According to the Identity Theft Resource Center, nearly 80% of respondents in a new survey said they received at least one data breach notice in the past 12 months.
About 40% of respondents received three to five different notices during that period. The survey polled 1,040 individuals in November.
The survey found that of those who recently received a data breach notice, 88% reported at least one negative outcome, such as an increase in phishing or other scam attempts, more spam emails or robocalls, or attempted account takeovers.
The number of data compromises increased by 5% last year – with 3,322 incidents in 2025 vs. 3,152 in 2024 – a record, according to ITRC’s new annual report. The non-profit organization has been tracking public reports of data compromises for 20 years.
“We have once again reported more violations in a single year than in any previous year,” the ITRC said. President James E. Lee
New questions about government data management
The new data comes amid new government scrutiny over the handling of personally identifiable information at the Social Security Administration.
The Justice Department recently presented new information in a court case involving the Social Security Administration that reveals alleged misuse of personal data at the agency.
The court filing includes “communications, data use, and other actions” by the Department of Government Efficiency’s team at the Social Security Administration, which the Justice Department described as “potentially outside” the agency’s policy and/or not consistent with the March temporary restraining order that blocked DOGE’s access to the agency’s personally identifiable information.
According to the Justice Department’s example, correspondence sent via encrypted, password-protected email attachments contained personal information, including names and addresses, of approximately 1,000 people. According to the filing, it is not clear whether the password required to access the data was also shared.
The new court filing follows an August whistleblower report by the Social Security Administration’s former chief data officer alleging “serious data security lapses” that could jeopardize the security of data on more than 300 million Americans, including the use of vulnerable cloud servers.
“We’re doing a triple review, but I would say Americans’ data is safe and in good shape,” Social Security Administration Commissioner Frank Bisignano told CNBC on Thursday.
In a follow-up statement, a Social Security Administration spokesperson told CNBC.com via email that the agency is “committed to protecting the personal data of every American.”
“Our systems are continuously monitored by carrier professionals in accordance with federal and industry security standards,” the spokesperson said.
‘Everyone’s identity has already been stolen’
Experts say it’s generally best for consumers to assume that their data has already been exposed in various breaches.
“Everyone’s identity has already been stolen,” said Haywood Talkow, CEO of government at LexisNexis Risk Solutions. “The only question is, has it been used?”
Consumers may not be fully aware of how their personal information has been compromised.
Because the government is generally exempt from state data breach laws, federal data breaches are not always public, Lee said.
Additionally, according to Lee, organizations that provide data breach notices have reduced the amount of information included in those disclosures due to litigation risk. He said that in 2020, all organizations involved in such events provided information on what, how and why the breach occurred and what they did in response. By 2025, it will apply to only 30% of notices, he said.
According to Lee, the remaining 70% of last year’s data breach notices lacked actionable information.
According to ITRC’s annual report, the top industries to see data compromise in 2025 include financial services, healthcare, professional services, manufacturing, and education.
Steps to protect your personal data
By taking a few steps, Talkov said, you can significantly improve your chances of “not getting messed with” and “will be in better shape than almost every single person in the country.”
- Sign up for Informed Delivery: It’s a free service through the U.S. Postal Service that sends you preview images of your incoming mail, Talkow said. By signing up, you can also prevent criminals’ attempts to use this service to see when a check or other valuable item will arrive in your mailbox, Talkov said.
- Register for Property Fraud Alert: If you own a home, go to your local county and put an alert on your ownership, Talkow said. That way, he said, if someone tries to steal your title, you’ll be notified.
- freeze your credit: Doing this with all the major credit bureaus – Experian, Equifax and TransUnion – can prevent identity thieves from opening new accounts in your name. According to the Identity Theft Resource Center, this step is the “most effective way” to prevent unauthorized accounts from being opened.
- Set up account alerts: Do this across all your bank and other financial accounts so you can see when the money is going out, Talkow said.
- Use passkey: Leverage passkeys instead of passwords whenever possible, Lee said. Passkeys let you sign in to accounts via fingerprint or face scan or PIN instead of a password, and they’re more resistant to data breaches or phishing scams.
- Use a password manager: According to Lee, this is a smart move for accounts that still require passwords. This will help ensure that each account has a unique, complex password and remove the temptation to use the same password for multiple accounts.
- Add multifactor authentication: Logging into an account requires two or more proofs of identity, especially for accounts with sensitive information like email and banking.
Correction: This story has been amended to reflect that the number of data compromises has increased by 5% in the past year. The previous version used an incorrect term for the percentage change that was provided by the Identity Theft Resource Center, which has since updated its website.
<a href=