Record High Data Compromises Documented in 2025 Annual Report by the Identity Theft Resource Center
According to the Identity Theft Resource Center® (ITRC), a total of 3,322 data compromises were reported in 2025, marking a notable increase of five percentage points compared to the previous year, which recorded 3,152 breaches. This increase not only sets a new record for the number of tracked compromises but also highlights a worrying trend that has seen data breaches soar 79 percent over the past five years.
The latest findings were disclosed in the ITRC’s 2025 Annual Data Breach Report, presented at the Identity, Authentication, and the Road Ahead Forum hosted by the Better Identity Coalition and the FIDO Alliance in San Diego on January 29, 2026. This year’s report is particularly significant as it reflects the 20th edition of the annual review, which serves as a comprehensive assessment of data security trends impacting consumers and businesses alike.
Despite the uptick in data compromises, the report also identified a dramatic decline in the number of victim notices, which plummeted to 278,827,933 from a staggering 1,367,117,021 the previous year. This stark decrease is attributed to the absence of “mega-breaches” in 2025, which were prevalent in 2024. As a result, this year recorded the fewest victim notifications since 2014, underscoring a critical shift in data security dynamics.
In assessing which industries faced the most breaches, the report found that the Financial Services sector experienced the highest number of compromises at 739, followed closely by Healthcare with 534, and Professional Services reporting 478. The Professional Services sector, in particular, demonstrated a significant rise in instances of data attacks, often acting as conduits for compromising multiple client organizations.
James E. Lee, President of the ITRC, commented on the evolving landscape of data attacks. He emphasized a shift from straightforward identity theft to increasingly sophisticated and automated forms of attacks that are challenging to detect. As businesses bolster cybersecurity measures, they are still vulnerable to these more intricate forms of criminality.
From a technical perspective, the incidents documented in the report can be analyzed through the MITRE ATT&CK framework, which provides insights into the tactics and techniques employed by adversaries. Initial access tactics may have involved phishing campaigns or exploitation of public-facing applications, while persistence might have been achieved through unauthorized use of stolen credentials. The complexities of privilege escalation could also arise from exploiting vulnerabilities or misconfigurations, underscoring the multi-faceted nature of these attacks.
The report also surveyed consumer attitudes toward data breach notifications, revealing that a surprising 80 percent of respondents reported receiving at least one notice within the prior year. Almost 40 percent received three to five separate notifications, indicating that data breaches are an all-too-familiar concern for consumers. Additionally, the findings pointed out that 88 percent of those who received breach notifications experienced negative consequences, including heightened instances of phishing attempts.
As the risks associated with data breaches remain high, the ITRC urges affected consumers to take proactive measures. They recommend credit freezing and the adoption of advanced identity verification methods, such as passkeys, as essential steps to enhance digital security.
For additional support, consumers can reach out to the ITRC via its toll-free number or visit their website for resources aimed at navigating the complexities of identity theft and data breaches. As organizations and individuals alike grapple with these escalating threats, a collective emphasis on transparency, robust cybersecurity practices, and consumer education will be essential in mitigating future risks and vulnerabilities.
