IBM today released its annual Cost of a Data Breach (CODB) report, revealing global and regional trends related to the rising costs of data breaches in an increasingly sophisticated and disruptive cyber threat landscape. The 2025 report explores the growing role of automation and artificial intelligence (AI) in mitigating breach costs and, for the first time, examines the state of AI security and governance.
The report indicated that the average cost of a data breach in Brazil reached R$ 7.19 million, while in 2024 the cost was R$ 6.75 million, a 6.5% increase, marking additional pressure on cybersecurity teams facing highly complex challenges. Sectors such as Health, Finance, and Services led the list of the most impacted, recording average costs of R$ 11.43 million, R$ 8.92 million, and R$ 8.51 million, respectively.
In the country, organizations that extensively adopt secure AI and automation reported average costs of R$ 6.48 million, while those with limited implementation had costs of R$ 6.76 million. For companies that have not yet adopted these technologies, the average cost has risen to R$ 8.78 million, highlighting the advantages of AI in strengthening cybersecurity.
In addition to assessing the factors that increase costs, the 2025 Cost of a Data Breach Report analyzed elements that can reduce the financial impacts of a data breach. Among the most effective initiatives are the implementation of threat intelligence (which reduced costs by an average of R$ 655,110) and the use of AI governance technology (R$ 629,850). Despite this significant cost reduction, the report found that only 29% of the organizations studied in Brazil use AI governance technology to mitigate risks associated with AI model attacks. In general, AI governance and security are being widely ignored, with 87% of the organizations studied in Brazil reporting that they do not have AI governance policies in place and 61% lacking AI access controls.
"Our study shows that there is already a concerning gap between the rapid adoption of AI and the lack of proper governance and security, and malicious agents are exploiting this vacuum. The absence of access controls in AI models has exposed sensitive data and increased organizational vulnerability. Companies that underestimate these risks are not only putting critical information at risk but also compromising trust across the entire operation," explains Fernando Carbone, Security Services Partner at IBM Consulting in Latin America.
Factors contributing to the increase in data breach costs
The complexity of the security system contributed, on average, to an increase of R$ 725,359 in the total cost of the breach.
The study also showed that the unauthorized use of AI tools (shadow AI) resulted in an average increase of R$ 591,400 in costs. And the adoption of AI tools (internal or public), despite their benefits, added an average cost of R$ 578,850 to data breaches.
The report also identified the most common root causes of data breaches in Brazil. Phishing stood out as the main threat vector, accounting for 18% of breaches, resulting in an average cost of R$ 7.18 million. Other significant causes include third-party and supply chain compromise (15%, with an average cost of R$ 8.98 million) and exploitation of vulnerabilities (13%, with an average cost of R$ 7.61 million). Compromised credentials, internal (accidental) errors, and malicious infiltrators have also been reported as causes of breaches, demonstrating the wide range of challenges organizations face in data protection.
Other global findings from the 2025 Cost of a Data Breach report:
- 13% of organizations reported breaches involving AI models or applications, while 8% did not know if they had been compromised in this way. Of the compromised organizations, 97% reported not having AI access controls in place.
- 63% of breached organizations do not have an AI governance policy or are still developing one. Among those with policies, only 34% conduct regular audits to detect unauthorized AI use.
- One in five organizations reported a breach due to shadow AI, and only 37% have policies to manage or detect this technology. Organizations that used high levels of shadow AI observed an average of $670,000 more in breach costs compared to those with low levels or no shadow AI. Security incidents involving shadow AI led to the compromise of more personally identifiable information (65%) and intellectual property (40%) compared to the global average (53% and 33%, respectively).
- 16% of the studied breaches involved hackers using AI tools, often for phishing or deepfake attacks.
The financial cost of a breach
- Data breach costs. The global average cost of a data breach has fallen to $4.44 million, the first decline in five years, while the average cost of a breach in the US reached a record $10.22 million.
- Global lifecycle of a breach reaches record time. The average global time to identify and contain a breach (including service restoration) has decreased to 241 days, a reduction of 17 days compared to the previous year, as more organizations detected the breach internally. Organizations that detected the breach internally also saved $900,000 in breach costs compared to those notified by an intruder.
- Breaches in the healthcare sector continue to be the most costly. With an average of US$ 7.42 million, breaches in the healthcare sector remained the most costly among all studied sectors, even with a reduction of US$ 2.35 million in costs compared to 2024. Breaches in this sector take longer to be identified and contained, with an average of 279 days, more than 5 weeks above the global average of 241 days.
- Ransom payment fatigue. Last year, organizations increasingly resisted ransom demands, with 63% choosing not to pay, compared to 59% the previous year. As more organizations refuse to pay ransoms, the average cost of an extortion or ransomware incident remains high, especially when disclosed by an attacker (US$ 5.08 million).
- Price increases after breaches. The consequences of a breach continue to extend beyond containment. Although down compared to the previous year, nearly half of all organizations reported plans to increase the price of goods or services due to breaches, and nearly one-third reported price increases of 15% or more.
- Stagnation in security investments amid rising AI risks. There was a significant decrease in the number of organizations reporting plans to invest in security after a breach: 49% in 2025, compared to 63% in 2024. Less than half of those planning to invest in post-breach security will focus on AI-based security solutions or services.
20 years of the cost of a data breach
The report, conducted by the Ponemon Institute and sponsored by IBM, is the industry’s primary reference for understanding the financial impact of data breaches. The report analyzed the experiences of 600 global organizations between March 2024 and February 2025.
In the last 20 years, the Cost of a Data Breach Report has investigated nearly 6,500 breaches worldwide. In 2005, the inaugural report found that nearly half of all breaches (45%) originated from lost or stolen devices. Only 10% were due to hacked systems. By 2025, the threat landscape has changed drastically: it is now predominantly digital and increasingly targeted, with breaches driven by a spectrum of malicious activities.
A decade ago, cloud misconfiguration issues were not even monitored. Now, they are among the main vectors of breaches. Ransomware exploded during the 2020 lockdowns, with the average cost of breaches increasing from $4.62 million in 2021 to $5.08 million in 2025.
To access the full report, visit IBM's official website.