Reported U.S. data breaches hit record high in 2025

Analyzing the causes, consequences and industry impact of a surge in cyberattacks

Takeaways

• U.S. data breaches reached a record high in 2025, with 3,322 reported incidents, representing a 4% increase over the previous year.
• Cyberattacks remain the leading cause, responsible for 80% of data breaches, mostly targeting personally identifiable information such as Social Security numbers and bank account details.
• Financial services, healthcare, and professional services sectors experienced the highest number of reported breaches.
• The number of breach notifications sent to consumers dropped sharply compared to 2024, likely due to fewer mega breaches.
• Regulatory changes may have contributed to higher reporting rates, making it unclear if actual incidents increased or if transparency improved.

According to the nonprofit Identity Theft Resource Center (ITRC), the number of data beaches reported last year reached an all-time high in the U.S. with 3,322 being reported, representing a 4% increase over the previous year.

On the plus side, the number of breach notifications sent last year — approximately 279 million — was reduced sharply from 2024, which saw 1.4 billion notifications sent in the wake of several mega breach incidents.

What’s not clear, however, is the degree to which that number of data breaches is an increase in the total of actual incidents versus a reflection of the simple fact that more breaches are being reported. There are now more regulations requiring disclosure, so it may turn out that more incidents are simply being reported.

What is evident, however, is that 80% of these breaches (2,656 incidents) were a direct result of cyberattacks. In these cases, cybercriminals primarily targeted personally identifiable information, which is difficult to change, rather than credit card number that can be replaced more easily. Two-thirds of the breaches reported last year involved Social Security numbers, followed by a third that disclosed bank account information, driver’s license numbers or both.

Financial services firms reported the greatest number of breaches (739), followed by healthcare (534), professional services (478), manufacturing (299) and education (188).

The impact of a successful data breach

As troubling as all that may seem, however, there are tens of millions of businesses in the U.S., so 3,322 incidents may not be all that high, relatively speaking. Of course, not every business is going to report every data breach, but on the whole many organizations appear to be doing a credible job protecting data.

Unfortunately, when there is an incident, the impact is usually substantial. A separate survey of 1,040 consumers conducted by the ITRC finds 80% of respondents having received a data breach notice in the last 12 months. Nearly 40% said they have received three to five separate notices in the past year.

A full 88% of the individuals who received a data breach notice experienced at least one negative consequence after a breach, including an increase in targeted phishing attempts after a breach (54%), an increase in spam emails or robocalls (49%), an increase in phishing or scam attempts (40%), and attempted takeover of an existing account (40%).

Not all those attacks are successful, but there are clearly enough of them to warrant ongoing investments in cybersecurity. The challenge, of course, is striking the right balance between the threat to the business and the total cost of investment being made in cybersecurity.

As the percentage of the IT budget being allocated to cybersecurity has increased in recent years, more business leaders are becoming concerned. In their minds, every dollar spent on cybersecurity is one less that might be better used to drive additional revenue.

Cybersecurity leaders that aggressively look to increase spending each year will inevitably encounter skepticism about the actual risk there is to the business. The challenge, as always, is to ensure the right level of cybersecurity is being attained without breaking the proverbial bank.