U.S. Data Compromises Reach Record Levels as Mega-Breach Counts Fluctuate
The Identity Theft Resource Center (ITRC) reported that U.S. data compromises (breaches, leaks, and accidental exposures) reached a new record in 2025, rising 4% year-over-year to 3,332 incidents—an increase of 79% over five years and the third consecutive year exceeding 3,000 events. Despite the higher incident count, the number of affected individuals fell sharply to 278.8 million (down from 1.36 billion in 2024), which was attributed to the relative absence of “mega breaches” that have driven outsized victim totals in prior years.
Consumer impact indicators remained negative: an ITRC poll cited widespread breach-notice exposure (most respondents receiving at least one notice) and reported downstream harms including account takeover and increased phishing/spam, alongside “breach fatigue” reducing follow-on protective actions. Separately, Hackmageddon continued its annual tracking of mega breaches (defined as incidents involving >1 million records) for 2026, reinforcing that large-scale events are monitored as a distinct category that can disproportionately influence annual victim counts even when overall incident volume trends upward.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
ITRC warns of declining transparency in breach notifications
ITRC said breach notifications in 2025 increasingly omitted root-cause and attack-vector details, reflecting a decline in transparency. The organization urged businesses to prioritize clearer disclosure over liability concerns and noted consumer breach fatigue and distrust of notifications.
ITRC identifies major 2025 breach victims and sector trends
In its 2025 analysis, ITRC highlighted major confirmed compromises involving PowerSchool, AT&T, Aflac, and Prosper Funding, and noted Conduent Business Services as a major breach with at least 14.7 million affected in Texas alone. The report said financial services was the most targeted sector in 2025, with supply-chain breaches increasing in impact and static identifiers such as Social Security numbers remaining a key target.
ITRC records 3,332 U.S. data compromises in 2025
The Identity Theft Resource Center reported that U.S. data compromises reached a record 3,332 incidents in 2025, up 4% from 2024 across breaches, leaks, and accidental exposures. Despite the increase in incidents, the total number of affected individuals fell to 278.8 million, which ITRC attributed to the lack of mega breaches.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Record Surge in US Data Breaches and Identity Attacks Driven by Stolen Credentials
Data breaches in the United States have reached alarming levels in 2025, with 835 incidents reported in the third quarter alone, affecting 23 million individuals. Despite a slight downturn in Q3, the total number of breaches for the year has already reached 2,563, impacting nearly 202 million victims, according to the Identity Theft Resource Center. The majority of these compromises—83%—were caused by cyberattacks, while physical attacks have also increased, with 53 incidents reported so far, surpassing the total for the previous year. Major organizations affected include Anne Arundel Dermatology, DaVita, Radiology Associates of Richmond, TransUnion, and Absolute Dental Group, each sending millions of breach notifications to affected individuals. The financial sector has been particularly hard hit, experiencing 188 breaches, making it the most impacted industry. A significant concern highlighted by the ITRC is that 71% of breach notifications lacked details about the attack vectors, which complicates efforts to mitigate identity theft and fraud. Microsoft’s 2025 Digital Defense Report corroborates the trend, noting a 32% surge in identity-based attacks in the first half of the year, with over 97% of these attacks leveraging stolen passwords. Hackers are increasingly using credential leaks, infostealer malware, and social engineering tactics such as help desk scams to obtain access to sensitive accounts. The Scattered Spider group has been linked to several high-profile attacks using these methods. Microsoft has also played a role in disrupting infostealer operations, notably taking down the Lumma Stealer infrastructure, though new variants continue to emerge. The prevalence of password-based attacks underscores the need for stronger authentication measures and better user education. The lack of transparency in breach notifications further exacerbates the risk, as individuals and organizations are left without critical information to protect themselves. The rise in both cyber and physical attacks demonstrates the evolving threat landscape facing US organizations. The healthcare and financial sectors remain prime targets due to the sensitive data they hold. Experts warn that unless organizations improve their security posture and reporting practices, the US is on track for another record-breaking year in data breaches. The combination of sophisticated attack techniques and inadequate breach disclosures increases the risk of widespread identity theft and financial fraud. Security professionals are urged to prioritize credential protection, implement multi-factor authentication, and ensure timely, detailed breach notifications to mitigate the growing threat.
Mar 21, 2026
January 2026 Data Breaches and Exposures Roundups
Two security-news roundups highlighted a broad set of **unrelated cyber incidents** rather than a single cohesive event. *Security Magazine* summarized seven January 2026 breach/exposure headlines and cited the Identity Theft Resource Center’s 2025 Data Breach Report, which reported **2025 as the highest year on record for breach counts** while **victim notices fell 79% year-over-year**, suggesting a shift away from 2024-style “mega-breaches” toward more frequent, targeted theft of high-value data. Among the incidents called out were the alleged theft and public release of roughly **860 GB of Target internal source code and developer documentation** (posted to *Gitea*), a breach of **BreachForums** that exposed metadata for about **324,000** associated individuals (e.g., usernames, emails, registration dates, IP addresses), and an **ICE data leak** involving an uploaded database that reportedly exposed sensitive information on personnel (including roughly **2,000 agents** and **150 supervisors**). Separately, *The Cyber Express* weekly roundup described a **cyberattack disrupting Spain’s Ministry of Science, Innovation, and Universities**, forcing a partial IT shutdown and temporary closure of its electronic headquarters, and also covered AI/policy items (e.g., OpenAI controlled access for cyber defense models), reinforcing that the reporting was a multi-topic digest rather than a single incident narrative.
Mar 21, 2026
US Data Breach Reporting Transparency and State Notification Enforcement Gaps
The Identity Theft Resource Center (ITRC) reported a record **3,322** data breaches in the US last year, while noting that roughly **70% of breach notices lacked key incident details**, limiting defenders’ ability to understand scope, root cause, and affected data. The reporting gap was attributed to inconsistent state breach-notification laws and uneven enforcement; while all states and several US territories require some form of consumer notification for certain PII exposures, only **34 states** require breach reporting to state agencies. The ITRC also cited the **PowerSchool** incident as the largest US cyber incident of the year. Separately, Blue Cross Blue Shield of Montana (BCBSMT) disclosed that up to **462,000** members may have been affected by a “cyber incident” at third-party vendor **Conduent**, and the matter is now trending toward litigation over whether the Montana State Auditor has authority to investigate under a new state breach-reporting law effective **Oct. 1, 2025**. BCBSMT argues the incident pre-dated the law’s effective date and that its notification to the auditor was a courtesy, while reporting also noted the apparent absence (as of publication) of a corresponding entry from BCBSMT or Conduent on the US HHS public HIPAA breach portal. A separate blog post about a purported “**16 billion leaked credentials**” compilation describes an aggregated infostealer-driven credential corpus rather than a single breach and does not materially relate to the US breach-notification transparency and enforcement issues described above.
Mar 21, 2026