IBM has released its 2025 Cost of a Data Breach Report, and its findings show phishing is the top attack vector, breach costs are rising in the U.S., attackers are going after personal data, and AI is rapidly reshaping the threat landscape for both attackers and defenders.
Here are some highlights:
- In the United States, the average cost of a breach “surged by 9% to USD 10.22 million, an all-time high for any region.”
- “The most frequent type of attack vector on organizations was phishing, at 16%, which averaged USD 4.8 million.”
- “16% of data breaches involved attackers using AI, most often for AI-generated phishing (37%) and deepfake impersonation attacks (35%).”
- “AI models and applications are emerging as an attack surface, especially in cases of shadow AI.”
- Among its mitigations, the report notes that “securing AI data is essential not just for privacy and compliance, but also to protect data integrity, maintain organizational trust and avoid data compromise.”
- On mitigating credential theft that stems from social engineering, IBM says “it’s critical to prevent attackers from obtaining those credentials in the first place. One of the most effective ways to do so is by ensuring all human users adopt modern, phishing-resistant authentication methods, such as passkeys.”
In addition to this, organizations can address the threat even earlier by removing the exposed personal data that fuels credential harvesting campaigns. Eliminating employee and executive PII from data broker sites is a powerful proactive mitigation that shuts down this threat vector before it ever reaches the employee inbox or phone.
- The report emphasizes using AI for detection and response: “As attackers turn to AI to produce and distribute more adaptive attacks, security teams should also embrace AI technologies. Security teams can use AI to reduce or prevent attacks and their business impacts, proactively employing measures that improve the accuracy of detection (threat hunting) and reduce the time to respond.”
At Optery, we apply AI as a proactive defense, scrubbing the online data that attackers need to launch social engineering attacks. To execute these removals, Optery employs a blend of technologies.
The result is that companies and consumers can now remove their exposed personal data at a scale and speed never before possible. Combined with our patented search technology, which uncovers ~100 profiles per person, we offer the most comprehensive form of threat vector detection and mitigation possible across data broker sites. The outcome is a dramatically minimized attack surface for phishing and related threats.
Read the full report here: Cost of a data breach 2025 | IBM