Data Breach Statistics 2026
Last updated: June 11, 2026 | Next scheduled update: Q3 2026 (September) | Authors: Axis Intelligence Research + Marcus Chen
The U.S. recorded 3,322 data compromises in 2025 — a new all-time high and a 79% increase over five years — while the global average cost of a data breach fell for the first time in five years to $4.44 million, per IBM’s 2025 Cost of a Data Breach Report. But that global improvement masks a stark divergence: American organizations hit a record $10.22 million per breach, and healthcare absorbed 772 large breaches exposing the protected health information of 139.7 million people. In 2026, vulnerability exploitation has overtaken stolen credentials as the #1 breach entry point, and 70% of breach notices now fail to disclose how the attack occurred.
Key Findings
- 3,322 U.S. data compromises were recorded in 2025, a new all-time record and a 79% jump over five years, per the Identity Theft Resource Center’s 20th Annual Data Breach Report. Yet victim notices fell 79% to 278.8 million — the lowest since 2014 — as attacks shifted from mass-scale breaches to targeted, high-value intrusions.
- The global average cost of a data breach fell 9% to $4.44 million in 2025 — the first decline in five years — driven by faster AI-assisted detection. U.S. organizations simultaneously hit a record $10.22 million average, producing a structural divergence that no source quantifies as a composite ratio. Axis Intelligence calculates this gap as the Breach Cost National Divergence Ratio (BCNDR): 2.30 — meaning U.S. breach costs are 130% above the global baseline.
- Healthcare suffered 772 large data breaches in 2025 — a new annual record — per HHS Office for Civil Rights data, exposing 139.7 million individuals. That figure represents 379,306 patients’ data breached every single day of the year. Healthcare has led all sectors in breach costs for 15 consecutive years.
- Vulnerability exploitation became the #1 breach entry point for the first time in 19 years, reaching 31% of all breach initial access vectors in the Verizon 2026 DBIR, up from 20% in 2025 — driven by AI-accelerated CVE exploitation that shrinks time-to-exploit from months to hours.
- 70% of breach notices in 2025 contained no information on how the attack occurred, per ITRC data — up from 65% in 2024 and a near-total collapse from 2020, when close to 100% of organizations disclosed their attack vectors. Victims are notified, but left unable to protect themselves.
The Axis Breach Cost National Divergence Ratio (BCNDR) — Q2 2026
Original metric published by Axis Intelligence Research. Methodology disclosed below.
The most consequential and least-analyzed fact in breach economics is the structural divergence between U.S. and global average breach costs. IBM’s 2025 Cost of a Data Breach Report publishes both figures — $4.44M global, $10.22M U.S. — but neither IBM, Verizon, nor any competing publication has calculated and published this ratio as a composite index with component attribution. Axis fills that gap with the BCNDR.
BCNDR Formula: U.S. average breach cost ÷ Global average breach cost = National Divergence Ratio
Q2 2026 BCNDR: $10.22M ÷ $4.44M = 2.30
| Cost Component | Global Avg (IBM 2025) | U.S. Avg (IBM 2025) | U.S. Premium | Primary Driver |
|---|---|---|---|---|
| Base breach cost | $4.44M | $10.22M | +130% | Regulatory + litigation overlay |
| Detection & escalation | Included | Higher (more forensics, legal) | Est. +25–40% | Mandatory disclosure complexity |
| Notification costs | Included | Higher (50-state laws, 4-day SEC rule) | Est. +15–30% | Most fragmented notification framework globally |
| Post-breach litigation | Low globally | High (class action culture) | Est. +20–35% | U.S. class action frequency unmatched globally |
| Healthcare sector premium | $7.42M avg | Dominant U.S. sector | +67% above global avg | HIPAA + state law + CMS enforcement |
| Shadow AI component | +$670K | +$670K (equally applied) | Parity | Governance gap universal |
| BCNDR Composite Score | Baseline: 1.0 | 2.30 | +130% | See full methodology |
Methodology: The BCNDR is computed from IBM’s annual Cost of a Data Breach primary source. Component premiums are estimated by cross-referencing IBM sector and vector tables with Verizon DBIR third-party and notification data and U.S. regulatory disclosure requirements (SEC Rule 10-K, 50-state notification laws, HIPAA Breach Notification Rule). No single source publishes this composite. The BCNDR tracks whether U.S. breach costs are converging toward or diverging from the global average — a question directly relevant to regulatory and insurance decision-making. Updated quarterly as IBM’s annual Cost of Data Breach Report and Verizon DBIR refresh.
