According to a recent report from the Identity Theft Resource Center, data breaches and compromises reached unprecedented levels in 2025, signaling significant security challenges for organizations. The findings reveal that companies often fail to provide clear guidance to affected individuals following such incidents, raising concerns about the adequacy of their response strategies.
James Lee, president of the Identity Theft Resource Center (ITRC), has been monitoring publicly reported data compromises for over 20 years. This year’s report marks a notable milestone, being the 20th edition since its inception. Lee highlighted a dramatic increase in reported breaches, indicating a surge from just over 100 incidents in 2005 to a staggering 3,322 in 2025. This escalation reflects an all-time high and raises critical questions about organizational cybersecurity practices.
The economic ramifications of data breaches are substantial. The ITRC found that approximately 81 percent of small businesses experienced cyberattacks or data breaches in the previous year, with many incidents reportedly driven by artificial intelligence. Notably, nearly 40 percent of these businesses indicated they had to increase prices to recoup recovery costs, illustrating the direct financial impact of such security incidents.
A key finding from the report suggests a concerning trend regarding transparency in breach notifications. Lee noted that many companies fail to adequately inform individuals about the nature of the breach, including how it occurred, what specific data was compromised, and what preventive measures are being implemented to avert future occurrences. This lack of clarity can leave affected individuals vulnerable and uninformed, complicating their ability to respond effectively.
Conversely, there is one encouraging trend: individuals are becoming more proactive in reading breach notices and taking subsequent steps. Lee remarked that there were no reported instances of recipients ignoring such notifications. Moreover, individuals expressed a desire to understand the potential implications of a breach and what actions to take moving forward, reflecting a growing awareness of cybersecurity risks.
In light of these developments, the ITRC advises individuals receiving breach notifications to take specific precautions. It is essential to retain the notice for future reference. Furthermore, recipients should avoid clicking on any links or sharing personal information, especially from unsolicited contacts. In instances where personal data may have been compromised, considering a credit freeze can be a proactive measure to mitigate potential identity theft. Employing unique passwords across different accounts can also reduce the risk of a broader compromise. Additionally, enabling multi-factor authentication is recommended to bolster account security where available.
From a cybersecurity perspective, the tactics referenced in the MITRE ATT&CK framework can provide insight into potential adversary behaviors associated with these breaches. Tactics such as initial access, where attackers exploit vulnerabilities to gain entry into systems, and privilege escalation, which allows them to elevate their access rights within compromised networks, are of significant concern. Understanding these tactics is essential for organizations to strengthen their defenses and formulate effective response plans.
Copyright 2026 Gray Media Group, Inc. All Rights Reserved.