U.S. Data Breaches Remain at Record Highs in 2025, Driven by Social Engineering
The Identity Theft Resource Center’s (ITRC) 2025 Data Breach Report reveals that U.S. data compromises continue at near-record levels, with 3,322 publicly reported incidents this year. Phishing, smishing, and business email compromise (BEC) remain the leading causes, reinforcing social engineering as the dominant attack vector for cybercriminals.
A concerning trend is the decline in breach transparency: only 30% of 2025 breach notices disclosed how incidents occurred, down from near-universal reporting five years ago. This lack of clarity complicates risk assessment for investors and hampers the development of effective defensive strategies for organizations.
The economic impact of cyber incidents is particularly severe for small businesses, with 81% reporting a breach or attack and nearly 40% raising prices to cover remediation costs. The ITRC suggests these dynamics may contribute to inflation, as financial burdens are passed on to consumers.
Individuals also face significant losses, with a notable share of victims reporting fraud-related damages exceeding $10,000, and some experiencing six- or seven-figure impacts. Beyond financial harm, the report highlights severe non-financial consequences, including a majority of victims considering self-harm, underscoring the broader societal and regulatory urgency around identity protection.
For small businesses, the ITRC recommends layered defenses, including strict access controls, strong authentication, vendor risk oversight, automated patching, and continuous employee training to combat social engineering. Additionally, reducing publicly available employee data such as information on data broker sites could limit attackers’ ability to craft targeted phishing and BEC campaigns.
From an investor perspective, the report signals a growing market for cybersecurity and identity-protection solutions, particularly those addressing social engineering and data-broker risks. While demand for such services may rise, competitive pressures, regulatory changes, and customer spending trends will shape the long-term financial impact.
Small Businesses TPRM report: https://www.rankiteo.com/company/small-business-majority
"id": "sma1770949658",
"linkid": "small-business-majority",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '81% reported a breach or attack',
'location': 'U.S.',
'size': 'Small',
'type': 'Small Businesses'},
{'customers_affected': 'Majority experienced financial '
'and non-financial consequences',
'location': 'U.S.',
'type': 'Individuals'}],
'attack_vector': ['Phishing', 'Smishing', 'Business Email Compromise (BEC)'],
'data_breach': {'personally_identifiable_information': 'Likely',
'sensitivity_of_data': 'Personally Identifiable Information '
'(PII) likely compromised'},
'date_publicly_disclosed': '2025',
'description': 'The Identity Theft Resource Center’s (ITRC) 2025 Data Breach '
'Report reveals that U.S. data compromises continue at '
'near-record levels, with 3,322 publicly reported incidents '
'this year. Phishing, smishing, and business email compromise '
'(BEC) remain the leading causes, reinforcing social '
'engineering as the dominant attack vector for cybercriminals. '
'A concerning trend is the decline in breach transparency, '
'with only 30% of 2025 breach notices disclosing how incidents '
'occurred. The economic impact is severe for small businesses, '
'with 81% reporting a breach or attack and nearly 40% raising '
'prices to cover remediation costs. Individuals face '
'significant financial and non-financial consequences, '
'including fraud-related damages and severe emotional '
'distress.',
'impact': {'financial_loss': 'Fraud-related damages exceeding $10,000 for '
'individuals; some experiencing six- or '
'seven-figure impacts',
'identity_theft_risk': 'High',
'operational_impact': 'Nearly 40% of small businesses raised '
'prices to cover remediation costs'},
'lessons_learned': 'Decline in breach transparency complicates risk '
'assessment and defensive strategy development. Social '
'engineering remains the dominant attack vector, requiring '
'layered defenses such as strict access controls, strong '
'authentication, vendor risk oversight, automated '
'patching, and continuous employee training.',
'motivation': ['Financial Gain', 'Data Exfiltration'],
'post_incident_analysis': {'corrective_actions': 'Layered defenses, employee '
'training, and reducing '
'publicly available employee '
'data',
'root_causes': 'Social engineering (phishing, '
'smishing, BEC) and lack of breach '
'transparency'},
'recommendations': ['Implement layered defenses including strict access '
'controls and strong authentication',
'Oversee vendor risks',
'Automate patching processes',
'Conduct continuous employee training to combat social '
'engineering',
'Reduce publicly available employee data to limit '
'targeted phishing and BEC campaigns'],
'references': [{'date_accessed': '2025',
'source': 'Identity Theft Resource Center (ITRC)'}],
'stakeholder_advisories': 'Investors should note the growing market for '
'cybersecurity and identity-protection solutions, '
'particularly those addressing social engineering '
'and data-broker risks.',
'title': 'U.S. Data Breaches Remain at Record Highs in 2025, Driven by Social '
'Engineering',
'type': 'Data Breach',
'vulnerability_exploited': 'Social Engineering'}