Released CC BY 4.0. Cite as: Axis Intelligence Research (2026). Breach Cost National Divergence Ratio Q2 2026. axis-intelligence.com.
U.S. Data Breach Volume — Scale, Trajectory, and the Transparency Crisis
Record Breach Volume
The Identity Theft Resource Center’s 2025 Annual Data Breach Report — the 20th edition of ITRC’s landmark study — tracked 3,322 data compromises in the United States in 2025. This broke the previous record set in 2023 (3,202), exceeded 2024 (3,152) by 5%, and represents a 79% increase over five years. It is the third consecutive year with more than 3,000 documented U.S. data compromises.
At the same time, the number of victim notices fell from 1.367 billion in 2024 to 278.8 million in 2025 — a 79% decline year-over-year, and the lowest total since 2014. This statistical paradox — more breaches, fewer victims notified — reflects a structural shift in attacker strategy: from the mass-scale “spray and pray” mega-breaches that dominated 2024 (led by the 192.7-million-record Change Healthcare attack) toward targeted, high-value intrusions that expose fewer records per incident but are harder to detect and more damaging per victim.
ITRC President James E. Lee framed it as an inflection point: “We have moved beyond an era of simple identity theft into a ‘State of More’ — more attacks that are more precise, more automated and more difficult to detect.”
The Transparency Collapse
Perhaps the most consequential trend in the 2025 data: 70% of breach notices provided no information on how the breach occurred, per the ITRC — up from 65% in 2024 and from approximately 45% in 2023. In 2020, close to 100% of breaching organizations disclosed their attack vectors. The direction of the trend has reversed completely in five years, leaving consumers and organizations receiving breach notifications unable to assess their own exposure or take targeted protective action.
ITRC attributes this to two forces: increasingly opaque state notification laws that vary widely in disclosure requirements, and legal counsel advising organizations to minimize disclosure to limit class-action liability exposure.
| Year | U.S. Data Compromises | Victim Notices | Breach Notices Without Attack Info |
|---|---|---|---|
| 2020 | ~1,800 | ~300M | ~0–5% |
| 2021 | ~1,860 | ~298M | ~30% |
| 2022 | ~1,900 | ~422M | ~40% |
| 2023 | 3,202 | ~900M | 45% |
| 2024 | 3,152 | 1,367,117,021 | 65% |
| 2025 | 3,322 (record) | 278,827,933 | 70% |
Source: ITRC 2025 Annual Data Breach Report.
The five-year breach volume trajectory (+79%) and the simultaneous collapse in breach transparency are structurally linked: as organizations disclose less about how breaches occurred, other organizations cannot learn from those incidents, which contributes to the persistence of the same attack vectors year after year.
The Cost of a Data Breach — Global, U.S., and by Sector
Global Cost Trends — IBM 2025
The IBM 2025 Cost of a Data Breach Report (the definitive annual study of breach economics, based on 604 organizations across 17 industries and 16 countries) found the global average cost fell from $4.88 million in 2024 to $4.44 million in 2025, the first year-over-year decline after five consecutive years of increases. IBM attributes the improvement to faster detection and containment, driven by AI-powered security tools. Organizations that extensively deploy security AI and automation achieved average breach costs of just $3.62 million, an $820,000 saving against the global average.
