Use of shadow AI by employees contributes to cost of a data breach: Report
Unauthorized use by employees of artificial intelligence applications is contributing to the thousands of dollars cyber attacks cost organizations, according to the latest version of IBM's annual Cost of a Data Breach report.
Among the organizations studied this year, 20 per cent said they suffered a breach due to security incidents involving shadow AI.
For organizations with high levels of shadow AI, those breaches added $670,000 to the average breach price tag compared to those that had low levels of shadow AI or none. (All numbers are in US dollars.)
These incidents also resulted in more personally identifiable information and intellectual property data being compromised.
The report also found that data was most often stored across multiple environments, revealing that just one unmonitored AI system can lead to widespread exposure.
At the same time the report found an advantage to AI in the enterprise: Security teams using AI and automation extensively shortened their breach discovery times by 80 days and lowered their average breach costs by $1.9 million compared to organizations that didn’t use these solutions.
Nearly a third of organizations said they used these tools extensively across the security lifecycle—in prevention, detection, investigation and response, the report says. However, it adds, that figure is up only slightly from last year's report, suggesting AI adoption may have stalled. "It also shows the majority are still not using AI and automation and, therefore, aren’t seeing the cost benefits," the report says.
The 2025 Cost of a Data Breach report was released Wednesday. Registration is required.
Data was gathered by the Ponemon Institute, which studied 600 organizations around the world impacted by data breaches between March 2024 and February of this year. Analysis was done by IBM. Victim firms came from 17 industries in 16 countries and regions. Breaches ranged from 2,960 to 113,620 compromised records. The data also included interviews with 3,470 security and C-suite business leaders with firsthand knowledge of the data breach incidents at their organizations.
Among the highlights:
--the global average breach cost dropped slightly to $4.44 million from $4.88 million last year. The report attributes this to faster identification and containment of breaches, much of it from organizations’ own security and security service teams, with help from AI and automation;
--the global average would have been lower were it not for the United States, where the average cost surged by 9 per cent to $10.22 million, an all-time high for any region. Higher regulatory fines and higher detection and escalation costs in the U.S. contributed to this surge;
--in Canada organizations paid an average of $4.84 million per breach, a 10.4 per cent increase from last year's report;
--in the U.K. firms paid an average of $4.14 million, in Germany $4.03 million and in France $3.73 million;
--for the second year in a row malicious insider attacks resulted in the highest average breach costs ($4.92 million) among initial threat vectors. Third-party vendor and supply chain compromise followed closely at $4.91 million;
--the most frequent type of attack vector on organizations was — again — phishing;
--healthcare remained the most expensive industry for breaches;
--the mean time organizations took to identify and contain a breach fell to 241 days, reaching a nine-year low and continuing a downward trend that started after a 287-day peak in 2021, thanks in part to AI-driven and automation-driven defences.