For purposes of quarterly and annual reporting, the ITRC aggregates data events based on the date the breach, exposure or leak was entered into the database rather than the date the event occurred. This avoids the confusion and data conflicts associated with the need to routinely update previous reports and compromise totals. The date of the original compromise, if known, and the date of the event report are noted in the ITRC’s Breach Alert data compromise tracking database.
The number of victims linked to individual compromises are updated as needed and can be accessed in the ITRC’s Breach Alert breach tracking solution. The ITRC reports Third-Party/Supply Chain Attacks as a single attack against the company that lost control of the information. The total number of individuals impacted by third-party incidents is based on notices sent by the multiple organizations impacted by the single data compromise.
Unless otherwise noted, all data reported here was entered into the ITRC Breach Alert database between January 7, 2025, through June 30, 2025.
