Data Breaches February 23, 2026

Record 3,322 Data Breaches in 2025: What the ITRC Report Means for You

Identity Threat Statistics

  • Data Breaches: 3,205 data breaches in 2023
  • Avg Breach Cost: $4.45M avg cost per breach
  • Records Exposed: 353M individuals affected

The Identity Theft Resource Center (ITRC) has released its 20th Annual Data Breach Report, and the numbers confirm what security professionals have been warning about: 2025 was the worst year on record for data compromises in the United States.

With 3,322 documented breaches — a 79% increase over five years — the report paints a picture of a data security crisis that continues to accelerate. But perhaps more troubling than the raw numbers is what the report reveals about transparency: the vast majority of breached organizations are telling consumers less and less about what happened.

3,322 data compromises recorded in the U.S. in 2025, a new record (Source: ITRC 20th Annual Data Breach Report, January 2026)

The Key Findings

The ITRC report covers all publicly reported data compromises in the United States, including breaches, exposures, and leaks. Here are the most significant findings from the 2025 data.

Record-Breaking Volume

The 3,322 total compromises represent a steady upward trajectory that shows no sign of leveling off. For context: in 2020, the ITRC recorded approximately 1,860 compromises. The 79% increase since then reflects both the growing sophistication of attackers and the expanding attack surface created by cloud migration, remote work, and third-party integrations.

Transparency Is “On Life Support”

The ITRC used stark language to describe the state of breach disclosure: transparency is “on life support.” A full 70% of breach notifications filed in 2025 omitted the attack vector — meaning the organization did not disclose how the breach occurred.

This is a significant increase from 65% in 2024, and it represents a fundamental problem for both consumers and the security community. Without knowing whether a breach was caused by phishing, a software vulnerability, credential stuffing, or an insider threat, affected individuals cannot properly assess their personal risk level.

The Transparency Crisis

70% of breach notifications in 2025 did not disclose how the breach occurred. This means most breach victims don’t know what information was compromised or how it happened — making it nearly impossible to take targeted protective action without broader monitoring.

Supply Chain Attacks Nearly Doubled

Supply chain attacks — where criminals compromise a vendor, service provider, or software platform to gain access to their clients’ data — nearly doubled year-over-year. These attacks are particularly dangerous because a single breach can cascade across hundreds or thousands of organizations that rely on the compromised vendor.

The MOVEit breach of 2023 was an early example of this pattern at scale. In 2025, similar supply chain compromises continued to ripple through industries, with some organizations learning they were affected months after the initial breach occurred.

Consequences for Breach Victims

The report also surveyed breach notification recipients and found that 88% experienced at least one negative consequence after receiving a notification. These consequences ranged from financial losses and emotional distress to time spent resolving fraud and difficulty obtaining credit.

88% of breach notification recipients experienced negative consequences (Source: ITRC 2025 Annual Report)

What Types of Data Were Exposed

Not all data breaches are equal. A breach exposing email addresses carries different risk than one exposing Social Security numbers or medical records. The ITRC report breaks down the types of data most frequently compromised in 2025:

  • Social Security numbers: Remain the most valuable piece of data for identity thieves and appeared in a significant percentage of breaches. Unlike credit cards, an SSN cannot be changed.
  • Financial account data: Bank account numbers, credit card details, and payment information.
  • Medical records: Health insurance information, diagnosis codes, and treatment histories — highly valued on the dark web because they enable medical identity theft and insurance fraud.
  • Login credentials: Email and password combinations, often reused across multiple sites, that enable account takeover attacks.
  • Driver’s license numbers: Increasingly used as identity verification, making exposure particularly risky for synthetic identity fraud.

Industries Most Affected

The financial services and healthcare sectors continued to bear the heaviest burden, consistent with prior years. These industries are attractive targets because they hold the most valuable personal data and often operate with complex, interconnected systems that create multiple potential entry points.

Healthcare breaches are especially concerning because medical data has a longer shelf life than financial data. A stolen credit card can be canceled; a stolen medical history cannot. Criminals use medical identity theft to obtain prescription drugs, file insurance claims, and receive medical treatment under someone else’s name — creating corrupted medical records that can have life-threatening consequences for the victim.