Internal breach detection rates improved from 33% in 2023 to 42% in 2024, reaching 50% in 2025 — the first time half of all breaches were discovered by the victim organization before external disclosure. Breaches detected internally cost $4.18 million on average, versus $5.08 million for breaches disclosed by the attacker — a $900,000 detection premium that quantifies the ROI of advanced monitoring.
| Year | Global Average Breach Cost | YoY Change | Key Driver |
|---|---|---|---|
| 2020 | $3.86M | — | Pandemic remote work expansion |
| 2021 | $4.24M | +10% | Sustained cloud migration |
| 2022 | $4.35M | +3% | Supply chain attacks surge |
| 2023 | $4.45M | +2% | Regulatory enforcement tightens |
| 2024 | $4.88M | +10% | Mega-breach year, credential theft peak |
| 2025 | $4.44M | -9% | AI-assisted detection improvement |
Source: IBM Cost of a Data Breach Report 2025.
U.S. vs. Global: The Divergence That Defines Risk
While the global average fell, the U.S. average rose from $9.77 million to a record $10.22 million — the first time American breach costs have crossed the $10 million threshold. For 15 consecutive years, the United States has led all countries in average breach cost. The U.S. is the only major market where the 2025 trend moved in the opposite direction from the global average.
IBM attributes the U.S. divergence to: more aggressive regulatory enforcement (SEC 4-day disclosure rule, HIPAA, FTC Health Breach Notification Rule, 50 individual state notification laws), higher litigation costs driven by the U.S. class-action environment, greater prevalence of high-cost sectors (healthcare, financial services) in breach samples, and more complex incident response obligations that extend investigation timelines.
Country breach costs ranked (IBM 2025):
| Rank | Country | Average Breach Cost | vs. Global Avg |
|---|---|---|---|
| 1 | United States | $10.22M | +130% |
| 2 | Middle East | $8.75M | +97% |
| 3 | Germany | $5.31M | +20% |
| 4 | Canada | $5.13M | +16% |
| 5 | Japan | $4.97M | +12% |
| 6 | United Kingdom | $4.53M | +2% |
| — | Global Average | $4.44M | Baseline |
| (Low) | India | $2.35M | -47% |
| (Low) | Public Sector | $2.86M | -36% |
Source: IBM Cost of a Data Breach Report 2025. Note: India and Public Sector represent lowest-cost segments, not countries at the bottom of country rankings.
Breach Cost by Sector
Healthcare leads breach costs globally for the 15th consecutive year. The sector’s $7.42 million average is 67% above the global mean — a gap sustained by the combination of HIPAA enforcement penalties, the high dark-web value of protected health information (PHI trades at 10x the price of credit card data due to its non-expiring nature), nine-month average breach detection and containment timelines, and a dense regulatory notification framework.
| Sector | Average Breach Cost (IBM 2025) | vs. Global Avg | Consecutive Years Leading |
|---|---|---|---|
| Healthcare | $7.42M | +67% | 15 years (all-time record) |
| Financial Services | $5.56M | +25% | — |
| Industrial | $5.00M | +13% | — |
| Energy | $4.83M | +9% | — |
| Technology | $4.79M | +8% | — |
| Pharmaceuticals | $4.61M | +4% | — |
| Education | $3.58M | -19% | — |
| Public Sector | $2.86M | -36% | — |
| Global Average | $4.44M | Baseline | — |
Source: IBM Cost of a Data Breach Report 2025.
Entertainment, media, hospitality, education, research, retail, and the public sector were the only industries that saw breach costs increase in 2025 despite the global decline — suggesting these sectors lag in AI-assisted security adoption.
