Show Notes
Follow on LinkedIn: www.linkedin.com/company/idtheftcenter/
Follow on Twitter: twitter.com/IDTheftCenter
Show Transcript
Welcome back to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown, supported by Sentilink. I’m James E. Lee, the ITRC’s President, and this is the episode for August 15, 2025. Each week, we take a look at the latest news and trends related to data security and privacy. This week, we’re taking a look at the last of the Big Three data breach reports issued each year, this one focusing on data breach cost – IBM’s Cost of Data Breaches Report (CODB).
For 20 years now, the CODB, along with the ITRC’s U.S. Data Breach Report (DBR) and Verizon’s global Data Breach Investigation Report (DBIR), have been part of the triumvirate that looks at data breach costs by region around the world, along with how long it takes to find and fix a data breach.
The CODB, along with the DBR and DBIR, are proof that those of us in the cybersecurity world love our acronyms. That makes this episode – LITTOB – Love in the Time of Breaches (with apologies to the makers of Love in the Time of Cholera).
I do have a bone to pick about one particular stat, not with IBM, but with most trade media and other cyber pros. You may have even seen a headline that claims the average data breach cost dropped in 2024 to $4.4 million.
That’s true, but it lacks some very important context. That’s a global cost average, not a U.S. average, which is reported deeper in the CODB and often missed by reporters and analysts in a hurry. The data breach cost to a U.S. organization was actually up nine percent to an average of a little more than $10 million, the highest data breach cost reported in the two decades of the IBM report.
There’s one more important point to know about this report. The average data breach on which the average is based only involves the exposure of between roughly 2,000 and 113,000 records. We don’t report the number of records exposed at the ITRC; we track victim notices issued. That roughly equates to individuals impacted.
Just based on the number of 2024 compromises and notices issued as reported by the ITRC, the average U.S. data breach was nearly five times larger than the global average, or approximately 538,000 victim notices per event. All that to say, like all reports on data breaches, this one should be viewed as a conservative estimate, with the actual volume and impact of data breaches being much higher.
The other stat that everyone looks forward to learning from this report is the dwell time of cyberattacks that lead to breaches. Dwell time is the length of time between when an attack is launched and when it is discovered. Dwell time is combined with remediation time to get a start-to-finish view of cyberattacks.
In 2024, IBM reports that the mean dwell time dropped and so did the mean remediation time – how long it took to stop an attack once found – to a nine-year low: 181 days to identify an attack and 60 days to contain it. That’s just short of eight months – still plenty of time to do a lot of damage.
All discussions of cybersecurity these days require a mention of artificial intelligence (AI). IBM’s cost of data breaches is no exception. Two related stats stand out:
First is that one in six data breaches involved AI. That means attackers can use generative AI to both perfect and scale their phishing campaigns and other social engineering attacks. IBM believes generative AI reduces the time to generate a convincing phishing email from 16 hours to only five minutes. This year’s report shows the impact of that: on average, 16 percent of data breaches involved attackers using AI, most often for AI-generated phishing (37 percent) and deepfake impersonation attacks (35 percent).
The second stat is a corollary: On average, 13 percent of organizations reported breaches that involved their own AI models or applications. However, among those that did report an AI-related breach, nearly all (97 percent) lacked proper AI access controls, allowing someone to use the technology as part of an attack.
A few other items of note found in the IBM CODB:
- Only half of all data breaches are discovered by internal security teams. The rest are reported by outside third parties or the attackers themselves.
- Organizations reporting a breach to law enforcement dropped 20 percentage points. Only 40 percent of the breaches studied in the IBM report involved a law enforcement investigation, despite indications that police involvement can save as much as $1 million in data breach costs.
- Meanwhile, more organizations refused to pay ransomware. Sixty-three (63) percent said no to data hostage takers compared to 59 percent in the previous year’s report.
If you want to learn more about the data breach cost, take a look at IBM’s reports web page. If you want to know more about what’s happening this year with U.S. data breaches, check out the ITRC’s H1 Data Breach Analysis at our website www.idtheftcenter.org/reports.
If you’re the victim of identity theft, fraud or a scam, speak with an expert ITRC advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.
Thanks again to Sentilink for supporting this podcast and the ITRC. Please hit the like button for this episode and subscribe where you listen to podcasts. Check out the latest episode of our sister podcast, the Fraudian Slip, where we discuss the impact of AI on identity theft, fraud, scams and kale. We will return next week with another episode of the Weekly Breach Breakdown. Until then, thanks for listening.