IBM report: Average cost of a data breach in Brazil reaches R$ 7.19 million

IBM today released its annual Cost of a Data Breach (CODB) report, revealing global and regional trends related to rising data breach costs in an increasingly sophisticated and disruptive cyber threat landscape.The 2025 report explores the growing role of automation and artificial intelligence (AI) in mitigating breach costs, and for the first time, studied the state of AI security and governance.

The report indicated that the average cost of a data breach in Brazil reached R$ 7.19 million, while in 2024 the cost was R$ 6.75 million, an increase of 6.5%, marking an additional pressure on cybersecurity teams facing highly complex challenges.Sectors such as Health, Finance and Services topped the list of the most impacted, recording average costs of R$ 11.43 million, R$ 8.92 million and R$ 8.51 million, respectively.

In the country, organizations that extensively adopt safe AI and automation reported average costs of R$ 6.48 million, while those with limited implementation had costs of R$ 6.76 million. For companies that do not yet use these technologies, the average cost rose to R$ 8.78 million, highlighting the advantages of AI in strengthening cybersecurity.

In addition to assessing the factors that raise costs, the Cost of a Data Breach Report 2025 analyzed elements that can reduce the financial impacts of a data breach. Among the most effective initiatives are the implementation of threat intelligence (which reduced costs by an average of R$ 655.110) and the use of AI governance technology (R$ 629.850). Even with this significant cost reduction, the report that only 29% of the organizations studied in Brazil use IATP governance technology for risks associated with IAT3 governance models being considered.

“Our study shows that there is already a worrying gap between the rapid adoption of AI and the lack of adequate governance and security, and malicious actors are exploiting this vacuum.The absence of access controls in AI models has exposed sensitive data and increased the vulnerability of organizations. Companies that underestimate these risks are not only putting critical information at risk, but also compromising trust in the entire” operation, explains Fernando Carbone, Partner of Security Services at IBM Consulting in Latin America.

Factors that contribute to increased data breach costs

The complexity of the security system contributed, on average, to an increase of R$ 725,359 in the total cost of the breach.

The study also showed that unauthorized use of AI tools (shadow AI) generated an average R$ 591,400 increase in costs. And the adoption of AI tools (internal or public), despite their benefits, added an average cost of R$ 578,850 to data breaches.

The report also identified the most frequent initial causes of data breaches in Brazil.Phishing stood out as the main threat vector, representing 18% of breaches, resulting in an average cost of R$ 7.18 million. Other significant causes include third party and supply chain compromise (15%, with average cost of R$ 8.98 million) and exploitation of vulnerabilities (13%, with average cost of R$ 7.61 million). Compromised credentials, internal errors (wide) and infiltrated data breaches were also demonstrating the malicious causes of data breaches were faced as well-intentious as range challenges.

Other global findings from the 2025 Cost of a Data Breach report:

• 13% of the organizations reported breaches involving AI models or applications, while 8% did not know if they had been compromised in this way.Of the organizations compromised, 97% reported having no access controls for AI in place.
• 63% of breached organizations do not have an AI governance policy or are still developing one. Among those with policies, only 34% conduct regular audits to detect unauthorized use of AI.
• One in five organizations reported a breach due to shadow AI, and only 37% have policies to manage or detect this technology. Organizations that used high levels of shadow AI observed an average of US$ 670,000 more in breach costs compared to those with low levels or no hidden AI. Security incidents involving hidden AI led to more personally identifiable information (65%) and intellectual property (40%) being compromised compared to the global average (53% and 33%, respectively).
• 16% of the breaches studied involved hackers using AI tools, often for phishing or deepfake attacks.

The financial cost of a breach

• Data breach costs. The global average cost of a data breach fell to US$ 4.44 million, the first drop in five years, while the average cost of a breach in the US reached the record US$ 10.22 million.
• Global lifecycle of a breach reaches record timethe average global time to identify and contain a breach (including service restore) has fallen to 241 days, a 17-day reduction from the previous year, as more organizations detected the breach internally. Organizations that detected the breach internally have also saved US$ 900,000 in breach costs compared to those notified by an attacker.
• Health violations remain the most expensive. With an average of US$ 7.42 million, breaches in the healthcare sector remained the most expensive among all sectors studied, even with a reduction of US$ 2.35 million in costs compared to 2024. Violations in this sector take longer to be identified and contained, with an average time of 279 days, more than 5 weeks above the global average of 241 days.
• Redemption payment fatigue. Last year, organizations increasingly resisted ransom demands, with 63% choosing not to pay, compared to 59% the previous year.As more organizations refuse to pay ransoms, the average cost of an extortion or ransomware incident remains high, especially when disclosed by an attacker (US$ 5.08 million).
• Post-violation price increases. The consequences of a breach continue to extend beyond containment.Although falling from the previous year, nearly half of all organizations reported that they planned to increase the price of goods or services due to the breach, and nearly a third reported price increases of 15% or more.
• Stagnation in security investments amid rising AI risks. There has been a significant reduction in the number of organizations reporting plans to invest in security following a breach: 49% in 2025, compared to 63% in 2024. Less than half of those planning to invest in post-breach security will focus on AI-based security solutions or services.

20 Years from the cost of a data breach

The report, conducted by the Ponemon Institute and sponsored by IBM, is the industry's leading reference for understanding the financial impact of data breaches.The report analyzed the experiences of 600 global organizations between March 2024 and February 2025.

Over the past 20 years, the Cost of a Dat Breach Report has investigated nearly 6,500 breaches worldwide.In 2005, the inaugural report found that nearly half of all breaches (45%) originated from lost or stolen devices.Only 10% were due to hacked systems. Moving forward to 2025, the threat landscape has changed dramatically. Today, the threat landscape is predominantly digital and increasingly targeted, with breaches now driven by a spectrum of malicious activity.

A decade ago, misconfiguration issues in the cloud were not even monitored. Now, they are among the main vectors of breaches. Ransomware exploded during the 2020 lockdowns, with the average cost of breaches increasing from US$ 4.62 million in 2021 to US$ 5.08 million in 2025.

To access the full report, visit the official IBM website here.