AI adoption is greatly outpacing AI security and governance – that’s the message being sent by IBM following the release of its latest Cost of Data Breach report.
According to the company, 20% of the 600 organizations it surveyed had suffered a breach “due to security incidents involving shadow AI”.
“For organizations with high levels of shadow AI, those breaches added USD 670,000 to the average breach price tag compared to those that had low levels of shadow IT or none,” it added.
While shadow AI is a problem in its own right according to the IBM report, legitimate AI tools can also cause problems.
“On average, 13% of organizations reported breaches that involved their AI models or applications,” the report reads.
Most commonly, these weren’t direct attacks, but instead took place in the supply chain, for example through compromised apps, APIs, or plug-ins. The knock-on effects include operational disruption (31%) and broad data compromise (60%).
The report goes on to note, however, that once again a lack of governance and oversight was a significant factor in these breaches. Indeed, only 3% of organizations affected had proper AI access controls in place.
Generative AI is being used as an attack tool
Poor internal AI governance and shadow AI aren’t the only risks the technology presents to organizations. Cyber criminals are themselves making use of generative AI as a new tool in their arsenal.
IBM noted that one-in-six breaches in the past year involved AI, with would-be attackers able to polish and scale phishing campaigns and other social engineering attacks.
“IBM previously found gen AI reduced the time needed to craft a convincing phishing email from 16 hours down to only five minutes,” the report noted.
“This year’s report shows the impact: on average, 16% of data breaches involved attackers using AI, most often for AI-generated phishing (37%) and deepfake impersonation attacks (35%).”
Data breach winners and losers
While it’s hard to claim there are any winners when it comes to being the receiving end of a data breach, some find themselves losing more than others.
IBM found that the cost of a data breach in the US had increased by just under $1 million, bringing the average cost from $9.36 million to $10.22 million in 2025.
Organizations in the Middle East, the second most expensive region in which to experience a data breach, faced an average cost of $7.29 million, down from $8.57 million in 2024.
Like the US, Benelux and Canada also experienced a rise in costs, albeit less significant, going from $5.90 million to $6.24 million and $4.66 million to $4.84 million respectively.
The remaining geographies surveyed all sat at $4.14 million or under, with Brazil coming in last at $1.22 million, a fall of $140,000 from $1.36 million in 2024.
Another loser on the data breach scene is hackers themselves. IBM cited what it calls “ransomware fatigue”, with a slight majority (63%) of organizations hit by ransomware attacks in 2025 saying they didn’t pay the ransom, compared to 41% that did in 2024.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Jaguar Land Rover says IT disruption set to continueNews The automotive manufacturer is still not fully operational after the recent cyber attack
-
Nearly 700,000 customers impacted after insider attack at US fintech firmNews FinWise, which provides loans on behalf of US financial services firms, revealed a former employee accessed sensitive customer information after leaving the firm.
-
How to check if you’ve been affected by Salesforce attacks – and stop hackers dead in their tracksNews The FBI has issued a fresh advisory over the threat posed to Salesforce customers by two threat groups. Here's how you can stay safe and mitigate any risks.
-
Kids hacking for kicks are causing security headaches at schoolsNews More than half of cyber incidents at schools are caused by students, with some tech-savvy pupils attempting to bypass security and network controls.
-
Mobile app security is a huge blind spot for developer teams – 93% are confident their applications are secure, but 62% reported breaches last yearNews Organizations are overconfident about their mobile app security practices, according to new research, and it’s putting enterprises and consumers alike at risk.
-
LNER warns customers to remain vigilant after personal data exposed in cyber attackNews LNER has warned customers to remain vigilant for social engineering attacks after a cyber attack on the rail operator exposed personal data.
-
Jaguar Land Rover u-turns on cyber attack containment claims, admits ‘some data has been affected’News Jaguar Land Rover (JLR) has admitted some data may have been accessed by hackers following a cyber attack which severely disrupted production.
-
Everything we know about the Plex data breach so farNews Plex advised users to sign out of any connected devices that are currently logged in and enable two-factor authentication if they haven’t already.