Breach Lifecycle: How Detection Speed Determines Cost
The global average breach lifecycle fell to 241 days in 2025 — 181 days to identify plus 60 days to contain — the shortest in nearly a decade. Healthcare’s average exceeded 279 days, the longest of any sector and more than five weeks above the global mean. IBM documents a clear cost-duration relationship:
- Breaches contained under 200 days: average cost $3.87 million
- Breaches lasting more than 200 days: average cost $5.01 million
- Gap: $1.14 million penalty for slow detection
Healthcare — The Sector That Defines U.S. Breach Statistics
Healthcare is not merely the highest-cost sector — it is the structural anchor of U.S. data breach statistics. Between 2009 and 2025, the HHS Office for Civil Rights breach portal has recorded 7,418 large healthcare data breaches (affecting 500 or more individuals), exposing the protected health information of more than one billion Americans — 1,013,066,481 individuals, or more than 2.9 times the current U.S. population. Every American who has received healthcare or held health insurance in the past 15 years has likely had their data breached, and probably multiple times.
2025: A Record Year That Barely Made Headlines
The HIPAA Journal’s analysis of OCR data — based on data obtained from OCR through May 19, 2026 — shows 772 large healthcare data breaches were reported in 2025, a new annual record, with the protected health information of 139,721,832 individuals exposed or stolen. That figure translates to 379,306 patient records compromised every single day of 2025.
While the 2024 figure (289 million individuals affected) was larger — driven almost entirely by the Change Healthcare mega-breach — the 2025 total of 139.7 million demonstrates that even absent a single catastrophic breach, the volume of compromised healthcare data remains staggering. Among the 2025 incidents, Conduent Business Services (62.2 million individuals affected — the third-largest healthcare breach of all time), Aflac Incorporated (13.9 million), and Blue Shield of California (4.7 million) stand as the year’s defining incidents.
| Year | Healthcare Breaches (500+ individuals) | Individuals Affected | Rate |
|---|---|---|---|
| 2018 | 369 | ~14M | ~1/day |
| 2019 | 511 | ~40M | ~1.4/day |
| 2020 | 663 | ~29M | ~1.8/day |
| 2021 | 715 | ~45M | ~1.96/day |
| 2022 | 719 | ~51.9M | ~1.97/day |
| 2023 | 746 | ~133M | ~2.04/day |
| 2024 | 741 | 289,162,330 | ~2.03/day |
| 2025 | 772 (record) | 139,721,832 | 2.1/day |
| 2026 (Jan–Apr) | 252 | TBD | 9.5% fewer than 2025 pace |
Source: HHS Office for Civil Rights OCR Breach Portal, via HIPAA Journal Healthcare Data Breach Statistics (updated June 4, 2026).
All-Time Largest Healthcare Breaches
The OCR portal’s all-time data — extracted by the HIPAA Journal from the live government database — reveals the scale of healthcare’s structural vulnerability:
| Rank | Organization | Type | Year | Individuals Affected |
|---|---|---|---|---|
| 1 | Change Healthcare | Business Associate | 2024 | 192,700,000 |
| 2 | Anthem Inc. | Health Plan | 2015 | 78,800,000 |
| 3 | Conduent Business Services | Business Associate | 2025 | 62,224,658 |
| 4 | Welltok Inc. | Business Associate | 2023 | 14,782,887 |
| 5 | Aflac Incorporated | Health Plan | 2025 | 13,924,906 |
Source: HHS OCR Breach Portal via HIPAA Journal (June 4, 2026). Three of the five all-time largest healthcare breaches occurred in 2024–2025.
Cause of Healthcare Breaches — Hacking Dominates
Per OCR data compiled by HIPAA Journal, hacking and other IT incidents accounted for more than 80% of large healthcare data breaches in 2025. Network servers were the primary breach location in 61.5% of incidents, with email accounts accounting for 24.9% of breaches. Between 2018 and 2023, OCR documented a 239% increase in hacking-related healthcare breaches and a 278% increase in ransomware attacks.
Business associate data breaches — where the breach occurs at a vendor or third-party rather than the covered entity directly — are systematically undercounted in official statistics because they are often reported by each affected covered entity rather than the business associate itself. The landmark Change Healthcare breach affected 192.7 million individuals from a single business associate. The Conduent breach (62.2 million) demonstrates the same supply-chain amplification effect.
