AI breaches aren’t just a scare story any more – they’re happening in real life
IBM research shows proper AI access controls are leading to costly data leaks
AI adoption is greatly outpacing AI security and governance – that’s the message being sent by IBM following the release of its latest Cost of Data Breach report.
According to the company, 20% of the 600 organizations it surveyed had suffered a breach “due to security incidents involving shadow AI”.
“For organizations with high levels of shadow AI, those breaches added USD 670,000 to the average breach price tag compared to those that had low levels of shadow IT or none,” it added.
While shadow AI is a problem in its own right according to the IBM report, legitimate AI tools can also cause problems.
“On average, 13% of organizations reported breaches that involved their AI models or applications,” the report reads.
Most commonly, these weren’t direct attacks, but instead took place in the supply chain, for example through compromised apps, APIs, or plug-ins. The knock-on effects include operational disruption (31%) and broad data compromise (60%).
The report goes on to note, however, that once again a lack of governance and oversight was a significant factor in these breaches. Indeed, only 3% of organizations affected had proper AI access controls in place.
Generative AI is being used as an attack tool
Poor internal AI governance and shadow AI aren’t the only risks the technology presents to organizations. Cyber criminals are themselves making use of generative AI as a new tool in their arsenal.
IBM noted that one-in-six breaches in the past year involved AI, with would-be attackers able to polish and scale phishing campaigns and other social engineering attacks.
“IBM previously found gen AI reduced the time needed to craft a convincing phishing email from 16 hours down to only five minutes,” the report noted.
“This year’s report shows the impact: on average, 16% of data breaches involved attackers using AI, most often for AI-generated phishing (37%) and deepfake impersonation attacks (35%).”
Data breach winners and losers
While it’s hard to claim there are any winners when it comes to being the receiving end of a data breach, some find themselves losing more than others.
IBM found that the cost of a data breach in the US had increased by just under $1 million, bringing the average cost from $9.36 million to $10.22 million in 2025.
Organizations in the Middle East, the second most expensive region in which to experience a data breach, faced an average cost of $7.29 million, down from $8.57 million in 2024.
Like the US, Benelux and Canada also experienced a rise in costs, albeit less significant, going from $5.90 million to $6.24 million and $4.66 million to $4.84 million respectively.
The remaining geographies surveyed all sat at $4.14 million or under, with Brazil coming in last at $1.22 million, a fall of $140,000 from $1.36 million in 2024.
Another loser on the data breach scene is hackers themselves. IBM cited what it calls “ransomware fatigue”, with a slight majority (63%) of organizations hit by ransomware attacks in 2025 saying they didn’t pay the ransom, compared to 41% that did in 2024.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Google DeepMind CEO Demis Hassabis thinks this one area of the tech industry is probably in an AI bubbleNews AI startups raising huge rounds fresh out the traps are a cause for concern, according to Hassabis
-
Everything you need to know about Google and Apple’s emergency zero-day patchesNews A serious zero-day bug was spotted in Chrome systems that impacts Apple users too, forcing both companies to issue emergency patches
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teamsNews A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
-
NCSC issues urgent warning over growing AI prompt injection risks – here’s what you need to knowNews Many organizations see prompt injection as just another version of SQL injection - but this is a mistake
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals — and teams at Amazon are already seeing huge gainsNews AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals, and the company has already unlocked significant benefits from the technology internally.
-
HPE selects CrowdStrike to safeguard high-performance AI workloadsNews The security vendor joins HPE’s Unleash AI partner program, bringing Falcon security capabilities to HPE Private Cloud AI
