soared by 9% in the U.S. during 2025, likely driven by an expensive regulatory environment. Federal and state governments hold businesses accountable for inadequate protection following a breach, which can result in stiff fines. Containment costs are also high, and some organizations may spend millions to locate and remove the source of a breach. [3]
13. Over 53% of data breaches targeted customer PII, at an average cost of $160 per record.
Customer PII includes sensitive information, such as Social Security numbers, home addresses, phone numbers, and similar data, which can be used for identity theft or credit card fraud. Attacks involving customer PII jumped 7% over the past year. However, the cost per record dropped from $179 to $160. [3]
14. A single data breach averages $1.38 million of lost business in 2025.
That figure includes costs associated with system downtime, reputational damage, and lost clients. It dropped 6% from 2024 numbers and is down from a five-year high of $1.59 million in 2021. Businesses spent the most on breach detection and escalation, which averaged $1.47 million in 2025. [3]
15. 48% of businesses fined by government agencies after a data breach pay more than $100,000 in regulatory fees.
Over one-third of organizations incur regulatory fines following a data breach. Fines are likely when a breach involves sensitive information and organizations fail to follow standard data protection protocols. Just 8% of fined organizations paid less than $25,000. [11]
Causes of Data Breaches: What's Going Wrong?
How do criminals get into an organization's systems to begin with? Human error, system vulnerabilities, and stolen credentials are commonly used by bad actors to gain access.
16. The human element factored into ∼68% of breaches.
In the majority of data breaches, inadvertent actions by employees or individuals help facilitate attacks. Some examples include using weak passwords that are easily compromised or using the same password across different accounts. Phishing and pretexting messages designed to steal credentials are also a prime source for hackers. [4]
17. 88% of web application attacks use stolen credentials to compromise data.
A Verizon study found that most hackers rely on stolen credentials to break into web applications. Sometimes, criminals stop there and use the credentials to peruse information in a one-time incident. Other attacks use the stolen credentials as a springboard to create backdoors or commands that enable long-term system access. [4]
18. Around 20% of data breaches stem from the exploitation of system vulnerabilities.
Criminals looking for a way to exploit systems and steal data take advantage of vulnerabilities to get their foot in the door. Mistakes such as failing to apply security updates and misconfiguring firewalls can facilitate these types of breaches. [4]
19. Roughly 30% of all data breaches involve third-party vendors.
That's double the amount from 2024, where 15% of data breaches arose from third parties. Hackers seek out third parties that lack adequate security controls and exploit them to gain access to connected systems. Even if an organization isn't a direct target of the breach, it can be affected by involvement with a compromised third party. [4]
20. Ransomware featured in ∼14% of DBIR-analyzed breaches (stable YoY).
Hackers disproportionately attack small businesses, with 88% of breaches against them involving ransomware. However, as more companies refuse to comply with ransomware demands, the average payment to ransomware groups has dropped from $150,000 to $115,000 this year. [4]
Detection & Response Times
Many companies fail to recognize a breach when it occurs. Cybercriminals may have access to sensitive data for an extended period before the organization takes action.
21. In 2025, organizations took an average of 241 days to detect and contain a data breach.
That's slightly lower than last year, when data breaches averaged 258 days to resolve. IBM notes this is a downward trend that has greatly benefited from automated threat detection systems. However, that's still a very long time to have bad actors poking around a company's sensitive data. [3]
22. The mean time to identify a data breach was 181 days in 2025.
It can be months before security teams realize that someone has gained unauthorized access to company data. During that time, hackers can disable systems, steal highly sensitive information, and create backdoors or commands that facilitate continued access. [3]
23. Breaches involving multiple environments take an average of 276 days to resolve.
Organizations that rely on a combination of environments, including on-premises tools and public or private cloud, go undetected for an average of 207 days. Breaches that solely involve on-premises data have the quickest resolution time, taking an average of 217 days to detect and fix. [3]
24. Every second counts: an average of $1.14 million saved by organizations that resolve breaches in less than 200 days.
Companies that managed to detect and fix breaches in this timeframe paid an average of $3.87 million. That's dramatically less than the average $5.01 million paid by organizations that required more than 200 days to resolve. [3]
Industry Breakdown: Who's Getting Hit Hardest?
