Canada is moving in the wrong direction on breach economics.
In 2025, the average cost of a data breach for a Canadian organization climbed to CA$6.98 million, a 10.4% increase from CA$6.32 million in 2024, according to IBM's Cost of a Data Breach Report. Over the same period, the global average fell 9% to USD$4.44 million. Most countries got cheaper to breach. Canada got more expensive.
That divergence is the story. It is not a one-year anomaly: Statistics Canada data shows Canadian businesses doubled what they spend recovering from cyber incidents between 2021 and 2023, from $600 million to $1.2 billion, while prevention and detection budgets grew far more slowly. The country is paying more, more often, to clean up after attacks, and the per-incident bill keeps rising.
This post walks through the verified numbers behind that gap, the cost categories inside an average breach, why Canadian financial services takes the worst of it, and what a single high-profile incident, the 2023 Indigo Books & Music ransomware attack, looked like in disclosed financial terms. The intent is reference, not alarm. Every figure here is sourced to IBM, Statistics Canada, or Indigo's own securities filings.
The headline number
The average cost of a data breach in Canada reached CA$6.98 million in 2025, a 10.4% year-over-year increase, while the global average fell 9% to USD$4.44 million.
The number that matters: $6.98M
CA$6.98 million is the all-industry average organizational cost of a data breach in Canada in 2025, drawn from IBM's annual study of real incidents. It is not a hypothetical. It is the mean of disclosed costs across detection, escalation, customer notification, regulatory response, lost business, and post-breach remediation. The figure rolls together direct out-of-pocket spend and the harder-to-measure revenue losses that follow a public security failure.
A few things to hold in mind when reading the headline:
- It is an average, not a median. Large incidents skew the mean upward. A small SaaS company breached on a Tuesday will not face $7 million in costs. A regulated mid-market bank could face several times that.
- It is Canadian dollars. IBM publishes the global figure in USD ($4.44M) and the Canadian figure in CAD. Currency conversion is part of why the gap looks larger than it is, but only part. Even at parity, Canada is meaningfully above the global mean.
- It moves with the threat landscape, not with general inflation. A 10.4% year-over-year increase, while global costs fell, points to factors specific to the Canadian operating environment: regulatory exposure, sector mix, and incident severity.
The same IBM report notes that the financial sector leads Canadian breach costs at CA$9.97 million, a 7.4% increase from $9.28 million in 2024. That figure is the other anchor of this analysis, and the section on financial services explains why.
Recovery spending is doubling. Prevention isn't keeping up.
Breach costs do not exist in isolation. They sit inside a national spend pattern that Statistics Canada has been tracking for several survey cycles. The 2023 cycle, released in October 2024, surveyed 12,462 enterprises with 10 or more employees across most sectors. Two figures stand out:
- Recovery spending doubled. Canadian businesses spent approximately $600 million recovering from cybersecurity incidents in 2021 and $1.2 billion in 2023. That is a 100% increase in two years.
- Prevention and detection spending grew, but not at that pace. Spend on prevention and detection rose from $9.7 billion in 2021 to $11.0 billion in 2023, a 13.4% increase.
| Spending Category | 2021 | 2023 | Change |
|---|---|---|---|
| Recovery from incidents | $600M | $1.2B | +100% |
| Prevention and detection | $9.7B | $11.0B | +13.4% |
Stated plainly: recovery cost growth outran prevention growth by roughly 7-to-1 over that two-year window. The ratio is the story. Canadian businesses are not under-investing in security in absolute terms, and $11 billion is a large number. But the marginal dollar is increasingly being spent after the incident rather than before it.
There are a few ways to read this:
- Threat severity is rising faster than defensive capability, so the same investment level produces worse outcomes per incident.
- Investment is going into the wrong layers (more tooling, less program operation), leaving real gaps that defenders cannot see until those gaps are exploited.
- Reporting is improving. Some of the 2023 spike may reflect better disclosure rather than more incidents.
All three are likely contributing. The fact remains that, at the national level, the cleanup line is rising faster than the prevention line, and that is not a sustainable trajectory.
What's actually inside that $6.98M
A common assumption is that the bulk of breach cost is lost business: customers leaving, deals collapsing, brand damage. That is not what the data shows. According to IBM's 2025 Cost of a Data Breach Report, the global cost breakdown across the four standard categories is:
| Cost Category | Share of Total | What It Covers |
|---|---|---|
| Detection and escalation | 33% | Forensics, investigation, internal communication, crisis management |
| Lost business | 31% | Customer churn, lost revenue, replacement acquisition cost, reputation effects |
| Post-breach response | 27% | Help desk, legal, regulatory filings, identity protection, fines |
| Notification | 9% | Mechanical cost of telling regulators and individuals about exposure |
Detection and escalation is the largest cost driver, and according to IBM it has held that position for four consecutive years. The investigation phase is now the most expensive part of an average breach.
