AI adoption is greatly outpacing AI security and governance – that’s the message being sent by IBM following the release of its latest Cost of Data Breach report.
According to the company, 20% of the 600 organizations it surveyed had suffered a breach “due to security incidents involving shadow AI”.
“For organizations with high levels of shadow AI, those breaches added USD 670,000 to the average breach price tag compared to those that had low levels of shadow IT or none,” it added.
While shadow AI is a problem in its own right according to the IBM report, legitimate AI tools can also cause problems.
“On average, 13% of organizations reported breaches that involved their AI models or applications,” the report reads.
Most commonly, these weren’t direct attacks, but instead took place in the supply chain, for example through compromised apps, APIs, or plug-ins. The knock-on effects include operational disruption (31%) and broad data compromise (60%).
The report goes on to note, however, that once again a lack of governance and oversight was a significant factor in these breaches. Indeed, only 3% of organizations affected had proper AI access controls in place.
Generative AI is being used as an attack tool
Poor internal AI governance and shadow AI aren’t the only risks the technology presents to organizations. Cyber criminals are themselves making use of generative AI as a new tool in their arsenal.
IBM noted that one-in-six breaches in the past year involved AI, with would-be attackers able to polish and scale phishing campaigns and other social engineering attacks.
“IBM previously found gen AI reduced the time needed to craft a convincing phishing email from 16 hours down to only five minutes,” the report noted.
“This year’s report shows the impact: on average, 16% of data breaches involved attackers using AI, most often for AI-generated phishing (37%) and deepfake impersonation attacks (35%).”
Data breach winners and losers
While it’s hard to claim there are any winners when it comes to being the receiving end of a data breach, some find themselves losing more than others.
IBM found that the cost of a data breach in the US had increased by just under $1 million, bringing the average cost from $9.36 million to $10.22 million in 2025.
Organizations in the Middle East, the second most expensive region in which to experience a data breach, faced an average cost of $7.29 million, down from $8.57 million in 2024.
Like the US, Benelux and Canada also experienced a rise in costs, albeit less significant, going from $5.90 million to $6.24 million and $4.66 million to $4.84 million respectively.
The remaining geographies surveyed all sat at $4.14 million or under, with Brazil coming in last at $1.22 million, a fall of $140,000 from $1.36 million in 2024.
Another loser on the data breach scene is hackers themselves. IBM cited what it calls “ransomware fatigue”, with a slight majority (63%) of organizations hit by ransomware attacks in 2025 saying they didn’t pay the ransom, compared to 41% that did in 2024.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Google wants to take hackers to courtNews You don't have a package waiting for you, it's a scam – and Google is fighting back
-
Laid off Intel engineer accused of stealing 18,000 files on the way outNews Intel wants the files back, so it's filed a lawsuit claiming $250,000 in damages
-
GitHub is awash with leaked AI company secrets – API keys, tokens, and credentials were all found out in the openNews Wiz research suggests AI leaders need to clean up their act when it comes to secrets leaking
-
When cyber professionals go rogue: A former ‘ransomware negotiator’ has been charged amid claims they attacked and extorted businessesNews The attackers are alleged to have demanded ransoms of up to $10 million
-
CISA just published crucial new guidance on keeping Microsoft Exchange servers secureNews With a spate of attacks against Microsoft Exchange in recent years, CISA and the NSA have published crucial new guidance for organizations to shore up defenses.
-
US telco confirms hackers breached systems in stealthy state-backed cyber campaign – and remained undetected for nearly a yearNews The hackers remained undetected in the Ribbon Communications’ systems for months
-
Google says reports of a 'huge' Gmail breach affecting millions of users are false, againNews Reports of a major Gmail affecting millions of users have been flooding the web this week – Google says they're "false" and you've nothing to worry about.
-
Enterprises can’t keep a lid on surging cyber incident costsNews With increasing threats and continuing skills shortages, AI tools are becoming a necessity for some
