Feb 04, 2026 · 4 min read

3,322 Data Breaches Happened in 2025—But 70% Won't Tell You How

The number of breaches keeps climbing. Corporate transparency keeps falling. And victims are left in the dark.

The Year of the Data Breach—And the Cover-Up

Data breaches hit an all-time high in 2025. The Identity Theft Resource Center tracked 3,322 separate compromises across the United States—a 79% increase over just five years and the third consecutive year with more than 3,000 incidents.

But the real story isn't the number of breaches. It's what companies refuse to tell you about them.

According to the ITRC's 20th annual data breach report, 70% of breach notifications in 2025 failed to explain how the breach occurred. That's up from 65% in 2024 and a dramatic collapse from 2020, when nearly 100% of companies disclosed their attack vectors.

The Transparency Crisis

"Businesses should prioritize transparency over liability mitigation," said James E. Lee, President of the ITRC. But that's not what's happening.

The decline in transparency leaves victims unable to assess their risk. It leaves security professionals unable to learn from incidents. And it leaves regulators without the information they need to enforce the law.

The problem isn't a lack of laws. All 50 states plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands require breach notifications. But only 34 states require reporting to a state agency—and even states with strong laws often don't enforce them.

"Most states don't require enough information to be included in breach notices," Lee noted. Notification thresholds vary wildly: Oregon requires disclosure when 250 people are affected, Pennsylvania when 500 are affected, and Alabama only when 1,000 or more are impacted.

Who's Getting Breached

Financial services led all industries with 739 breaches in 2025. Healthcare came second with 534 compromises, followed by professional services (478), manufacturing (299), and education (188).

The professional services sector saw the most significant growth in attacks. These firms often serve as stepping stones—breach one accounting firm or law practice, and you gain access to dozens of their clients.

Social Security numbers were involved in two-thirds of all breach reports. One-third involved either bank accounts or driver's license numbers. These static identifiers—numbers that never change—make victims vulnerable for years after an incident.

The PowerSchool Wake-Up Call

The largest single incident affected PowerSchool, an educational software vendor used by school systems across the country. Discovered on December 28, 2024, and publicly announced on January 29, 2025, the breach required more than 71.9 million victim notices—making it one of the largest in U.S. history.

Over 100 school districts are now involved in related litigation. The breach exposed student records, parent information, and educational data that can never be changed or replaced.

New Laws, Same Problems

California and Oklahoma both strengthened their breach notification laws for 2026. California's SB 446 now requires companies to notify victims within 30 days of discovering a breach—down from the vague "without unreasonable delay" standard. Companies affecting more than 500 California residents must also notify the Attorney General within 15 days.

Oklahoma expanded its definition of protected information to include biometric data and unique electronic identifiers for the first time since 2008.

But laws mean little without enforcement. California's Attorney General secured a $6.75 million fine from one company for misleading the public about a breach's impact—a rare example of accountability. Most violations go unpunished.

What Victims Can Do

The ITRC's advice is direct: freeze your credit and switch to passkeys. These two steps provide the foundation for digital safety in an era when companies won't protect your data and won't tell you when they lose it.

"Consumers must move from reacting to acting," Lee said. "Consumers can take all of the right steps, businesses can have the best cybersecurity and still fall victim to criminals."

The State of More, as the ITRC calls it, means more attacks that are more precise, more automated, and more difficult to detect. And until transparency becomes the norm rather than the exception, victims will continue flying blind.