Detection time has direct dollar impact
That has implications for where program investment pays back. If detection and escalation is one-third of incident cost, then anything that compresses detection time (mature SIEM coverage, well-defined incident response runbooks, retained forensic counsel, internal communication protocols) has direct dollar impact. A company that detects an intrusion in 30 days instead of 200 is not just better prepared. It is materially cheaper to recover.
The notification line is the smallest, but it is also the most regulated. Canadian breach notification obligations under PIPEDA, Quebec's Law 25, and provincial health privacy regimes such as PHIPA do not scale with breach size. A small breach with mandatory notification to thousands of individuals can carry surprisingly fixed costs.
Why financial services pays the 43% premium
Canadian financial services breaches average CA$9.97 million in 2025, per IBM, versus the all-industry average of CA$6.98 million. That is a 43% premium ($9.97M / $6.98M = 1.428).
The premium has structural causes, not random variance:
- Regulatory exposure is layered. Federally regulated financial institutions answer to OSFI, FINTRAC, the Privacy Commissioner under PIPEDA, and provincial regulators where applicable. Each adds notification obligations, examination overhead, and remediation expectations after an incident.
- Customer data sensitivity is unusually high. A breach exposing financial account data, transaction history, or credit information has higher per-record harm potential than a breach of, for example, a marketing database. That drives identity protection costs, litigation exposure, and customer churn.
- Operational continuity costs more. When a bank's customer-facing systems go down for hours, the cost of recovery includes not only the technical response but the contractual and reputational consequences of disrupted payment, lending, or trading operations.
- The threat actor mix is harsher. Financial services is a known high-value target for organized ransomware groups and state-aligned actors. Average breach severity is higher because the attackers selecting the sector are, on average, more sophisticated.
The 7.4% year-over-year increase in this segment ($9.28M to $9.97M) is consistent with the broader Canadian trajectory: regulated, high-data-sensitivity industries are seeing the costliest breaches and the steepest cost growth.
A case study in real numbers: Indigo, 2023
Industry averages are useful framing. Real incidents sharpen the picture. Indigo Books & Music, Canada's largest book retailer, was hit by ransomware on February 8, 2023. The company's own Q4 FY23 earnings disclosure and subsequent annual filings give a rare clean view of what a refused-ransom recovery actually costs.
- February 8, 2023: Ransomware attack disables Indigo's e-commerce platform and corporate systems.
- Early February to early March: Indigo.ca is offline for approximately four weeks. In-store payment processing is degraded.
- February 16, 2023: Indigo publicly confirms it was hit by ransomware and that it would not pay the ransom, citing concerns that funds could be used by a country that is sanctioned or engaged in conflict.
- March 2, 2023: Stolen employee data begins being released on the dark web.
- June 28, 2023 (Q4 FY23 reporting): Indigo discloses approximately $5.2 million in direct breach-related costs and reports a Q4 revenue decline of $26.5 million attributed substantially to the disruption. The full fiscal year 2023 net loss came in at approximately $49.6 million.
The numbers worth holding side by side: $5.2 million in disclosed direct breach costs versus $26.5 million in Q4 revenue decline versus a $49.6 million annual net loss.
Direct costs are not the whole bill
Direct costs, the line that usually shows up in news coverage, were less than 11% of the annual net loss. The recovery bill is real, but the revenue and operating impact of being offline for four weeks during a ransomware response was several multiples larger. This is the part that the IBM lost business category exists to capture, and Indigo's case is a textbook example of why that line is 31% of the average breach and not 5%.
It is also a real example of the trade-off that gets discussed mostly in theory. Indigo refused to pay, accepted four weeks of downtime, and absorbed an annual loss. Whether that was the right call commercially is a separate question. From a pure cost-accounting standpoint, the disclosed numbers show that the ransom decision is rarely the largest financial decision in a ransomware incident. The recovery and revenue lines are.
Compress detection time, cut breach cost
Truvo builds effective security programs that reduce incident likelihood, compress detection time, and produce the evidence regulators and auditors actually ask for.
For deeper reading on the response side of these incidents, see Truvo's ransomware response guide and the Canadian ransomware paradox widget, which pairs with this post and visualizes payer behaviour in the Statistics Canada data.
Frequently asked questions
What is the average cost of a data breach in Canada in 2025?
The average organizational cost of a data breach in Canada was CA$6.98 million in 2025, according to IBM's Cost of a Data Breach Report. That is a 10.4% increase from CA$6.32 million in 2024. The figure is a mean drawn from real, disclosed incidents and rolls up four cost categories: detection and escalation, lost business, post-breach response, and notification. It is not a median, so a small number of severe incidents pull the average upward. A small organization breached on an average day will not face $7 million in costs, but a regulated mid-market business handling sensitive data could face several times that. The headline is useful for direction, not budgeting.
Why is the Canadian breach cost rising while the global average is falling?
