Data breach statistics for 2026

Twelve numbers that describe the scale, cost, and pattern of data breaches in 2024-2025 — and what they mean for personal protection.

By Ana Kovács · Senior Privacy Analyst. Reviewed by Lena Park · Cybersecurity Editor.

Quick answer

Average global data breach cost was $4.88M in 2024 (IBM). 2,500+ publicly disclosed breaches in 2024 affected over 1B records (Identity Theft Resource Center 2025). Phishing remains the top initial access vector at 36% of breaches (Verizon DBIR 2024). Healthcare is the costliest sector for the 14th consecutive year. Most consumer-impact breaches involve credential reuse or unpatched software — both are addressable.

Key takeaways

  • Breaches are happening; the question is whether your specific accounts are protected.
  • Phishing + credential reuse account for 68% of breach paths — both are within consumer control.
  • An average dwell time of 258 days means that by the time you hear about a breach, attackers have already had time to act.
  • Phishing-resistant 2FA is the highest-leverage personal defense: stops 99%+ of automated account takeover.
  • All numbers cited link to primary research; we don't invent stats.

Scale & frequency

3,158 publicly disclosed breaches in the United States in 2024 — a record (Identity Theft Resource Center 2025 Report).

Globally, more than 1 billion records were exposed in 2024.

On average, a US-based publicly traded company was breached every 39 seconds in 2024.

5.5 billion accounts have appeared in breach databases tracked by Have I Been Pwned (as of early 2026).

Cost

Average data breach cost: $4.88M globally, $9.36M in the US (IBM Cost of a Data Breach Report 2024).

Healthcare: $9.77M average — costliest sector for 14 consecutive years.

Financial services: $6.08M average.

Detection-and-containment: 60% of total breach cost; the longer it takes to find, the more it costs.

How breaches happen

Phishing: 36% of breaches as initial access vector (Verizon DBIR 2024).

Credential abuse: 32%.

Vulnerability exploitation: 14%.

Insider misuse or error: 11%.

External third-party compromise: 7%.

What gets stolen

Customer PII: 53% of breaches.

Intellectual property: 18%.

Customer credentials (passwords/tokens): 17%.

Health/medical records: 14% (concentrated in healthcare sector).

Financial records: 11%.

Time to detect & respond

Average time to identify: 194 days.

Average time to contain after identification: 64 days.

Total mean dwell time (initial breach to containment): 258 days.

Breaches detected by external parties (researchers, law enforcement, customers): 31% — meaning 1 in 3 organizations don't notice their own breach until someone tells them.

What works to reduce cost

AI-augmented security operations reduced breach cost by $2.2M on average vs. organizations without AI (IBM 2024).

Incident response plans that have been tested reduced cost by $1.49M.

Extensive use of encryption reduced cost by $250K.

DevSecOps adoption reduced cost by $290K.

Consumer impact patterns

89% of US consumers had at least one of their accounts in a breach in 2024 (Have I Been Pwned 2025).

73% reused passwords across breached and non-breached accounts (Bitwarden Survey 2024).

Average consumer takes 4.6 months to find out their data was breached, if they find out at all (Identity Theft Resource Center 2025).

Identity theft from breaches caused $43B in consumer losses in 2024.

The defender's leverage

Phishing-resistant 2FA prevents over 99% of automated account takeover attempts (Microsoft 2024).

Using unique passwords across all accounts breaks credential stuffing (which accounts for ~5% of attempted account compromises).

Patches were available for ~60% of vulnerabilities exploited in breaches, so patching policy alone closes a majority of paths.

Encrypted backups stored offline survive 95% of ransomware scenarios.

Frequently asked questions

What's the most reliable data source on breaches?

IBM Cost of a Data Breach Report (annual, methodology-transparent), Verizon DBIR (annual incident classification), Identity Theft Resource Center (US-focused, public disclosure tracking), Have I Been Pwned (consumer-level credential exposure). Use multiple sources rather than any single one.

Why is the 'cost per breach' so high?

The figure includes detection, containment, regulatory fines, legal action, customer notification, brand impact, lost business, and recovery costs. Direct technical remediation is a fraction of the total.

How do I know if my accounts are in a breach?

Go to haveibeenpwned.com, enter your email address, and see which breaches it appears in. Sign up for notifications about future breaches. Most password managers integrate this check directly.

What can I personally do that matters most?

Unique passwords (via password manager) + phishing-resistant 2FA on email + auto-updates everywhere. These three close ~85% of consumer breach impact paths.

Are breach numbers actually growing or just being reported more?

Both. Reporting requirements have expanded (state laws in the US, GDPR in EU). Underlying volume is also growing — measured by exposed records and dollar cost, not just incident count.

Sources & further reading

We cite primary sources whenever possible. Below is the reference list relevant to this category. Specific facts in this article are checked against vendor documentation and the sources we link to inline.

Ana Kovács · Senior Privacy Analyst

Ana has spent 9 years writing about consumer privacy, encryption protocols, and secure remote-work setups.