It's no surprise that industries known for housing vast amounts of sensitive data, such as healthcare and financial services, see high rates of data breaches. However, any organization can be a potential target.
25. Healthcare remains the most expensive industry—> $7.42 million average breach cost in 2025.
That's according to IBM, which also noted that healthcare breaches take an average of 279 days to resolve — the highest of all industries. Healthcare data is prized by attackers who use it for identity theft, financial crimes, and insurance fraud. [12]
26. In the U.S., financial services were the hardest-hit sector in 2024.
There were 737 reports of data compromises in the financial industry, with commercial banks and insurance companies leading the pack. The second-largest breach of the year, involving Change Healthcare, resulted in 190 million victim notices, according to the Identity Theft Resource Center. [6]
27. 97% of the top 100 U.S. retailers experienced a third-party data breach in 2024.
Every one of the top 20 retailers within the U.S. suffered a third-party breach, with the vast majority also experiencing a fourth-party breach. Only 12% were victims of direct data breaches. [13]
28. Federal government entities experienced 15,799 security incidents over the past five years.
A Verizon report examined known instances of security incidents and breaches across global federal agencies. It found that 848 incidents resulted in confirmed data loss. Top methods that hackers used to access data included system intrusion and lost and stolen assets. [14]
29. Among surveyed U.K. education institutions, 91% experienced a breach/attack in the past 12 months, with phishing listed as the most common vector.
Of the 32 higher education institutions that participated in the study, 91% experienced a breach or attack over the past 12 months. Hackers frequently use deceptive messages and texts to trick users into revealing sensitive information that can be used to access systems. [15]
Geographic View: Where Are Breaches Happening?
Data breaches occur everywhere, from North America to Australia and the Middle East. However, the U.S. remains a primary target for hackers.
30. U.S. companies identified 1,732 data breaches in the first half of 2025.
Some of the largest breaches involved an educational information system provider, a telecommunications company, and several healthcare systems. Companies mailed over 165 million victim notices to people affected by the incidents. [16]
31. The U.S. remains the top target for cybercriminals.
Between 2004 and 2024, hackers accessed over 17 billion data points from U.S. target organizations. Russia is the second most frequent target, with 4.5 billion leaked data points, and China is the third, with 2.1 billion leaked data points. [17]
32. European Union member countries noted 11,079 cyberattack events between July 2023 and June 2024.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks comprised nearly half of all incidents, followed by ransomware, which accounted for 27%. Hackers targeted public administration organizations in 19% of the attacks. Other frequently targeted sectors included transportation, banking, and business services. [18]
Passwords & Credential Theft Stats
Hackers take advantage of ineffective passwords to force their way into systems. Deploying a multi-factor authentication (MFA) system can protect organizations from credential theft.
33. A study of 19 billion exposed passwords revealed that 94% are reused across platforms.
Cybernews analyzed password data obtained in recent breaches between 2024 and 2025 and found that only 6% are completely unique. Even more disturbing, people continue to use very weak credentials such as "123456" and "password." [19]
34. Microsoft tracked over 7,000 password attacks every second in 2024.
That equates to approximately 604.8 million password attacks daily. One common method hackers use to get password data is brute force, which involves trying multiple passwords with a username until they find the right one. Others obtain user passwords through exposed data on the dark web. [20]
35. A survey of global small and mid-sized businesses found that only 35% implement MFA.
The U.S. is way ahead of the world, with 89% of surveyed businesses adopting MFA. Of those companies not using MFA, respondents noted that it was a low priority for their businesses. Others had funding concerns or lacked personnel to implement the tool. [21]
File Access & Internal Exposure
Many companies lack electronic file protocols and policies to protect vulnerable data. Lack of guidance, especially in the age of AI, is a major risk factor.
36. 99% of organizations have exposed data that's readily accessible by AI.