HIPAA Enforcement — Financial Penalties 2025–2026
OCR collected $8,330,066 in HIPAA violation penalties from 21 enforcement actions in 2025. OCR is conducting a focused enforcement initiative targeting HIPAA risk analysis failures — the most commonly identified HIPAA Security Rule violation — completing hacking incident investigations with financial penalties more efficiently to address its growing investigation backlog. As of early 2026, OCR has resolved 11 investigations with financial penalties under this initiative.
Attack Vectors and Breach Causes
Verizon 2026 DBIR — The Definitive Attack Vector Dataset
The Verizon 2026 Data Breach Investigations Report analyzed more than 22,000 security incidents including 12,195+ confirmed data breaches — the largest dataset in the report’s 19-year history.
The 2026 edition’s landmark finding: vulnerability exploitation rose to 31% of all breach initial access vectors, overtaking stolen credentials (13%) for the first time in 19 years of DBIR history. The shift from 20% (2025 DBIR) to 31% in a single year is the single largest one-year movement in any major attack vector category in the report’s history, and is directly attributable to AI tools that allow attackers to identify and exploit unpatched vulnerabilities in hours rather than weeks.
IBM X-Force 2026 corroborates the trend: a 44% year-over-year increase in attacks beginning with exploitation of public-facing applications, and a finding that 56% of disclosed vulnerabilities required no authentication to exploit — meaning attackers can break in without needing stolen credentials.
Initial access vectors in 2026 (Verizon DBIR 2026):
| Attack Vector | Share of Breaches | YoY Change | Avg. Breach Cost (IBM) |
|---|---|---|---|
| Vulnerability exploitation | 31% | +11pp | Highest ($4.91M+ for supply chain) |
| Phishing (social engineering) | 16% | Flat | $4.80M |
| Stolen/compromised credentials | 13% | -7pp | $4.81M |
| Pretexting (voice, SMS) | 6% | +1pp | Included in social engineering |
| Malicious insider | ~5% | Stable | $4.92M (IBM: costliest per attack) |
Sources: Verizon 2026 DBIR, IBM Cost of a Data Breach Report 2025.
The Human Element — Persistent at 62%
Despite the rise of vulnerability exploitation, the Verizon 2026 DBIR found the human element present in 62% of all breaches — up from 60% in the 2025 edition. This figure encompasses credential reuse, phishing susceptibility, compliance failures, and AI-assisted deception operating across all three social engineering categories simultaneously.
The 2026 DBIR makes a critical methodological point: the 31% vulnerability exploitation figure and the 62% human element figure are not in competition. When a vulnerability is exploited because a system administrator failed to apply a patch, the human element is also present. Patching programs fail for human-behavioral reasons — competing priorities, resource constraints, risk acceptance — not purely technical ones.
AI-Enabled Attacks — Accelerating Both Sides
The 2026 DBIR, in a collaboration with Anthropic covering 793 threat actors flagged for AI misuse between March 2025 and February 2026, found that AI is currently an operational tool for attackers — automating and scaling known techniques rather than creating novel attack categories. In the median case, threat actors sought AI assistance across approximately 15 distinct ATT&CK techniques, with 44% of AI-assisted initial access being phishing-related.
IBM’s 2025 Cost of Data Breach Report found 16% of breaches involved attacker use of AI, primarily for phishing (37% of AI-enabled attacks) and deepfake impersonation (35%). Simultaneously, IBM found that organizations extensively deploying defensive AI achieved average breach costs of $3.62 million — $820,000 below the global mean — with breach detection timelines 190 days faster than organizations without AI security tooling.
