top of page

ITRC 2025 Annual Breach Report: Record Number of Data Compromises; Finservs Top Targets

  • Writer: Roy Urrico
    Roy Urrico
  • 4 minutes ago
  • 4 min read

By Roy Urrico



In its 2025 Annual Data Breach Report, the Identity Theft Resource Center (ITRC) revealed the number of data compromises reported in the U.S. in 2025 (3,322) increased by five percentage points compared to 2024 (3,152). The ITRC also set a new record for the number of data compromises tracked in a year, up four percentage points from the previous all-time high in 2023 (3,202), and a 79% increase over the last five years.


For credit unions, banks and other financial services organizations, the ITRC findings showed they are the top target for fraudsters. Not only does financial services top the list of compromised industries with 739 compromises, but criminals have prioritized attacking static identifiers, such as banking accounts, that facilitate long-term identity fraud over easily replaceable data, such as credit cards.


Notices Decreasing


The ITRC, an El Cajon, Calif.-based national nonprofit organization that supports victims of identity theft, fraud and scams, released its 2025 Annual Data Breach Report, its 20th edition, at the Identity, Authentication and the Road Ahead Identity Policy Forum (January 28, 2025 in Washington, D.C.) hosted by the Better Identity Coalition, the FIDO Alliance and the ITRC.


The report also disclosed the number of victim notices (278,827,933) decreased by 79% from 2024 (1,367,117,021). The massive decrease in victim notices is due to the lack of “mega-breaches” in 2025, unlike 2024. ITRC claimed it is the lowest number of victim notices since 2014 and the lowest number since the last U.S. state and territories adopted data breach laws in 2018.


James E. Lee, president, ITRC.
James E. Lee, president, ITRC.

“In this report, we not only look back on 2025, but on the last five years to paint a picture of an inflection point: We have moved beyond an era of simple identity theft into a ‘State of More.’ More attacks that are more precise, more automated and more difficult to detect,” said James E. Lee, president, ITRC. “Perhaps the most troubling finding in this report is the continued downward trend in transparency. In 2020, nearly every organization that suffered a breach provided clear details on how it happened. By the end of 2025, that figure had collapsed to just 30%. When organizations withhold the root cause of an attack to mitigate their own legal or reputational risk, they leave the American consumer and other businesses in the dark.”


Other Key Findings


  • The number of total victims dropped sharply from 1.36 billion in 2024 to 278.8 million in 2025 because attackers are being more effective. This represents the lowest number of victims since 2014 and the lowest number since the last U.S. states and territories adopted data breach laws in 2018.

  • Supply chain attacks almost doubled between 2021 and 2025, and now about 30% of all breaches involve a third party.

  • Ransomware attacks dropped for the second year in a row, as criminals switch tactics to just steal the data instead of encrypting it.



Top Compromises by Industry


With 739 compromises,  financial services topped all industries, followed by healthcare (534 compromises), professional services (478 compromises), manufacturing (299 compromises) and education (188 compromises).


While financial services is still the top sector hit, the professional services industry (lawyers, accountants, consultants) saw the biggest growth in attacks, making them a common stepping stone to hack their multiple clients, the report suggested.


Key Issues and Trends


The annual report also provided analysis and insight on a number of trends and issues including:


  • The “no comment” crisis. “Transparency is on life support. In 2020, nearly every company gave details on the cause of the breach; by 2025, only 30% did. This means consumers and other at-risk organizations are totally in the dark about what went wrong and how they can protect themselves from similar attacks.”

  • Old data is still dangerous. “A new trend involves ‘previously compromised data’ (PCD), where hackers are using artificial intelligence (AI) to repackage old stolen records to launch new attacks, including account takeover and new account creation.

  • Fear factor. “The impact of data breaches is significant, causing immediate anxiety (60%) and frustration (59%). The primary fear is immediate financial fraud (50%), a fear that is well-founded, as 54% of consumers reported an increase in targeted phishing attempts after a breach.”


Evolution of Attack Vectors and Data Types


Phishing, smishing (SMS phishing) and business email compromise (BEC) remained the top root causes of data breaches in the past year, increasing slightly to 466 incidents in 2025 from 458 in 2024, according to the ITRC annual report. Ransomware decreased for a second consecutive year, falling to 143 incidents in 2025 from 194 in 2024, as attackers switch tactics to just stealing data and threatening to release it.


A major new trend in 2025 was the resurgence of physical skimming, which jumped from four incidents in 2024 to 34 in 2025 – a 750% increase – as attackers switch to Bluetooth-enabled skimming devices.


With the shift by criminals to using to static identifiers, compromises involving Social Security numbers nearly doubled, from 1,146 in 2021 to 2,236 in 2025; driver’s licenses jumped from 456 in 2021 to 1,094 in 2025 as the use of driver’s license information has increased with the rise of remote transactions; and banking accounts increased from 410 in 2021 to 1,099 in 2025.


“It’s time to consider if the desire for speed and convenience in every transaction is making us less safe and secure,” said Lee. “A little process friction may be the difference between avoiding unnecessary risks and becoming a cyber victim with all the losses that result from attacks against businesses and people.”

bottom of page