Breaches Up, Number of Victims Down, Impact Stronger
If 2025 seemed like a particularly active year for security, that’s because it was. The U.S. clocked 3,322 data compromises—a 79% uptick over the past five years that set a new record, according to the Identity Theft Resource Center 2025 Data Breach Report.
The number of victims, though, dropped to 278.8 million from 1.36 billion the year before. If that sounds like good news, think again. The researchers at ITRC say that though that is the lowest number of victims since 2014, the drop simply reflects “quality over quantity,” with attackers simply “being more effective.”
The number of ransomware attacks was also on the downswing last year—dropping for a second year, which ITRC says can be attributed to attackers switching tactics, stealing data “instead of encrypting it.” Not surprisingly, one attack vector that grew was supply chain attacks, which doubled from 2021 to 2025, with 30% of all breaches now involving a third party.
“Modern data breaches seldom begin with a ‘Hollywood-style’ hack of a core system. More often, they originate from forgotten development environments, over-permissioned service accounts, or third-party integrations that bypass normal security controls,” says Heath Renfrow, co-founder and CISO at Fenix24.
Attackers squarely took aim at professional services, which lodged the biggest jump in attacks, the report says. Bad actors typically tap members of that sector—lawyers, accountants, consultants and the like—to get to their clients. But financial services are still the prime target for attack.
Sounds like a good time to inform consumers and other organizations of the risk, right? Disturbingly, that’s not the case, with those potential victims being left “totally in the dark about what went wrong and how they can protect themselves from similar attacks.” That’s a break from the tactics of 2020 when “nearly every company gave details on the cause of the breach; by 2025, only 30% did,” the report said.
And if you had any hope that old data was no longer dangerous, let me dash it. In a new trend, hackers are using AI to “repackage” previously compromised data (PCD) to launch new attacks, including account takeover and new account creation.
Who pays for all these foibles? Why, increasingly the consumer. “Almost 40% of small businesses are passing their breach cleanup costs on to consumers through price increases, turning cyber-risk into a national inflationary issue,” the report said.
“Small and mid-sized enterprises are often underserved when it comes to the implementation of cybersecurity best practices, even though we find that they are 2.5x more likely to face cyber incidents,” says Matthieu Chan Tsin, senior vice president, head of cybersecurity services at Cowbell.
“This means that many of them are both unable to adequately defend themselves against cyber-attacks, as well as recover as quickly as they need to after an incident occurs,” he says.
And, he says, “Unfortunately, it is not just the obvious consequences like ransom payments, business interruption, and corrupted data that victims of a cyber event must worry about, but also the risk of a legal lawsuit after client, vendor, or partner data is exposed.”
Most consumers, 80%, have received a data breach notice in 12 months, with 40% receiving 3-5 separate notices in that same time period. Nearly nine in ten (88%) of those receiving a notice “experienced at least one negative consequence after a breach.”
The scenario is not likely to improve soon, and in fact, security will be challenged further by emerging technologies. “The combination of AI and quantum computing could signal the downfall of many existing security practices,” says Adam Everspaugh, cryptography expert at Keeper Security.
Noting that “AI-generated voice and video deepfakes are becoming increasingly realistic and accessible,” Everspaugh says, “voice and video-based authentication techniques will become less useful in 2026 as attackers start to exploit this technology.”
The result will be “a rise in data breaches and account takeovers, forcing firms to replace long-standing verification methods with fake-resistant alternatives,” he contends.
Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, says that new AI tools and open-source software “being rapidly created and shared every day” and used without the right guardrails and education are a growing threat. “Developing AI literacy is essential due to the growing list of challenges for humans when AI is used,” says Simberkoff, pointing to findings from the State of AI in 2025 report, which shows “99.5% of organizations have used a range of interventions to strengthen AI literacy among employees.”
With traditional security approaches no longer sufficient, John Watters, CEO and managing partner of iCOUNTER, says, “To effectively defend against AI-driven rapid developments in targeted attacks, organizations need more than mere actionable intelligence—they need AI-powered analysis of attack innovations and insights into their own specific weaknesses that can be exploited by external parties.”
Organizations are in a Race Against Time to Respond to Breaches
“The window between initial access and public disclosure has collapsed. Organizations no longer have days or weeks to quietly investigate. They have hours,” says Renfrow. “That compresses technical response, legal analysis, and communications into a single operational problem. In 2026, incident response is as much about narrative control as it is about containment.”
As the report findings show, consumers at least have had enough and want more details on breaches—“75% want a specific list of the personal data that was compromised, among other public policy updates.”

