The number of US data “compromises” in 2025 reached a record high of 3332, a 5% increase on the previous year, according to new figures from the Identity Theft Resource Center (ITRC).
The non-profit has been tracking these figures since 2005. In its telling, a “compromise” could mean a breach, an accidental exposure or a leak of previously stolen data.
The figure for 2025 is 4% higher than the previous all-time record of 3202 in 2023.
The good news is that there were far fewer individual victims in 2025 than 2024: 279 million versus 1.4 billion. This is largely due to the lack of the “mega breaches” we saw two years ago that impacted Snowflake customers.
It represents the lowest number of victim notices since 2014, the ITRC said.
Financial services was the most impacted industry in 2025, accounting for 739 compromises (22%). Next came healthcare (16%), professional services (14%), manufacturing (9%) and education (5.6%).
The ITRC repeated its warning that incidents like these act as an inflationary “cyber tax” on consumers and businesses. Some 38% of US small businesses were forced to put their prices up last year to cover the costs of remediation and recovery, it previously noted.
Victims Are Suffering
The ITRC also said 70% of breach notices sent to victims included no information on the type of attack the organization suffered. That’s up from 65% in 2023 and virtually zero in 2020. It means consumers and institutions caught up in breaches find it difficult to assess their level of risk and take appropriate steps to protect themselves.
“Businesses should prioritize transparency over liability mitigation,” urged ITRC president, James Lee.
“This includes embracing Zero Trust security models, engaging in robust employee training, requiring enhanced identity verification for employees and customers, and recognizing that supply chain risk extends beyond direct vendors.”
In some cases, these incidents are having a serious impact on victims’ mental health, the report warned. Some 88% of those who received a breach notice experienced at least one negative consequence, including an increase in spam/phishing or attempted account takeover.
Overall, 80% of respondents to the ITRC’s poll of 1000 US consumers said they received a breach notification in the past year, and two-fifths said they received between three and five separate notices.
