Data Breach Cost by Industry
See the average data breach cost and cost per record for your industry, from published IBM/Ponemon analysis. The full table below lets you compare all sectors side by side. Healthcare is the most expensive, the public sector the least — a spread of more than 2.5× per record. These are representative averages across breaches of all sizes; to tailor the figure to your own records and security posture, use the data breach cost estimator. Benchmarks as of Jun 25, 2026.
| Industry | Average breach cost | Cost per record |
|---|---|---|
| Healthcare | $7.42M | $408 |
| Financial services | $5.56M | $336 |
| Technology / SaaS | $5M | $300 |
| Pharmaceutical | $5.1M | $295 |
| Professional services | $4.8M | $290 |
| Energy / utilities | $5.29M | $280 |
| Education | $3.7M | $220 |
| Retail / e-commerce | $3.48M | $200 |
| Manufacturing / industrial | $5.56M | $190 |
| Consumer / other services | $3.9M | $165 |
| Other | $4.44M | $164 |
| Public sector | $2.55M | $160 |

Sorted from highest to lowest cost per record.
"Average breach cost" is shown in millions of dollars (the dollar amount is avg_breach_m × 1,000,000). "Cost per record" is the per-record figure used by the quick linear estimate. Both are published averages across breaches of all sizes; your own number depends on the records you hold and your security controls.
How it works
This page is a reference, not a model: it surfaces two published numbers for each sector and lets you compare them. The first, average breach cost, is the total cost of a typical incident in that industry, drawn from the IBM/Ponemon Cost of a Data Breach analysis and expressed here in millions of dollars. The second, cost per record, is the average total divided by the number of records in a typical breach — the per-record figure that feeds the quick linear estimate. We show both because they answer different questions: the average breach cost tells you what a sector-typical incident looks like end to end, while the cost per record lets you scale to the specific volume of data you hold.
The reason industry matters so much is that the data itself differs in value and in regulatory weight. Healthcare tops the table at $408 per record because health data (PHI) is highly sensitive, attracts strict HIPAA notification duties, and carries a long tail of remediation and reputational cost. Financial services and pharmaceutical follow, for similar reasons — payment data and clinical-trial or IP data are both costly to lose. At the other end, the public sector sits at $160 per record: the data is often less commercially sensitive and the breaches less likely to trigger customer churn. Retail and manufacturing fall in the middle, where the data is valuable but the regulatory regime is lighter than in health or finance.
A subtlety worth noting: a sector can have a high cost per record yet a moderate average breach, or vice versa, because the two depend on different things. Cost per record reflects the sensitivity of each individual record; average breach cost reflects both that sensitivity and the typical size of breaches in the sector. Manufacturing, for example, has a relatively low per-record cost but a sizeable average breach, because incidents there tend to involve large volumes or heavy operational disruption. That is exactly why we show both columns rather than collapsing them into one — and why, for a decision that turns on your actual records and posture, you should move from this reference to the full estimator.
Finally, treat these as representative figures, not predictions. They are SMB-appropriate values consistent with the cited reports, dated to their source and deliberately conservative relative to the largest enterprise headline numbers you sometimes see quoted (for example the ~$10.22M US-wide average). Every figure in the calculators built on this dataset is editable, so if you have a better number — from your insurer, a prior incident, or a more recent report — you can substitute it and the math still holds.
A worked example
Imagine you run a small healthcare provider and want a first sense of what a breach might cost. Selecting Healthcare above shows an average breach cost of $7.42M and a cost per record of $408.
- If you hold, say, 25,000 patient records, the quick linear estimate is 25,000 × $408 = $10,200,000.
- Switch the selector to Retail and the per-record figure drops to $200, taking the same 25,000 records to $5,000,000 — a vivid illustration of how much the sector assumption drives the answer.
- The average breach cost ($7.42M for healthcare) is your sanity check on the headline order of magnitude, independent of your record count.
From here, refine the estimate with the tools that add structure the reference cannot. The cost-per-record calculator lets you vary the per-record figure directly; the SMB estimator adds a fixed cost and a size factor so the per-record cost becomes realistically regressive; and the dated cost-per-record dataset documents every figure here against its primary source. Used together they turn a single industry average into a defensible planning range.
Frequently asked questions
Which industry has the most expensive data breaches?
Healthcare is consistently the most expensive sector, both per record and per breach. In the bundled benchmarks it sits at $408 per record and an average total breach cost of $7.42M, driven by the sensitivity of health data (PHI), strict HIPAA notification duties and the long tail of remediation. The public sector is the lowest at $160 per record.
What is the average cost of a data breach by industry?
Across the sectors shown here the average total breach cost ranges from about $2.55M to $7.42M. These are representative averages across breaches of all sizes; your own exposure depends on how many records you hold and how sensitive they are. Use the estimator to tailor it to your business.
How is cost per record different from average breach cost?
Average breach cost is the total for a typical incident in that sector; cost per record is that total divided by the number of records exposed. The two are not interchangeable — a sector can have a high cost per record but a moderate average breach because its typical breaches are smaller. Use cost per record for a quick linear estimate, and average breach cost for a sense of the headline figure.
Why are these figures lower than the headline "$10.22M" you sometimes see?
The widely quoted $10.22M is the US average; the global average is nearer $4.44M. The per-industry figures here are SMB-appropriate, representative values consistent with the cited reports rather than the largest enterprise headline numbers. They are dated and overridable in the calculators.
How current are these benchmarks?
They were verified on Jun 25, 2026 against the IBM/Ponemon Cost of a Data Breach industry analysis. See the dated cost-per-record table for the full reference.
Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.