U.S. data compromise incidents reached a new annual high in 2025 with 3,332 confirmed incidents, while the number of individuals affected declined compared to the previous year.
Record Total of Data Compromises in 2025
The Identity Theft Resource Center (ITRC) reported 3,332 data compromise incidents in the United States during 2025. This figure represents a 4 percent increase from 2024’s total. 2025 is the third consecutive year with more than 3,000 reported compromises. The ITRC is a non-profit group committed to helping individuals affected by data breaches, scams, and identity theft. ITRC also helps to educate consumers on how to protect themselves from identity theft and fraud. ITRC monitors data compromises, such as data breaches, data leaks, and accidental breaches of sensitive consumer information.
Despite the rising number of incidents, the total number of individuals affected by data breaches dropped to 278.8 million from 1.36 billion in 2024. This annual total is the lowest since 2014. The decrease in affected individuals was attributed to the absence of large-scale breaches that had resulted to higher totals in the past years.
The biggest confirmed data compromises of 2025 (based on number of victims) are the following:
- PowerSchool – 71.9 million
- AT&T – 44 million
- Aflac – 22.7 million
- Prosper Funding – 17.6 million
- Conduent Business Services – not yet final, but 14.7 million individuals affected in Texas alone.
The sectors targeted by data breaches include the financial services, which is ranked one with 739 confirmed cases, followed by healthcare with 534 compromises of HIPAA-covered entities in 2025. Professional services h
Consumer Response Patterns
An ITRC survey of 1,000 U.S. consumers showed that 80% received at least one breach notification in 2025, and 40% received 3 to 5 breach notifications. 88% of those who received a breach notice said they experienced negative consequences, like an account takeover, getting more spam emails, more phishing attacks, or mental health problems. Individuals who received notices and did not take action reported doing so because of fatigue (48.3%), feelings of helplessness (46.1%), thoughts that the breach was not serious (41.6%), and skepticism that the notice was a scam (36%).
ad 478 compromises, the manufacturing industry had 299, and education had 188 data breaches.
ITRC reported the growing risk due to supply chain data breaches. In one year, the entities affected by supply chain breaches almost doubled from 660 in 2024 to 1,251 in 2025. Currently, supply chain breaches make up 30% of all breaches involving a minimum of one third party.
For a few years now, ITRC has pointed out that breached entities fail to give consumers enough details about a data breach. Hence, consumers cannot make informed decision regarding the risk they face brought about by their exposed data. For example, a healthcare provider only notifies the victim about a data incident affecting his/her protected health information (PHI). However, the reality is that a ransomware group already stole their data, and leaked them on the dark web.
In 2020, almost all data breach notifications mention the root cause of the data breach, while in 2025, just 30% did. This reduction in breach reporting transparency is a problem that must also be addressed.
Image credit: Pixel Studio, Adobestock / logo©ITRC