The divergence is the part of the 2025 numbers that stands out. Canadian breach costs rose 10.4% year over year to CA$6.98 million, while the global average fell 9% to USD$4.44 million, per IBM. IBM's release attributes the Canadian increase to factors specific to the operating environment, including regulatory exposure and sector mix. Currency conversion explains part of the headline gap, but only part: even at parity, Canada is meaningfully above the global mean. The pattern is also consistent with the broader Statistics Canada trend, where post-incident recovery spending doubled between 2021 and 2023 while prevention spending grew far more slowly, per StatCan's 2023 cycle. The country is paying more to recover, more often.
Which Canadian industry has the highest breach costs?
Financial services. Canadian financial sector breaches averaged CA$9.97 million in 2025, a 7.4% increase from CA$9.28 million in 2024, per IBM. That is roughly a 43% premium over the all-industry Canadian average of CA$6.98 million ($9.97M / $6.98M = 1.428). The premium has structural causes rather than random variance: regulatory exposure is layered across OSFI, FINTRAC, the federal Privacy Commissioner under PIPEDA, and provincial regulators; the underlying data is unusually sensitive; operational continuity carries contractual and reputational consequences when systems go down; and the threat actor mix targeting the sector is more sophisticated on average. The combination produces both the costliest breaches and some of the steepest cost growth in the country.
What does the typical breach cost actually pay for?
Most of an average breach is not customer churn. According to IBM's 2025 Cost of a Data Breach Report, the global cost breakdown is detection and escalation 33%, lost business 31%, post-breach response 27%, and notification 9%. Detection and escalation, the work of investigating what happened and how bad it is, has been the largest cost category for four consecutive years. That has direct program implications: anything that compresses detection time, such as mature monitoring, defined incident response runbooks, and retained forensic counsel, has measurable dollar impact. Notification is the smallest line but the most regulated, governed by PIPEDA, Quebec's Law 25, and provincial health privacy regimes such as PHIPA. Notification cost does not scale with breach size, so even small incidents carry surprisingly fixed costs.
How much did the Indigo ransomware attack cost in 2023?
Indigo Books & Music was hit by ransomware on February 8, 2023. The company refused to pay, kept Indigo.ca offline for roughly four weeks, and disclosed approximately $5.2 million in direct breach-related costs in its Q4 FY23 earnings reporting. The same disclosures attributed approximately $26.5 million of Q4 revenue decline substantially to the disruption, and the full fiscal year 2023 net loss came in at approximately $49.6 million. The numbers worth holding side by side are $5.2 million in disclosed direct costs versus $26.5 million in Q4 revenue impact versus $49.6 million in annual net loss. Direct costs were less than 11% of the annual loss. The recovery and revenue lines, not the ransom decision, drove the financial outcome.
Are Canadian businesses spending more on prevention or recovery?
Both are growing, but recovery is growing much faster. Statistics Canada's 2023 cycle, released October 2024 and based on 12,462 enterprises with 10 or more employees, shows recovery spending doubled from approximately $600 million in 2021 to $1.2 billion in 2023, a 100% increase in two years. Prevention and detection spending rose from $9.7 billion to $11.0 billion over the same period, a 13.4% increase. Recovery cost growth outran prevention growth by roughly 7-to-1. Prevention is still the larger absolute number, and $11 billion is a meaningful figure, but the marginal dollar is increasingly being spent after the incident rather than before it. An effective security program that compresses detection time and produces audit-ready evidence sits on the cheaper side of that ratio.
Sources and methodology
This post draws exclusively on primary sources. No secondary or vendor-blog citations were used.
- IBM Canada Newsroom, Canadians' Data Security Under Increased Threat, While Breach Costs Surge, July 30, 2025: canada.newsroom.ibm.com
- IBM, Cost of a Data Breach Report 2025: ibm.com/reports/data-breach
- IBM Think, 2025 Cost of a Data Breach Report: Navigating the AI rush without sidelining security: ibm.com/think/x-force
- Statistics Canada, Impact of cybercrime on Canadian businesses, 2023, The Daily, October 21, 2024: statcan.gc.ca
- Indigo Books & Music, Investor Relations and Q4 FY23 earnings disclosure: indigo.ca/en-ca/investor-relations
The Indigo timeline is reconstructed from the company's public disclosures and securities filings. Direct cost ($5.2M) and revenue impact ($26.5M Q4 decline; $49.6M annual net loss) figures are as reported by Indigo in Q4 FY23 reporting.
The IBM cost-category breakdown reflects the corrected 2025 global figures (detection/escalation 33%, lost business 31%, post-breach response 27%, notification 9%). Detection and escalation has been the largest cost category for four consecutive years per IBM.
For related coverage, see Truvo's posts on SOC 2 consultants in Canada, CPCSC Level 1 readiness, ISO 27001 readiness, and the fractional CISO model for SaaS companies.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.