Data Breach Cost Calculator 2026
Estimate your data breach exposure with per-record cost modeling, regulatory fine estimates by jurisdiction, and lifecycle impact analysis. Based on IBM CODB 2025.
Cost Per Record by Industry
| Industry | Per Record | Avg Records Breached | Avg Total Cost |
|---|---|---|---|
| Healthcare | $614 | 12,100 | $7.42M |
| Financial Services | $402 | 15,100 | $6.08M |
| Pharmaceuticals | $387 | 13,600 | $5.27M |
| Energy | $372 | 14,400 | $5.37M |
| Technology | $348 | 14,300 | $4.97M |
| Education | $305 | 11,800 | $3.60M |
| Manufacturing | $286 | 16,300 | $4.65M |
| Retail | $233 | 16,200 | $3.78M |
| Government | $224 | 18,700 | $4.19M |
| Transportation | $217 | 15,900 | $3.45M |
Source: IBM Cost of a Data Breach Report 2025. Per-record costs include detection, notification, response, and lost business components.
Regulatory Fine Exposure
GDPR: Up to 4% of global annual turnover or EUR 20M
Applies to any organization processing EU resident data. Fines are increasingly enforced: EUR 1.2B issued in 2024 alone.
CCPA: $7,500 per intentional violation, $2,500 per unintentional
No cap. Class action lawsuits add $100-$750 per consumer per incident in statutory damages.
HIPAA: $100 to $50,000 per violation, max $1.5M per category per year
OCR enforcement has increased 42% since 2022. Business associates are equally liable.
PCI DSS: Card brand fines of $5,000 to $100,000 per month until compliant
Plus fraud liability, increased interchange fees, and potential loss of card processing ability.
Breach Cost by Attack Vector
| Attack Vector | Avg Cost | % of Breaches | Avg Lifecycle |
|---|---|---|---|
| Business Email Compromise | $4.88M | 12% | 261 days |
| Phishing | $4.76M | 16% | 243 days |
| Stolen / Compromised Credentials | $4.53M | 15% | 292 days |
| Vulnerability Exploitation | $4.33M | 14% | 218 days |
| Cloud Misconfiguration | $4.14M | 11% | 198 days |
| Social Engineering | $4.10M | 8% | 215 days |
Business email compromise (BEC) produces the highest per-incident cost despite being only 12% of breaches. Stolen credentials have the longest lifecycle at 292 days because they are the hardest to detect. Both vectors are primarily addressed through employee training, MFA enforcement, and email security controls.
Breach Lifecycle and Cost Impact
| Breach Lifecycle | Avg Cost | Description |
|---|---|---|
| Under 200 Days | $3.61M | Avg cost with fast detection |
| Over 200 Days | $4.72M | Avg cost with slow detection |
| Cost Difference | $1.11M | Detection speed premium |
The average breach lifecycle is 241 days (197 to detect, 44 to contain). Every day a breach goes undetected increases costs through expanding data exposure, deeper attacker persistence, and growing lost-business impact. Organizations using AI-assisted detection tools shortened their lifecycle by 108 days on average (IBM 2025).
Data Breach Cost FAQ
What is the average cost per record in a data breach?
The global average is $165 per record (IBM 2025). However, this varies dramatically by industry: healthcare records cost $614 each, financial records $402, and retail records $233. Per-record cost also increases with breach size, geographic scope, and regulatory jurisdiction.
How does detection speed affect breach cost?
Enormously. Breaches detected in under 200 days cost an average of $3.61M, while those detected after 200 days cost $4.72M. That $1.11M difference makes AI-assisted detection, SIEM tuning, and threat hunting among the highest-ROI security investments.
What are the biggest hidden costs of a data breach?
Lost business costs (customer churn, revenue loss, brand damage) account for 38% of total breach cost but are the hardest to predict. Other hidden costs include increased customer acquisition cost for 2-3 years post-breach, insurance premium increases of 20-30%, and executive distraction valued at $50K-$200K.
How do GDPR fines affect total breach cost?
GDPR fines can exceed the cost of the breach itself. EU regulators issued EUR 1.2 billion in GDPR fines in 2024. The maximum penalty of 4% of global annual turnover means a $10B company faces up to $400M in potential fines. Our calculator includes a jurisdiction-specific fine estimate.
Which attack vector causes the most expensive breaches?
Business email compromise (BEC) at $4.88M average, followed by phishing at $4.76M. Stolen credentials are notable for having the longest lifecycle (292 days), which inflates costs through extended undetected exposure. See our attack vector comparison table above.
How accurate are breach cost estimates?
All estimates are based on averages from IBM's study of 604 organizations globally. Your actual cost depends on factors including regulatory jurisdiction, data sensitivity, detection speed, IR preparedness, and insurance coverage. Use these figures for planning and budget justification, not as precise predictions.