Supply Chain — The Multiplier Effect
Third-party and supply chain breaches increased 60% year-over-year in the Verizon 2026 DBIR, now present in 48% of all breaches. IBM X-Force 2026 documented a near-fourfold increase in major supply chain compromises since 2020. The logic is straightforward: compromising one vendor grants access to dozens or hundreds of downstream organizations simultaneously — the Change Healthcare and Conduent breaches being the clearest recent proof.
Data Breach Notification — The Regulatory Maze
The U.S. data breach notification landscape is among the world’s most fragmented regulatory environments, a direct contributor to the BCNDR’s 130% U.S. premium. Organizations operating in multiple U.S. states must comply with 50 different state notification laws, each with varying definitions of what constitutes a breach, different timelines for notification (from 30 to 90 days), and different required content in notifications.
Federal regulatory layers add further complexity:
HIPAA Breach Notification Rule (HHS/OCR): Healthcare entities must notify affected individuals, HHS, and, for breaches affecting 500+ individuals, local media within 60 days of discovery. The HHS OCR portal’s “Wall of Shame” publicly lists all large breaches, creating reputational exposure beyond financial penalties.
SEC 4-Day Disclosure Rule: Publicly traded companies must disclose “material” cybersecurity incidents within four business days of determining materiality under the SEC’s 2023 cybersecurity disclosure rules. This rule has produced the most aggressive mandatory timeline in any sector — faster even than healthcare’s 60-day HIPAA requirement — and is a primary driver of higher U.S. breach investigation costs as organizations must engage legal counsel, forensic teams, and crisis communications simultaneously to meet the timeline.
FTC Health Breach Notification Rule: Applies to personal health record vendors and health-related apps not covered by HIPAA, including fitness trackers, mental health apps, and fertility tracking services. The FTC has imposed penalties against Cerebral ($7.1M), BetterHelp ($7.8M), and GoodRx ($1.5M) under this rule.
CISA CIRCIA: The Cyber Incident Reporting for Critical Infrastructure Act imposes new mandatory reporting timelines for critical infrastructure operators — 72 hours for cyber incidents, 24 hours for ransomware payments — when its final rule takes effect.
This regulatory stack means U.S. organizations experiencing a single breach simultaneously manage HIPAA, SEC, state notification, FTC, and CIRCIA obligations — each with different timelines, different required content, and different regulatory audiences. No other country imposes this density of overlapping notification requirements.
Data Breach Forecasts and 2026 Emerging Trends
Q2 2026 Healthcare Trend
The HIPAA Journal reports that from January 1 to April 30, 2026, 252 large healthcare data breaches were reported to OCR — a 9.5% reduction compared to the same period in 2025. However, this figure is suppressed by OCR’s processing backlog following the federal government’s 43-day shutdown in late 2025 (October 1 – November 12, 2025), during which no data breaches were added to the breach portal. OCR has been adding catch-up reports through Q1 2026, and the true 2026 breach pace is likely higher than the current portal data reflects.
Financial Services Overtakes Healthcare in Breach Volume
The ITRC 2025 Annual Data Breach Report found financial services recorded the most data compromises of any U.S. sector in 2025, with 739 incidents — overtaking healthcare (534) for the first time. This shift reflects the strategic pivot by threat actors toward credential and PII theft for identity fraud and account takeover, as opposed to the ransomware-focused attacks that previously characterized healthcare targeting.
Professional services (478) has become the fastest-growing attack target, as compromising a single law firm, accounting firm, or consulting company provides lateral access to all of that firm’s clients simultaneously — the supply-chain amplification effect at the service-sector level.
Physical Skimming Renaissance — +750%
One of 2025’s most unexpected ITRC findings: physical skimming incidents jumped from just 4 in 2024 to 34 in 2025, a 750% year-over-year increase, driven by Bluetooth-enabled skimming devices that allow criminals to harvest card data without physical retrieval of the skimmer. This is a tactical adaptation by financially-motivated criminals who have found that physical card-present skimming — effectively dormant as a threat category for several years — can be revived with modern wireless technology.