The technology sector also experienced significant breach activity, particularly through compromised cloud services and SaaS platforms. Government agencies, educational institutions, and retail organizations rounded out the most-affected sectors.

What This Means for Consumers

The practical takeaway from the ITRC report is straightforward but sobering: the question is no longer whether your personal data has been exposed, but how many times and in how many places.

With over 3,300 breaches in a single year and a multi-year trend of record-breaking numbers, the statistical reality is that most Americans have had significant personal information compromised at least once. The 2024 National Public Data breach alone exposed billions of records, and 2025’s total only added to that exposure.

Passive Defenses Are No Longer Enough

Waiting for breach notification letters and then reacting is no longer a viable strategy. By the time a notification reaches you — often weeks or months after the breach — your data may already be in circulation on the dark web and being used for fraud.

Don't Wait for the Letter

Breach notifications arrive weeks or months after exposure. Proactive monitoring — credit alerts, dark web scanning, SSN surveillance — catches misuse much faster than waiting for official notifications.

Layered Protection Is Essential

No single measure provides complete protection. The most effective approach combines multiple layers:

  • Credit freezes at all three bureaus prevent new credit accounts from being opened.
  • Fraud alerts require creditors to verify your identity before extending credit.
  • Credit monitoring catches unauthorized inquiries and new accounts.
  • Dark web monitoring detects when your data appears in criminal marketplaces.
  • SSN surveillance alerts you when your Social Security number is used in applications.
  • Identity theft insurance covers the financial costs of recovery if prevention fails.

Looking Ahead

The ITRC’s report makes clear that the data breach crisis is not a temporary spike — it’s a structural problem that’s getting worse. The combination of increasing attack sophistication, growing volumes of digitized personal data, and declining breach transparency creates an environment where consumers must take active responsibility for their own data protection.

The 20th edition of this report carries an implicit message: two decades of data breach tracking show a consistent upward trajectory with no signs of reversal. Individual preparedness — through credit freezes, active monitoring, and identity theft protection services — is no longer optional. It’s a necessary component of personal financial hygiene.

Frequently Asked Questions

How many data breaches occurred in 2025?

The Identity Theft Resource Center (ITRC) recorded 3,322 data compromises in 2025, setting a new all-time record. This represents a 79% increase over the number of breaches recorded five years ago. The total includes data breaches, data exposures, and data leaks across all industries. These compromises affected hundreds of millions of individual records containing Social Security numbers, financial data, medical information, and other sensitive personal details.

Why are companies hiding how data breaches happen?

The ITRC report found that 70% of data breach notifications in 2025 did not include the attack vector — meaning companies did not disclose how the breach occurred. This is up from 65% in 2024 and represents a deeply concerning trend. Companies may withhold this information to limit legal liability, avoid reputational damage, or because ongoing investigations prevent disclosure. However, without knowing how breaches occur, consumers cannot assess their personal risk level and security researchers cannot identify emerging threat patterns.

What should I do if my data was exposed in a 2025 data breach?

If you received a breach notification or believe your data was exposed:

  (1) Place a fraud alert or credit freeze at all three credit bureaus — Equifax, Experian, and TransUnion.
  (2) Monitor your credit reports weekly through AnnualCreditReport.com.
  (3) Change passwords for any accounts that may be affected, using unique passwords for each.
  (4) Enable multi-factor authentication on financial accounts.
  (5) Watch for phishing attempts that reference the specific breach.
  (6) Consider an identity theft protection service that provides continuous dark web monitoring and SSN surveillance.
  (7) File a report with the FTC at IdentityTheft.gov if you notice any unauthorized activity.

What industries had the most data breaches in 2025?

According to the ITRC, the financial services and healthcare sectors continued to be the most heavily targeted industries in 2025. Healthcare breaches are particularly dangerous because they expose medical records, insurance information, and Social Security numbers — data that cannot be changed like a credit card number. The technology sector and government agencies also experienced significant breach activity. Supply chain attacks — where criminals breach a vendor to access their clients' data — nearly doubled year-over-year, affecting organizations that may not have been directly attacked themselves.

Written by Tyler Wilson, Identity Protection Specialist & Founder
