top of page

Experian Forecasts AI to Become Major Cybersecurity Threat In 2026

  • Writer: Roy Urrico
    Roy Urrico
  • 2 minutes ago
  • 5 min read

By Roy Urrico


ree

Artificial intelligence (AI) could surpass human error as the leading cause of data breaches in 2026, according Experian’s 13th Annual Breach Industry Forecast, which offers a look at the evolving cyber threat landscape. The report also addresses how the coming year could usher in a new wave of sophisticated attacks against financial institutions and other organizations.


“We see 2026 as the year of AI not surprisingly. Now, new AI-driven threat vectors stand to increase the scope, frequency and cost of data breaches,” said the Forecast. The Costa Mesa, Calif.-based Experian also featured a number of AI-related predictions, such as the use of “exfiltrated data to create pristine synthetic identities.”

Michael Bruemmer, vice president of global data breach resolution at Experian.
Michael Bruemmer, vice president of global data breach resolution at Experian.

Other trends Experian foresees include the increasing use of mutating malicious code by hackers for long-game attacks, brain-computer interface (BCI) vulnerabilities and the gender divide decreasing among criminal hackers.


“Technology is evolving at breakneck speed, and cybercriminals are often the first to adopt tools like AI to outpace defenses and exploit vulnerabilities,” said Michael Bruemmer, vice president of global data breach resolution at Experian and a contributor to the Forecast. “It’s an uphill battle but organizations can also harness these same innovations to strengthen their security posture. With the right preparation and use of technology, companies can be in a solid position to combat attacks, but they should also be ready to deal with the fallout of a security incident.”


Assessing the Threats


There was no slowing down in 2025. The past year has seen a dramatic increase in the scope and frequency of global data breaches. The study cited research from intelligence firm Statista that reported nearly 94 million data records leaked in data breaches during the second quarter of 2025 alone; and the 2025 Verizon Data Breach Investigations Report that counted 12,195 data breaches last year.

Jim Steven, head of crisis and data response services at Experian global data breach resolution in the United Kingdom.
Jim Steven, head of crisis and data response services at Experian global data breach resolution in the United Kingdom.

This year’s predictions Experian explained come from its long history of helping companies navigate data breaches over the past 23 years. Experian tallied more than 8,000 global data breaches in the first half of 2025 with approximately 345 million records exposed. Among Experian clients, the top countries hit hardest are the United States, United Kingdom and Canada.


“We’re entering a new era where cyberattacks are no longer just about stealing data, they’re about manipulating reality,” said Jim Steven, head of crisis and data response services at Experian global data breach resolution in the United Kingdom and a contributor to the Forecast. “Organizations must prepare for threats that are faster, smarter, and harder to detect. The time to act is now.”


Experian research among consumers in the U.S. and U.K. disclosed that many are feeling the impact of savvy attacks and anxious about cyber threats worsening. Additionally, findings revealed that younger generations are increasingly vulnerable to scams, while many victims feel unsupported after a data compromise. Consumers question whether the organizations they trust (Including financial institutions) are ready to defend against sophisticated cyber threats.


Overall, key Experian findings include:

  • More than 4 in 5 are concerned about AI being used to create fake identities that are indistinguishable from real people.

  • One in four millennial adults surveyed said they have been a victim of identity theft in the past year.

  • Nearly a quarter said they have fallen for a phishing attack at home or work in the past 12 months.


Key U.S. findings:

  • Thirty-five percent of adults worry about being found personally liable for monetary loss as a result of a cybersecurity mistake at work.

  • Sixty-nine percent do not believe their financial institution or retailer is adequately prepared to defend against AI driven cyberattacks or they are unsure.

  • Over three-quarters (76%) believe that cybercrime will continue to increase and be impossible to slow down because of AI.


Top U.K. results:

  • A quarter of millennial adults (25%) say they have been a victim of identity theft in the past year.

  • One in three (33%) U.K. adults worry about damaging their professional reputation due to a cybersecurity mistake at work.

  • Among those who have had their data stolen or exposed in a data breach, more than 3 in 5 (62%) did not say the organization provided adequate support.


Source: Experian’s 13th Annual Breach Industry Forecast.
Source: Experian’s 13th Annual Breach Industry Forecast.

Looking Back


As part of its retrospective of last year’s predictions, Experian cited a recent report from OPSWAT / Ponemon Institute that indicated 61% of all U.S. companies suffered from insider data breaches in the past two years. “It’s not just large companies either.”


Recent news of an insider breach at Sandy, Utah-based FinWise Bank was given as an example, said the Forecast. FinWise Bank experienced an insider data breach in which a former employee accessed sensitive customer information after their employment ended. The breach, which affected approximately 689,000 customers, was disclosed in September 2025.


“If you thought that some of the recent mega-breaches were bad, there’s something far worse that they could enable. Since January 2024, five well reported MOABs (Mother of All Breaches) alone accounted for more than 60 billion comprised records and login credentials,” noted the Forecast. “With sophisticated AI, hackers could perform unprecedented data harvesting on these many billions of records and stitch together enriched identity profiles that are ‘more real than real.’ Imagine synthetic IDs with proof-of-life documents, voice, and video that appear so authentic, they will be indistinguishable from real people. Get ready for a potentially massive spike in identity theft.”


The Forecast further confirmed “right now, human error accounts for approximately 68% to 95% of data breaches, depending on which industry research report you read.” Common causes include social-engineering scams, phishing attacks, insider threats, and accidental misconfigurations. “Make no mistake, bad actors will continue to exploit these methods to trick humans.”


Looking Ahead


“AI agents are the next frontier for fraud and cybercrime, and we predict this may overtake human error as the leading cause of data breaches,” suggested the report. “The rise of agent-based AI that can perform complex, multi-step operations may tip the scales. These AI agents carry out tasks and solve problems without frequent human intervention. Savvy hackers could exploit their target’s AI-agent network by injecting their own AI agents to disrupt the orchestration or governance of the victim’s AI agents. At a minimum, this disruption could impact an organization’s operations or siphon money, goods, or information. Equally bad, a hacker’s AI agents could perform ransomware-like actions on that network.”


The Forecast suggested by combining generative AI, which can create new content, with quantum computing, which can solve problems far quicker than traditional computers, “you have a sobering data-breach threat that could overwhelm current, pre quantum biometric authentication, breaking through traditional thumbprint, retinal scan, or voice print identifiers.”


Another threat due to emerge in 2026 is what the cybersecurity industry calls polymorphic or metamorphic malware aka mutating malicious code. “Mutating malicious code morphs itself or data elements in real time to evade signature-based antivirus or other detection methods, then changes back to its original form or another to avoid detection. The biggest danger with this chameleon code: It enables bad actors to play the long game, keeping the malware dormant until they are ready to strike.”


Then there are consumer brain to computer interfaces (BCIs) worn like caps, glasses, or headphones coming to market soon. “They’re perfect for a wide range of applications, like gaming, ecommerce, dating, and much more. Of course, this innovation may add a worldwide, virtually unpoliceable threat surface, as cybercriminals could use AI to develop ‘thought phishing’ malware that detects and manipulates decision-making impulses. It’ll literally be brain-hacking,” said the 2025 Annual Breach Industry Forecast.


The Breach Industry Forecast also predicted, “We’re about to potentially see an explosion in the number of female criminal hackers, the percentage may double in 2026.” What is driving it? An increase of young females in STEM (science, technology, engineering, and mathematics) and coding. The report also cited stats showing women now make up 24–25% of the cybersecurity workforce, up from 11% in 2017and a report about cybercriminals and gender finds that at least 30% of users on cybercrime forums are women.

bottom of page