Data Breach Costs Decline Globally but Increase in Canada: IBM Report

Data Breach Costs Decline Globally but Increase in Canada: IBM Report
The uOttawa-IBM Cyber Range at the University of Ottawa, in Ottawa, is seen on May 22, 2024. The Canadian Press/Justin Tang
|Updated:

The global average cost of a data breach has dropped for the first time in five years, although not in Canada, a new report indicates.

The average cost of a data breach between March 2024 and February 2025 decreased to $6.4 million from $6.6 million the year before, according to a July 30 report by technology giant IBM and U.S.-based cybersecurity research centre Ponemon Institute.

Although global costs are declining due to less time taken to investigate breaches resulting in shorter breach life cycles, cyberattack costs in Canada have increased, the report indicates.

“Data breaches in Canada are becoming more costly and complex,” a July 30 IBM press release says.

Organizations in Canada paid an average of $6.98 million per data breach in 2025, which is a 10.4 percent increase from $6.32 million in 2024.

Costs in Canada are higher due to an increase in detection and escalation expenses, which include costs for forensic investigators, regulatory responses, legal counsel, and crisis communications, IBM Canada’s security delivery leader Daina Proctor said.

Breach detection costs amount to $470,000 on average in Canada, while post-breach recovery costs are approximately $270,000. Meanwhile, Canada is also facing rising costs as a result of “slower adoption of AI-driven defences and governance gaps,” Proctor said.

Organizations “extensively” using AI and automation report average data breach costs of $5.19 million, while those not using these tools report average breach costs of $8.53 million, the release says.

“Additionally, these technologies helped organizations achieve faster detection and containment, shortening breach lifecycles by 59 days for those using them extensively,” IBM says.

“AI tools automate manual cybersecurity tasks, including across threat detection and response, allowing security teams to focus on higher-priority initiatives.”

The report indicates that one in three Canadian businesses said they do not have access controls on AI systems, which speed up response times and lessen the impact of data breaches.

Shadow AI

The report also found a increase of “unsanctioned AI,” known as shadow AI, which it says can amplify risks, escalate costs, and expose sensitive consumer data and is often introduced by employees using AI systems that are not approved by their employer in order to boost their productivity.

“The use of shadow AI was also found to be a top breach cost driver for Canadian businesses, with breaches involving shadow AI increasing costs by $308,000,” the release says.

Around 20 percent of the organizations studied noted they suffered a data breach due to security incidents involving shadow AI. Using shadow AI added $967,011 on average to breach costs and led to more personal identifiable information and intellectual property being compromised, according to global organizations that faced high levels of shadow AI.

Proctor says companies need to give workers more approved AI tools and conduct audits regularly to combat the risks associated with shadow AI.

Most Expensive Breaches

The most expensive breach costs in Canada were experienced by the financial sector with an average of $9.97 million in costs this year, which is a 7.4 percent increase from $9.28 million last year.

Industrial sector breaches averaged $8.39 million, while pharmaceutical breaches cost on average $7.99 million, the release says.

When organizations face millions of dollars in costs from cyberattacks, the impacts on Canadians include higher costs for goods and services, stolen personal data, and service disruptions.

The report recommends that Canadian businesses develop policies to manage the use of AI, prevent shadow AI, and ensure compliance with privacy laws. They can also invest in security automation, using AI tools to detect and contain breaches more quickly.

In addition, businesses are advised to invest in integrated AI security and AI governance software and expand employee training to strengthen security awareness and minimize human error.

The Canadian Press contributed to this report.