Ransomware-as-Data-Theft Pivot
The ITRC reports that ransomware declined for the second consecutive year in 2025 as a root cause of disclosed breaches — falling to 143 incidents from 194 in 2024. The Verizon 2026 DBIR simultaneously shows ransomware in breach chains rising to 48% of all breaches. These statistics are not contradictory: they reflect the same strategic shift. Attackers increasingly steal data and threaten to release it (pure extortion) without encrypting systems — a method that leaves less forensic evidence, creates fewer operational disruptions that would prompt rapid victim response, and is therefore less likely to be classified and disclosed as a “ransomware” breach in notification filings.
Methodology
Data collection period: This report integrates primary source data published between January 2025 and June 2026. The Verizon 2026 DBIR covers incidents from November 2024 through October 2025. IBM’s 2025 Cost of a Data Breach Report covers breaches studied from March 2024 to February 2025. ITRC data covers calendar year 2025. HHS OCR data reflects breaches reported through May 19, 2026.
Source hierarchy: U.S. government sources (HHS OCR portal, FTC, SEC) → Named research organizations publishing original primary data (IBM/Ponemon, Verizon DBIR, ITRC) → Sector-specific tracking organizations (HIPAA Journal, which compiles directly from the live OCR database).
BCNDR methodology: Calculated as U.S. average breach cost ÷ global average breach cost from IBM’s annual Cost of a Data Breach Report. Component cost premiums (regulatory, litigation, healthcare sector) are estimated via cross-reference of IBM sector and country tables with Verizon DBIR data. The ratio of 2.30 is a measured figure; the component premiums are estimates with ranges. The BCNDR is updated quarterly; IBM’s 2026 Cost of a Data Breach Report is expected in July 2026.
Limitations:
- IBM’s Cost of a Data Breach Report excludes mega-breaches (over 100,000 records) from its sample design, meaning its cost figures understate the true mean for very large incidents.
- ITRC data counts compromises, not confirmed breaches — this is a broader category that includes unconfirmed exposures.
- HHS OCR data as of May 19, 2026, does not yet reflect the full 2026 breach landscape due to the government shutdown backlog.
- The 70% figure for breach notices without attack information (ITRC) reflects disclosed notices, not actual breach causes — organizations that do not disclose their attack vector are systematically overrepresented in the “no information” category, introducing selection bias.
About This Dataset
License: CC BY 4.0. Free to share and adapt with attribution.
Citation (APA): Axis Intelligence Research. (2026, June). Data breach statistics 2026: Costs, causes, industries & full dataset. Axis Intelligence. https://www.axis-intelligence.com/data-breach-statistics/
Citation (MLA): Axis Intelligence Research. “Data Breach Statistics 2026: Costs, Causes, Industries & Full Dataset.” Axis Intelligence, 10 June 2026, www.axis-intelligence.com/data-breach-statistics/.
Citation (Chicago): Axis Intelligence Research. “Data Breach Statistics 2026: Costs, Causes, Industries & Full Dataset.” Axis Intelligence, June 10, 2026. https://www.axis-intelligence.com/data-breach-statistics/.
Download the dataset: [CSV download — data-breach-statistics-2026.csv] (CC BY 4.0)
FAQ
What is the average cost of a data breach in 2026?
The global average cost of a data breach fell to $4.44 million in 2025 — the first decline in five years — per IBM’s 2025 Cost of a Data Breach Report. U.S. organizations simultaneously hit a record $10.22 million average, the first time U.S. breach costs have crossed the $10 million threshold. Healthcare remains the most expensive sector globally at $7.42 million per breach — the 15th consecutive year at the top.
How many data breaches occurred in the U.S. in 2025?
The Identity Theft Resource Center documented 3,322 U.S. data compromises in 2025 — a new all-time record and a 79% increase over five years. This was the third consecutive year with more than 3,000 documented incidents. Despite the record breach volume, victim notices fell 79% to 278.8 million as attackers shifted from mass-scale breaches to targeted, high-value intrusions.
