Breach Frequency by Sector
This table gives an indicative annual breach probability for each sector, derived from Verizon DBIR incidence data, alongside an approximate "1 in N years" reading of the same rate. Across the sectors shown the annual probability ranges from about 20.0% to 32.0% — that is, from roughly one expected breach every 5 years to one every 3 years. These are base rates for a sector, not a forecast for any one business.
| Sector | Annual breach probability | Approx. "1 in N years" |
|---|---|---|
| Healthcare | 32.0% | 1 in 3 |
| Financial services | 30.0% | 1 in 3 |
| Technology / SaaS | 27.0% | 1 in 4 |
| Public sector | 26.0% | 1 in 4 |
| Professional services | 25.0% | 1 in 4 |
| Retail / e-commerce | 24.0% | 1 in 4 |
| Education | 23.0% | 1 in 4 |
| Manufacturing / industrial | 22.0% | 1 in 5 |
| Other | 22.0% | 1 in 5 |
| Energy / utilities | 21.0% | 1 in 5 |
| Pharmaceutical | 21.0% | 1 in 5 |
| Consumer / other services | 20.0% | 1 in 5 |
The "1 in N years" column is the reciprocal of the annual probability, rounded (N = round(1 / p)): a 25% annual probability is about one expected breach every four years.
These are indicative base rates derived from Verizon DBIR incidence across an industry; they are not a prediction for a specific business, which can sit well above or below the sector rate depending on its size, attack surface, data held and security maturity. Use them as a starting annualized rate of occurrence (ARO), then adjust for your own circumstances.
What the probability actually represents
The annual breach probability is the chance, in a given year, that an organization in a sector experiences a reportable data breach, inferred from the incidence patterns in the Verizon Data Breach Investigations Report. It is a sector aggregate: it blends large enterprises and small businesses, mature and immature security programs, and a wide range of attack surfaces. Two firms in the same row of this table can face very different real-world odds. The value of a base rate is that it gives you a defensible, source-anchored starting point — a number to begin from rather than a number to end on.
Sectors that handle the most valuable or most heavily targeted data tend to sit highest. Healthcare and financial services lead the table because they combine sensitive records, strong attacker incentives and complex environments. Technology and professional services follow, often because they hold client data and sit upstream of many other organizations in the supply chain. Lower-probability sectors are not "safe" — they simply experience reportable breaches less frequently in the aggregate, and a single incident can still be very costly.
To turn a probability into money, pair it with a loss figure. Multiplying the annual rate of occurrence by a single-loss expectancy gives the annual loss expectancy (ALE = ARO × SLE), the standard way to express risk as an expected annual cost. To work directly from these sector rates and tune them to your own profile, start with the breach probability calculator. Both tools take these base rates as defaults and let you override them, so the result reflects your situation rather than the sector average.
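The arithmetic described above, as an added example (not BreachCostLab's calculator code): it takes a sector base rate from the table, applies an override, computes ALE, and shows what a "1 in N years" rate means over a planning horizon. The `multiplier` parameter, the independence of years, and the sample SLE of 400,000 are assumptions made for illustration.

```python
from math import comb

# Annual breach probabilities copied from the table above (sector base rates).
SECTOR_ARO = {
    "Healthcare": 0.32, "Financial services": 0.30, "Technology / SaaS": 0.27,
    "Public sector": 0.26, "Professional services": 0.25,
    "Retail / e-commerce": 0.24, "Education": 0.23,
    "Manufacturing / industrial": 0.22, "Other": 0.22,
    "Energy / utilities": 0.21, "Pharmaceutical": 0.21,
    "Consumer / other services": 0.20,
}

def one_in_n(p):
    """The table's '1 in N years' reading: N = round(1 / p)."""
    return round(1 / p)

def adjusted_aro(sector, multiplier=1.0):
    """Sector base rate scaled by an organisation-specific multiplier.
    The multiplier is a hypothetical knob; the page gives no adjustment formula."""
    if multiplier <= 0:
        raise ValueError("multiplier must be positive")
    return min(1.0, SECTOR_ARO[sector] * multiplier)

def ale(aro, sle):
    """Annual loss expectancy, ALE = ARO x SLE."""
    return aro * sle

def breach_count_distribution(p, years):
    """P(exactly k breach years) for k = 0..years, assuming independent years
    with the same annual probability p (a simplifying assumption)."""
    return [comb(years, k) * p**k * (1 - p)**(years - k) for k in range(years + 1)]

def summarize(sector, sle, years, multiplier=1.0):
    aro = adjusted_aro(sector, multiplier)
    dist = breach_count_distribution(aro, years)
    return {
        "aro": aro,
        "one_in_n": one_in_n(aro),
        "ale": ale(aro, sle),
        "p_none": dist[0],
        "p_two_or_more": 1 - dist[0] - dist[1],
        "expected_loss_over_horizon": years * ale(aro, sle),
    }

if __name__ == "__main__":
    # Constructed inputs: SLE of 400,000 (any currency) over a 4-year horizon.
    for key, value in summarize("Professional services", 400_000, 4).items():
        print(f"{key}: {value:,.3f}")
```

At a 25% annual rate, a four-year horizon still leaves about a 32% chance of no breach and about a 26% chance of two or more breach years, which is why ALE is best read as a long-run average cost rather than a schedule.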
Figures verified on Jun 25, 2026 against Verizon Data Breach Investigations Report (incidence by industry). Every value shown is overridable in the tools.
Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.