How AI is changing the cost of a data breach

Lenders sprinting to adopt artificial intelligence solutions could be opening the door to increasingly damaging cybersecurity incidents.

Nearly all of the companies that suffered hacks involving their AI models or applications in the past year lacked proper access controls, according to IBM's annual Cost of a Data Breach report. Although just 13% of the 600 organizations surveyed by IBM and the Ponemon Institute suffered AI-related breaches, the majority of all impacted firms said they lack an AI governance policy.

"Organizations are skipping over security and governance for AI in favor of do-it-now AI adoption," the report read. "Those ungoverned systems are more likely to be breached—and more costly when they are. We're not surprised."

The assessment comes as the average cost of a data breach for U.S.-based businesses hit a survey-record $10.22 million for breaches that occurred between March 2024 and February 2025. Those expenses include detection, notification, lost business and legal costs; legal settlements alone have cost lenders tens of millions of dollars.

The artificial intelligence threat

Cyberattacks involving an AI system typically occurred in a company's AI supply chain: compromised applications such as software-as-a-service products, application programming interfaces or plug-ins, the report said. Meanwhile, 16% of companies said they suffered incidents in which attackers used AI, such as AI-generated phishing or deepfake impersonations.

Another 20% of companies said they dealt with attacks involving shadow AI, in which employees use the technology without proper authorization or oversight. Shadow AI incidents typically exposed more personally identifiable information and drove up the average breach cost by $670,000, according to IBM.

AI has also helped security teams respond to incidents. Compared with organizations that didn't use AI in their security operations, those that did shortened breach lifecycles by 80 days and lowered the average cost by $1.9 million, the study found.

The researchers urged companies to adopt AI governance policies, including regular audits for unsanctioned AI use. Even among firms that said they have such controls in place, fewer than half said they had strict approval procedures for AI deployments. IBM and Ponemon also cautioned about agentic AI, which is quickly being adopted in the lending space.

"AI agents increasingly rely on credentials to access systems and perform tasks," the study read. "It's essential to implement strong operational controls or services that help you do so, and maintain visibility into all non-human identity activity."

What the average data breach looks like today

Organizations on the whole are getting faster at responding to incidents: the mean time to identify and contain a breach was 241 days, a nine-year survey low. Faster responses translate into lower costs. Different types of breaches, however, all end up costing close to $5 million on average.

Ransomware attacks are the most expensive, costing companies $5.08 million on average. More firms, 63% of those surveyed, are refusing to pay ransoms. The share of businesses that said they notified law enforcement of such attacks, 40%, is also down, even though researchers said organizations can save $1 million when they involve authorities.

And while all types of information, from intellectual property to customer and employee PII, cost over $100 per compromised record, attackers are prioritizing consumer data. Compromised customer PII costs $179 per record, as the information can be used by threat actors for numerous types of fraud.

What a data breach costs

The cost of data breaches in the U.S. rose primarily because of higher regulatory fines and higher detection and escalation costs. The global average breach cost, $4.44 million, fell for the first time in five years, according to IBM, because detection and escalation costs declined.

Today's inflationary environment is also causing companies to tighten their wallets. Just 49% of affected organizations said they would invest in more security post-breach, down from 63% last year. At the same time, fewer firms than last year said they would pass breach costs on to customers, though 15% said they would raise prices.

What companies can do to prevent a data breach

Most of the organizations that reported data breaches to IBM said they were still recovering from the incidents 12 months later. That recovery process includes meeting compliance obligations, implementing controls sometimes required by regulators, and restoring customer and employee confidence.

While numerous controls and security tools can reduce data breach costs, other common business practices can weigh heavily. Remote work adds $131,212 to the average cost of a breach, while migration to the cloud can add $174,538 to incident costs, IBM found.

"Today, many attackers are logging in rather than hacking in," the report said. "To combat this issue, it's critical to prevent attackers from obtaining those credentials in the first place."

MORE FROM AMERICAN BANKER