ITRC 2025 Annual Data Breach Report

Please add your information below to download a copy of the 2025 Annual Data Breach Report PDF

*First Name

*Last Name

*Email

Title

Company

City

State/Province

*Zip

Phone

Mobile

Industry–None–AgricultureApparelBankingBiotechnologyChemicalsCommunicationsConstructionConsultingEducationElectronicsEnergyEngineeringEntertainmentEnvironmentalFinanceFood & BeverageGovernmentHealthcareHospitalityInsuranceMachineryManufacturingMediaNot For ProfitOtherRecreationRetailShippingTechnologyTelecommunicationsTransportationUtilities

Employees

 

 

 

About the 2025 Annual Data Breach Report

Since 2005, the Identity Theft Resource Center has tracked publicly reported data breaches in the United States. What began as a collection of basic information has grown into a database of more than 25.2K tracked data compromises, leading to nearly 12B victim notices and exposing approximately 79B records. Now in its 20th year, the ITRC’s 2025 Data Breach Report looks at the number of data compromises, the types of data compromised, the root causes of data compromises and much more. The ITRC uses information voluntarily collected from you to communicate effectively and efficiently with you and to provide best-in-class services. The ITRC does not sell or share any information about individual users. For more details, read our privacy policy.

Data Breach Report Methodology

For purposes of reporting, the ITRC aggregates data events based on the date the breach, exposure, or leak was entered into the database rather than the date the event occurred. This avoids the confusion and data conflicts associated with the need to routinely update previous reports and compromise totals. The date of the original compromise, if known, and the date of the event report are noted in the ITRC’s comprehensive data breach database.

The number of victims linked to individual compromises are updated as needed and can be accessed in the ITRC’s data breach tracking solution.

The ITRC reports Third-Party/Supply Chain Attacks as a single attack against the company that lost control of the information. The total number of individuals impacted by third-party incidents is based on notices sent by the multiple organizations impacted by the single data compromise.

In November 2025, the ITRC asked 1,040 consumers selected at random via the online survey platform SurveyMonkey if they had received a data breach notice in the past 12 months, and their attitudes and actions following receiving the notice. Respondents were primarily tech-literate, middle-aged, mid-to-upper income and used mobile devices.