U.S. data breaches hit record high but victim numbers decline

March 22, 2026 | 9 min read | 10 sources

Background and context

The United States recorded a new high in reported data breaches in 2025, even as the number of affected individuals fell year over year, according to the Identity Theft Resource Center (ITRC). The headline figure matters because it shows that breach activity is still rising, but the shape of that activity appears to be changing. Instead of a handful of giant exposures driving the annual total, the data points to a larger number of smaller or more tightly scoped incidents (Infosecurity Magazine; ITRC).

That distinction is more than statistical trivia. Breach counts and victim counts measure different things. A single software supply-chain event can expose millions of people at once, while dozens of separate credential theft incidents may affect only a few thousand records each. Both patterns are harmful, but they imply different weaknesses in enterprise security and different consequences for consumers.

ITRC has tracked U.S. breach disclosures for years, and its reports have repeatedly shown that the volume of incidents remains stubbornly high. Recent years have also brought stronger disclosure expectations from regulators, more public reporting by victims, and more extortion-driven attacks in which criminals steal data before encrypting systems. Those shifts can increase the number of reportable incidents even when total exposed records do not spike in parallel (ITRC Data Breach Reports).

The broader backdrop supports that interpretation. Verizon’s Data Breach Investigations Report has consistently found that credential abuse, phishing, exploitation of vulnerabilities, and third-party involvement remain central drivers of breaches, while ransomware and data extortion continue to shape incident response across sectors (Verizon DBIR). CISA and FBI alerts have likewise warned that internet-facing appliances, remote access tools, and identity systems remain common entry points for attackers (CISA Advisories).

What may be driving more breaches but fewer victims

The most plausible explanation is fragmentation. Attackers are still getting in, but many incidents are hitting narrower datasets, single business units, specific vendors, or limited groups of customers rather than massive consumer databases. That can happen for several reasons.

First, identity attacks continue to scale well for criminals. Phishing kits, infostealer malware, session cookie theft, MFA fatigue attacks, and password reuse all create frequent opportunities for compromise without necessarily producing a mega-breach. If a criminal logs into a payroll portal or a departmental SaaS account, the resulting incident may be serious but limited in scope (Microsoft threat intelligence).

Second, ransomware operations increasingly combine exfiltration and extortion. In many cases, the attacker is not trying to dump the largest possible database onto the internet. The goal is leverage: steal enough sensitive data to pressure the victim into paying. That can lead to many reportable breaches involving employee files, contracts, medical documents, or financial records, but each event may involve fewer people than classic mass-exposure incidents. CISA has repeatedly noted that data theft is now a standard part of ransomware tradecraft (CISA StopRansomware).

Third, third-party and supply-chain incidents can inflate breach counts in a different way. When a service provider is compromised, multiple downstream organizations may each have separate notification duties. The result can be one technical intrusion that turns into many legally distinct breach disclosures. Depending on how much data each customer stored with the vendor, total victim numbers may not rise at the same pace as incident totals.

Fourth, better segmentation and earlier detection may be limiting blast radius in some environments. Security teams are not preventing enough intrusions, but they may be containing them faster. If an organization detects suspicious activity before attackers move laterally into broader customer databases, the breach still counts, yet the number of exposed individuals can stay lower.

Finally, cloud and SaaS adoption has changed breach mechanics. Misconfigured storage, exposed API keys, weak identity governance, and over-privileged service accounts can all create reportable incidents. These are often messy, recurring failures rather than one-time catastrophic leaks. They are frequent, and they are often preventable.

Technical details readers should watch

Although the ITRC figures describe a trend rather than a single campaign, the technical patterns behind the rise in breaches are familiar. Public-facing systems remain a major weak point, especially remote access appliances, file transfer tools, identity platforms, and edge devices. Over the last two years, defenders have repeatedly dealt with mass exploitation of internet-facing software, from secure file transfer tools to VPN and gateway products. Once attackers gain initial access, they commonly pivot to credential harvesting, privilege escalation, data staging, and exfiltration.

Identity is a recurring thread. A stolen password is still useful, but attackers increasingly target tokens, cookies, and federated access paths that bypass traditional password controls. That is one reason phishing-resistant MFA and tighter conditional access policies have become more important. Where organizations still rely on weak MFA implementations, social engineering can bridge the gap.

Another trend is the continued convergence of cybercrime tools. The same criminal ecosystem that sells stolen credentials also supports ransomware affiliates, infostealer operators, and initial access brokers. That makes breach activity more industrialized and more frequent. IBM’s annual cost analysis has shown that compromised credentials remain one of the costliest and most persistent causes of breaches, while detection and containment times strongly influence total damage (IBM Cost of a Data Breach Report).

For consumers, the technical details may sound abstract, but the practical result is simple: a breach no longer has to be huge to be dangerous. A small compromise involving tax records, health information, or HR files can be more damaging than a larger leak of basic contact data.

Impact assessment

The sectors most likely to feel this trend are the same ones that sit on large stores of personal and regulated data: healthcare, financial services, education, retail, government, and professional services. Healthcare deserves special attention because HHS’s breach portal continues to show a steady stream of incidents involving providers, insurers, and business associates, often with sensitive medical and billing information at stake (HHS OCR Breach Portal).

For businesses, a record breach count means more legal review, more notification work, more forensic investigations, and more pressure from insurers and regulators. Even a relatively small incident can trigger state notification laws, contractual duties, class-action risk, and reputational damage. Public companies also face investor scrutiny under SEC cyber disclosure rules when incidents are material (SEC cybersecurity disclosure guidance).

For individuals, a decline in total victim numbers should not be read as reassurance. The severity of harm depends on the type of data exposed, not just the number of records. A breach involving Social Security numbers, health data, driver’s license details, or payroll information can enable identity theft, tax fraud, account takeover, medical fraud, and targeted phishing. Notification fatigue is another concern: when people receive repeated breach notices, they may stop taking action.

From a national risk perspective, the trend suggests the U.S. still has a prevention problem, but perhaps a somewhat improved containment picture in some cases. More incidents with fewer victims could mean organizations are segmenting data better or catching intrusions earlier. It could also simply mean threat actors are spreading their efforts across more targets and monetizing smaller hauls more efficiently. Either way, the volume of breaches remains too high.

How to protect yourself

For organizations, the priorities are well known and still too often unfinished:

1. Harden identity systems. Use phishing-resistant MFA where possible, reduce standing privileges, review conditional access, and monitor for impossible travel, token misuse, and suspicious login patterns. Identity is now one of the main battlegrounds.

2. Patch internet-facing systems fast. Remote access tools, file transfer software, firewalls, and edge appliances should be treated as high-priority assets. Maintain an accurate inventory and remove unsupported products. If staff connect remotely, protect sessions with strong authentication and, where appropriate, a reputable VPN service.

3. Limit blast radius. Segment sensitive data, restrict service account permissions, and separate administrative accounts from everyday user accounts. Good segmentation can turn a major intrusion into a smaller reportable event.

4. Improve third-party oversight. Review what vendors can access, what data they store, and how quickly they must notify you after an incident. Supply-chain risk is now a primary breach driver.

5. Practice exfiltration detection. Many teams focus on ransomware encryption and miss the data theft stage. Monitor unusual archive creation, outbound transfers, and access to sensitive repositories.
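As an added example (not from the article, the ITRC, or any of the vendors cited above), the following Python sketches two of the detections named in the organizational list: the impossible-travel check from item 1 and the outbound-volume check from item 5. Every login record, hostname, IP address, coordinate and threshold in it is constructed for illustration; in a real pipeline the coordinates would come from a GeoIP lookup and the byte counts from flow or proxy logs.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import median

# Fastest plausible legitimate travel (roughly a commercial flight). A higher implied
# speed between two logins suggests a replayed session token or a shared credential.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    src_ip: str
    lat: float  # geolocation of src_ip; in practice from a GeoIP lookup
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins: list[Login], max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[tuple[Login, Login, int]]:
    """Return (earlier, later, implied_kmh) for consecutive logins by one user that are
    too far apart to have been made by the same person in the elapsed time."""
    by_user: dict[str, list[Login]] = defaultdict(list)
    for event in logins:
        by_user[event.user].append(event)
    hits = []
    for events in by_user.values():
        events.sort(key=lambda e: e.ts)
        for earlier, later in zip(events, events[1:]):
            if earlier.src_ip == later.src_ip:
                continue  # same address: no travel implied
            km = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            hours = max((later.ts - earlier.ts).total_seconds(), 1.0) / 3600.0  # floor at 1 s
            speed = km / hours
            if speed > max_kmh:
                hits.append((earlier, later, round(speed)))
    return hits


def egress_anomalies(history: dict[str, list[int]], current: dict[str, int],
                     k: float = 5.0, min_baseline: int = 6) -> dict[str, float]:
    """Flag hosts whose outbound volume this hour exceeds median + k*MAD of their own past
    hourly volumes. Median/MAD are used instead of mean/stddev so that one earlier spike
    does not stretch the baseline and hide the next one."""
    flagged: dict[str, float] = {}
    for host, now in current.items():
        past = history.get(host, [])
        if len(past) < min_baseline:
            continue  # too little history to judge; a real pipeline would fall back to a fleet-wide threshold
        m = median(past)
        mad = median(abs(x - m) for x in past) or 1.0  # avoid dividing by zero on a flat baseline
        score = (now - m) / mad
        if score > k:
            flagged[host] = round(score, 1)
    return flagged


# Constructed sample data (not real users, systems or addresses).
SAMPLE_LOGINS = [
    Login("alice", datetime(2026, 3, 22, 9, 0), "203.0.113.10", 40.71, -74.01),    # New York
    Login("alice", datetime(2026, 3, 22, 9, 40), "198.51.100.7", 51.51, -0.13),    # London, 40 min later
    Login("bob", datetime(2026, 3, 22, 8, 0), "192.0.2.44", 37.77, -122.42),       # San Francisco
    Login("bob", datetime(2026, 3, 22, 8, 30), "192.0.2.44", 37.77, -122.42),      # same address again
    Login("carol", datetime(2026, 3, 22, 10, 0), "203.0.113.55", 41.88, -87.63),   # Chicago
    Login("carol", datetime(2026, 3, 22, 14, 0), "198.51.100.9", 39.74, -104.99),  # Denver, 4 h later
]
# Outbound megabytes per hour for the previous eight hours, then the current hour.
SAMPLE_EGRESS_HISTORY = {
    "fs-01": [120, 130, 110, 125, 135, 118, 122, 128],
    "web-02": [500, 520, 480, 510, 490, 505, 515, 495],
    "new-03": [100, 100],  # freshly deployed: not enough baseline yet
}
SAMPLE_EGRESS_NOW = {"fs-01": 3000, "web-02": 530, "new-03": 9000}


def run_demo() -> tuple[list[tuple[Login, Login, int]], dict[str, float]]:
    return impossible_travel(SAMPLE_LOGINS), egress_anomalies(SAMPLE_EGRESS_HISTORY, SAMPLE_EGRESS_NOW)


if __name__ == "__main__":
    travel, egress = run_demo()
    for a, b, kmh in travel:
        print(f"impossible travel: {a.user} {a.src_ip} -> {b.src_ip} implies {kmh} km/h")
    for host, score in egress.items():
        print(f"egress anomaly: {host} is {score} MADs above its median hourly volume")
```

On the constructed data only alice's New York-to-London pair is flagged (about 5,570 km in 40 minutes), carol's Chicago-to-Denver pair is within flight speed, and only the file server fs-01 trips the egress check; new-03 is skipped because two hours of history is not a baseline, which is the kind of gap an attacker targeting a freshly deployed host would benefit from and a fleet-wide fallback threshold would close.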

For individuals, the advice is equally practical:

1. Treat breach notices seriously. If a company says your data was exposed, act quickly. Change passwords, especially reused ones, and enable MFA on important accounts.

2. Freeze your credit. A credit freeze is one of the best defenses against new-account fraud in the U.S. It is free and can be temporarily lifted when needed.

3. Watch financial and medical statements. Fraud may appear months after a breach. Look for unfamiliar charges, claims, or account changes.

4. Be skeptical of follow-up messages. Criminals often exploit public breach news with phishing emails, fake settlement offers, or bogus support calls.

5. Protect your connections and accounts. Use a password manager, keep devices updated, and when handling sensitive data on public networks, use trusted privacy protections such as hide.me VPN.

What the numbers really mean

The ITRC’s latest findings do not suggest that the breach problem is easing. They suggest it is splintering. The U.S. is seeing more incidents, spread across more organizations, using a familiar mix of identity abuse, ransomware, vendor compromise, and exposed online systems. The fact that fewer people may have been affected overall is welcome, but only in a limited sense. Smaller breaches still carry real consequences, and a record incident count means defenders are still losing too many battles.

The more useful takeaway is that security teams should stop measuring risk with one headline number. A year with fewer victims can still be a bad year if attackers are getting in more often, monetizing access faster, and forcing organizations into constant disclosure mode. That appears to be where the U.S. breach picture now stands.


FAQ

Why can data breaches rise while victim numbers fall?

Because breach count and victim count measure different things. A year can include many smaller incidents affecting limited datasets instead of a few giant breaches exposing tens of millions of records.

What types of attacks are most likely behind the increase in breaches?

Common drivers include phishing, credential theft, ransomware with data exfiltration, third-party vendor compromise, cloud misconfigurations, and exploitation of internet-facing systems.

Does a lower victim count mean the breach problem is getting better?

Not necessarily. Smaller breaches can still expose highly sensitive information, and a record number of incidents means organizations are still being compromised at a very high rate.

Which sectors are most affected by this trend?

Healthcare, financial services, education, retail, government, and professional services are often heavily affected because they store large amounts of personal and regulated data.

What should consumers do after receiving a breach notice?

Change reused passwords, enable MFA, freeze credit, monitor bank and medical statements, and watch for phishing messages that exploit the breach.
