Compromises Almost Even, Notices Up, but Details Lacking: ITRC Breach Report

By Roy Urrico

The Identity Theft Resource Center (ITRC) tracked 824 data compromises in the first quarter of 2025, leading to 91,344,628 victim notices. The financial services industry was most impacted.

The ITRC, an El Cajon, Calif.-based national nonprofit organization supports identity crime victims. Its Q1 2025 Data Breach Analysis report found that the number of compromises was nearly even quarter-over-quarter, with 837 compromises tracked in the first quarter of 2024.

Although the number of victim notices increased by 138% over the same time period, the ITRC also found an increasing number of data breach notices that did not contain attack vector details.

“Unfortunately, we continue to see an increase in the number of notices without attack vector details,” stated the Data Breach Analysis. The ITRC reported in the first quarter of 2025 68% of notices did not contain those details, up from 65% in 2024. In addition, the analysis noted the percentage of notices with actionable information has dropped from nearly 100% in 2018 to 32% in the first quarter of 2025. “The lack of actionable information leaves victims more vulnerable to an identity crime,” claimed the report.

Industries Targeting and Most Impactful Breaches

The top five industries most impacted in 2025’s first quarter:

·         Financial Services (193 compromises)

·         Healthcare (136)

·         Professional Services (86)

·         Manufacturing (75)

·         Education (63)

Of the 824 data compromises, 638 were cyberattacks, 60 were system and human errors, 11 were physical attacks and 115 were unspecified.

The top compromises by victim notice count in the first quarter of 2025:

1. PowerSchool, with 71.9 million victim notices issued. In late December 2024, this third-party breach exposed the personal and sensitive information of the PowerSchool’s Student Information System, which helps school districts keep track of K-12 students. Sensitive information potentially exposed included names, addresses, birth dates, Social Security numbers, medical alerts, and grades.

2. DISA Global Solutions, Inc. (3.3 million victim notices). DISA, a third-party employment screening services provider, discovered on April 22, 2024, that it was the victim of cyber-attack that gave “an unauthorized third party” access to individuals’ personal information. In a notice on its website, DISA said the personal Identifiable Information (PII) accessed could have included names, Social Security, driver’s license and other government ID numbers, financial account information and other data elements.

3. New York University (NYU, 3 million victim notices). On March 22, 2025, NYU’s website was compromised for approximately two hours. The breach exposed sensitive data including names, test scores, majors, zip codes, family and financial aid details, citizenship status, and common application information. This data included records of both accepted and rejected applicants, dating back to 1989.

4. Community Health Center, Inc. (1.1 million victim notices). CHC, a nonprofit with healthcare practices located in medically underserved areas of Connecticut, said that on Jan. 2, it noticed unusual activity in its computer systems. It found a hacker had gotten into its system and might have taken PII including patient names, birthdates, addresses, phone numbers, email addresses, diagnoses, progress notes, medications, test results, records, Social Security Number and health insurance, guarantor and treatment information.

5. Hospital Sisters Health System (882,000 victim notices). HSHS, which operates a network of physician practices and 15 local hospitals across Illinois and Wisconsin notified its patients that an August 2023 data breach exposed their personal and health information. The information accessible by the threat actors included names, addresses, birthdates, treatment and health insurance information, medical records, and Social Security and driver's license numbers.