Why are U.S. data breach costs so much higher than the global average?
U.S. breach costs are 130% above the global average — the Axis BCNDR score of 2.30 — due to a dense overlay of regulatory obligations: 50 different state notification laws, the SEC’s 4-day material breach disclosure rule, HIPAA, FTC Health Breach Notification requirements, and CIRCIA. The U.S. class-action litigation environment adds further cost. No other country imposes this density of overlapping regulatory notification requirements on breached organizations.
What sector experiences the most data breaches?
In 2025, financial services led all U.S. sectors by breach volume for the first time, with 739 data compromises per ITRC data — overtaking healthcare (534). However, healthcare leads in breach cost ($7.42M average per IBM 2025) and in total individuals affected. In 2025, 772 large healthcare breaches exposed 139.7 million Americans’ protected health information.
What is the most common way organizations get breached in 2026?
For the first time in 19 years of the Verizon DBIR’s history, vulnerability exploitation overtook stolen credentials as the #1 initial breach entry point, reaching 31% of breaches in the 2026 DBIR — up from 20% in 2025. AI is enabling attackers to identify and exploit unpatched vulnerabilities in hours rather than weeks. Phishing remains significant at 16% of initial access. The human element is present in 62% of all breaches.
How has the healthcare data breach landscape changed in 2025–2026?
Healthcare reached a record 772 large breaches in 2025, with 139.7 million individuals affected — equivalent to 379,306 records compromised daily. Three of the five largest healthcare breaches of all time occurred in 2024–2025 (Change Healthcare: 192.7M; Conduent: 62.2M; Aflac: 13.9M). Hacking and IT incidents now account for more than 80% of healthcare breaches. Business associate breaches are systematically undercounted but account for the largest individual incidents.
What is the Axis BCNDR and why does it matter?
The Breach Cost National Divergence Ratio (BCNDR) is an original metric by Axis Intelligence Research quantifying the structural gap between U.S. and global average breach costs. The Q2 2026 BCNDR of 2.30 means U.S. organizations face breach costs 130% above the global baseline. This ratio directly informs cyber insurance pricing, regulatory policy analysis, and CISO budget benchmarking. No primary source publishes this ratio explicitly. Full methodology available at axis-intelligence.com/data-breach-statistics/.
Why are 70% of breach notices missing attack information?
The ITRC 2025 Annual Data Breach Report found that 70% of breach notices provided no information on how the breach occurred — up from 65% in 2024 and near-zero in 2020. This transparency collapse is driven by uneven state notification laws (which vary widely in required disclosure detail) and legal strategy: organizations’ legal counsel increasingly advise minimal disclosure to limit class-action exposure. The result is a systemic information asymmetry where victims cannot protect themselves based on notification content.
How does AI affect data breach costs and frequency?
AI impacts breach economics on both sides. On the attacker side, IBM’s 2025 report found 16% of breaches involved attacker AI use (phishing 37%, deepfakes 35%), and the Verizon 2026 DBIR found 15 distinct ATT&CK techniques now bolstered by AI. Shadow AI — unauthorized employee AI tool use — added $670,000 to average breach costs and was present in 20% of IBM-studied breaches. On the defensive side, organizations extensively deploying security AI achieved average breach costs of $3.62 million, $820,000 below the global mean, with breach detection 190 days faster.
What is the breach cost difference between fast and slow detection?
IBM’s 2025 report documents a clear detection-cost relationship: breaches contained within 200 days cost an average of $3.87 million; those exceeding 200 days cost $5.01 million — a $1.14 million penalty for slow detection. The global average lifecycle fell to 241 days in 2025. Healthcare averaged 279 days — the longest of any sector. The $900,000 gap between internally detected breaches ($4.18M) and attacker-disclosed breaches ($5.08M) represents the quantified organizational value of proactive monitoring.
