TL;DR:

  • 3,322 data breaches in 2025: a new record, up 79% over five years
  • 70% of breach notices in 2025 didn't explain how the breach happened: up from 65% in 2024 and just 7% in 2020
  • 80% of Americans received at least one breach notice last year: 40% received three to five
  • 88% of breach victims experienced negative consequences: spam, phishing, account takeovers, mental health impacts
  • 46% of victims did nothing because they felt "powerless" or had "breach fatigue"
  • Financial services led all industries with 739 breaches, followed by healthcare (534) and professional services (478)

The Transparency Collapse

Five years ago, when a company got breached, it told you what happened. How attackers got in. What data they took. What you should do about it.

Not anymore.

The Identity Theft Resource Center's 2025 Annual Data Breach Report (their 20th) reveals what security researchers have been warning about for years: corporate America figured out that vague breach notifications face less legal liability. So they stopped being specific.

"Transparency is on life support," the ITRC declared in their report, released during Data Privacy Week 2026.

The numbers are stark. In 2020, nearly 100% of data breach notices included the attack vector, the specific method hackers used to break in. By 2023, that dropped to 55%. By 2024, it was 35%. In 2025? Just 30%.

That means 70% of companies that suffered breaches last year sent victims notices that essentially said: "We got hacked. Here's some free credit monitoring. Good luck."

Why Companies Stopped Talking

ITRC President James E. Lee didn't mince words: "Businesses should prioritize transparency over liability mitigation."

But they don't. Here's why.

The U.S. is a lawsuit-happy country. When a company discloses exactly how attackers broke in (say, an unpatched server or an employee who fell for phishing), that admission becomes evidence in class action lawsuits. Plaintiffs' attorneys love specifics.

So corporate legal departments started advising: say less. State breach notification laws require you to tell people a breach happened. Most don't require you to explain how.

The result? Companies discovered they could technically comply with the law while telling victims almost nothing useful. A breach notice that says "unauthorized access to systems" protects the company's legal position while leaving you unable to assess your own risk.

"A breach is a failure of security, but a lack of disclosure is a failure of trust," Lee said.

Companies have chosen to fail at trust.

Record Breaches, Record Silence

Meanwhile, the breaches keep coming: 3,322 data compromises in 2025, up 5% from 2024's 3,152, and a staggering 79% increase over five years.

The 2025 numbers would look even worse if attackers hadn't shifted tactics. In 2024, we saw mega-breaches: Ticketmaster, Change Healthcare, each exposing hundreds of millions of records in single incidents. Those generated massive victim notification counts.

In 2025, hackers went smaller and more targeted. More frequent attacks on high-value data repositories. Social Security numbers, driver's licenses, bank account information: the "static identifiers" you can't change, unlike a credit card number.

Two-thirds of 2025 breaches involved Social Security numbers. One-third involved bank accounts or driver's license numbers. This is the data identity thieves actually want.

And here's the kicker: hackers are using AI to repackage old stolen data for new attacks. One of 2025's top compromises used records from a 2021 AT&T breach. Your data from years ago is still being weaponized today.

Who Got Hit Hardest

Financial services led all industries with 739 breaches in 2025. Banks, investment firms, payment processors: the places holding your most sensitive financial data.

Healthcare came second with 534 breaches. Medical records are particularly valuable because they contain everything: Social Security numbers, insurance information, addresses, and health details useful for social engineering.

Professional services (478 breaches) rounded out the top three. Law firms, accounting firms, consultants: organizations that hold other companies' secrets and often have weaker security than their clients.

Manufacturing (299) and education (188) followed. The PowerSchool breach, discovered on December 28, 2024, eventually generated 71.9 million victim notifications, one of the largest in U.S. history.

You're Not Crazy. It's Breach Fatigue

The ITRC surveyed 1,040 Americans about their breach experiences. The results explain why so many people have given up.

80% received at least one breach notification in the past year. 40% received between three and five. Some people got so many they lost count.

When breaches become constant, people stop responding. Of those who received notices, 46% took no protective action. Nearly half (48.3%) cited "breach fatigue": they'd gotten so many notices that another one just didn't register as urgent anymore.

Another 46.1% said they felt "helpless": there was nothing they could do that would actually protect them. When every major company has already lost your data, what's one more breach?

They're not entirely wrong. If your Social Security number has been exposed in five different breaches over the past decade (which is increasingly common), freezing your credit for the sixth breach feels like closing the barn door years after the horses left.

The Consequences Are Real

Breach fatigue might be understandable, but the consequences of inaction aren't theoretical.

88% of breach victims experienced at least one negative outcome:

  • 49% saw increased spam and robocalls
  • 40% received more phishing attempts
  • 40% faced account takeover attempts

The psychological impact was just as severe. 60% reported immediate anxiety after receiving a breach notice. 59% felt frustration. 50% feared financial fraud.

This isn't paranoia. When criminals have your static identifiers (the data that can't be changed), they can keep using them for years. That 2021 AT&T breach data is still valuable to attackers in 2026.

States Are Finally Getting Serious

While companies hide behind vague notifications and federal regulators remain absent, some states are tightening the rules.

California's SB 446, effective January 1, 2026, imposes real deadlines. Companies must notify victims within 30 days, not "reasonably quickly," not "without unreasonable delay," but 30 days. If 500 or more California residents are affected, the Attorney General must be notified within 15 days.

Oklahoma's SB 626, also effective January 1, 2026, expanded what counts as protected personal information to include biometric data and government-issued IDs. Breaches affecting 500 or more residents must be reported to the state AG within 60 days.

But here's the gap: 20 states still have no specific numeric deadline for notifying victims. The language varies: "expedient," "reasonable," "without unreasonable delay." Those words mean whatever companies want them to mean.

Only 34 states require companies to report breaches to state agencies. In the other 16, breaches can happen and no regulator ever knows, unless victims file complaints.

What You Can Actually Do

The system is failing you, but you're not completely helpless. Most breach victims who took action used these strategies:

  • Change passwords (59.8%): Especially if the breach involved credentials. Use a password manager and unique passwords for every account.
  • Set up passkeys (49.4%): Passkeys are phishing-resistant and increasingly supported. They're better than passwords.
  • Use free credit monitoring (47.1%): The monitoring itself is basic, but the free identity theft insurance that often comes with it can be valuable.
  • Freeze your credit: At all three bureaus (Equifax, Experian, TransUnion). It's free and prevents new accounts from being opened in your name.
  • Request your data broker files: Data broker opt-out services can reduce your exposure, though it's ongoing work rather than a one-time fix.

The ITRC's report noted one hopeful trend: passkey adoption jumped significantly in 2025. Nearly half of breach victims who took action set up passkeys. That's real progress. Passkeys are meaningfully more secure than passwords and can't be phished.

The Real Problem

None of this should be necessary. Companies collect your data. They fail to protect it. They send you a vague letter. And then you're responsible for cleaning up the mess.

James E. Lee put it bluntly: consumers and small businesses are "operating blind." They can't make informed decisions about their own security when companies won't tell them what happened.

The transparency collapse isn't just annoying. It's dangerous. Security researchers can't identify patterns when 70% of breaches are shrouded in vague language. Other organizations can't learn from incidents they don't understand. Regulators can't enforce laws they can't see being violated.

Until companies face real consequences for opacity (not just for breaches, but for hiding the details), this will keep getting worse. The 2020 standard of near-universal transparency didn't disappear because it stopped working. It disappeared because companies realized silence was cheaper than honesty.