That's according to Varonis, which examined 10 billion files in its research. It noted that many organizations lacked control over AI use in the enterprise environment. Nearly every company in its study had unverified AI apps installed on company devices. [8]
37. Only one of every 10 companies used a labeled filing system.
Unlabeled files make it nearly impossible to track sensitive data. It's easy to forget what's inside the file, and the problem worsens with employee turnover. System administrators may unknowingly grant new employees access to files they don't need. [8]
38. Eighty-eight percent of organizations have stale users in their environment who still have access to data.
Ghost users, who are individuals no longer employed by a company, are often kept active by their former employers. Hackers may exploit outdated credentials to gain unauthorized access to system data through ghost user accounts. [8]
39. Only 37% of organizations have an AI governance policy.
IBM research shows that companies are taking a haphazard approach to AI, with few actively managing its use in the workplace. Of the companies that do have an AI policy, just 45% have a strict approval process for its use, and only 36% provide employee training on AI risks. [3]
Year-over-Year Trends (2010-2025)
The widespread adoption of the internet brought a lot of positives, but it also introduced new opportunities for criminals. As data breaches escalate, it's up to organizations to keep systems safe.
40. Data breaches quadrupled between 2010 and 2024.
In 2010, the Identity Theft Resource Center noted 662 data breaches. [22] That number jumped to 1,473 in 2019 and 2,850 in 2024. [23, 6]
41. If 2025 trends continue, the total number of data breaches may reach 3,500 for the year.
Data from the first half of 2025 confirms 1,732 data breaches in the U.S. through June 2025. Assuming that breach activity remains at that level, we can anticipate approximately 3,500 data compromises for the whole year. [16]
Key Takeaways
- A data breach exposes organizations to financial and reputational consequences that threaten their very survival.
- Cybercriminals work fast, and they're always on the lookout for new vulnerabilities. Organizations can stay ahead by implementing a robust detection strategy.
- Simple fixes, such as improved access control and password hygiene, are low-hanging fruit organizations can start with today.
How StrongDM Helps
Too many organizations still underestimate the reality of data breaches. They assume attackers only target the big players, while in reality, cybercriminals go after any business with weak defenses. The truth is, hackers count on companies being unprepared whether it’s poor password hygiene, unpatched vulnerabilities, or third-party risks.
But forward-thinking businesses are waking up. They recognize that prevention is not only possible but essential to survival. With the right mix of access controls, monitoring, and Zero Trust principles, organizations can drastically reduce their exposure and respond faster when incidents occur. Strong, effective security isn’t reserved for the Fortune 500; it’s achievable for businesses of all sizes.
If you want to learn more about how to protect your business effectively, we recommend reading the following guides: Identity and Access Management (IAM), Privileged Access Management (PAM), Role-Based Access Control (RBAC), Zero Trust Architecture, and Secure Access Service Edge (SASE).
If you want to see how we can help you secure your business, sign up for a free product demo.
References
1. 1834: The First Cyberattack - Schneier on Security
2. 2019 Internet Security Threat Report
3. Cost of a Data Breach Report 2025
4. 2025-dbir-data-breach-investigations-report.pdf
5. Cost of a Data Breach Report 2025, Figure 6.
6. ITRC 2024 Annual Data Breach Report - ITRC
7. BlackBerry Quarterly Global Threat Report — January 2025
8. Data Security Report Reveals 99% of Orgs Have Sensitive Information Exposed to AI
9. Vulnerability Statistics Report in 2024 by Edgescan
10. Top 11 Data Breaches of 2024 by Risk Exposure Score
11. Cost of a Data Breach Report 2025, Figure 17
12. Cost of a Data Breach Report 2025, Figure 3
13. SecurityScorecard Threat Intel Report
14. 2025-dbir-data-breach-investigations-report.pdf, page 91
15. Cyber security breaches survey 2025: education institutions findings - GOV.UK
16. ITRC Sees Rise of 2024 Data Breach Trends in First Half of 2025
17. Top countries by number of leaked data points 2024| Statista
18. ENISA THREAT LANDSCAPE 2024
19. 19 billion passwords leaked, 94% reused or weak, study reveals | Cybernews
20. Microsoft Digital Defense Report 2024
21. 2024 Global Multifactor Authentication (MFA) Survey Insights - Cyber Readiness Institute
22. Overview2005to2016Finalv2.pdf
23. Identity Theft Resource Center®’s 2020 Annual Data Breach Report Reveals 19 Percent Decrease in Breaches - ITRC
