Feldnig | E+ | Getty Images
It’s the letter most consumers dread receiving: a notification that your personal information has been involved in a data breach.
According to , nearly 80% of respondents to a new survey said they had received at least one data breach notification in the past 12 months. Identity Theft Resource Center.
Almost 40% of respondents received between 3 and 5 separate notifications during that period. The survey was conducted in November among 1,040 people.
Among those who recently received a data breach notification, the study found that 88% reported at least one negative impact, including an increase in phishing and other fraudulent activity, an increase in spam and robocalls, and account takeover attempts.
Number of data breaches increased by 5% last year, reaching 3,322 in 2025 According to the ITRC’s new annual report, there will be 3,152 people in 2024, a record number. The nonprofit organization has been tracking public reports of data breaches for 20 years.
“The number of breaches reported in a single year has once again exceeded the previous year,” the ITRC said. President James E. Lee.
New questions about government data processing
The new data comes amid renewed scrutiny of the government’s handling of personally identifiable information at the Social Security Administration.
The Department of Justice recently filed new information A lawsuit involving the Social Security Administration reveals allegations of improper handling of personal data at the agency.
The court filing includes “communications, data uses, and other actions” by the Social Security Administration’s Office of Government Efficiency team that the Justice Department said “may deviate” from the agency’s policies and/or do not comply with a March temporary restraining order that barred DOGE from accessing the agency’s personally identifiable information.
According to the Department of Justice, the communications sent through encrypted, password-protected email attachments contained personal information about about 1,000 people, including names and addresses. It is unclear whether the passwords needed to access the data were also shared, the filing said.
A new court filing followed in August. Whistleblowing report The Social Security Administration’s former chief data officer alleged “serious data security flaws” that could jeopardize the security of more than 300 million Americans’ data, including the use of vulnerable cloud servers.
Social Security Administration Secretary Frank Bisignano told CNBC on Thursday: “We’re doing a triple review, and I can tell you that Americans’ data is safe and in good standing.”
In a subsequent statement, a spokesperson for the Social Security Administration told CNBC.com via email that the agency is “committed to protecting the personal data of all Americans.”
“Our systems are continuously monitored by career professionals in accordance with federal and industry security standards,” the spokesperson said.
“Everyone’s identity has already been stolen.”
Experts say it’s generally best for consumers to assume that their data has already been exposed in various breaches.
“Everyone’s identity has already been stolen,” said Heywood Talcove, CEO of government at LexisNexis Risk Solutions. “The only question is whether it was used.”
Consumers may not have all the information about how their personal information was compromised.
Federal data breaches are not always made public because the government is typically exempt from state data breach laws, Lee said.
Additionally, organizations that provide data breach notifications are reducing the amount of information they include in their disclosures due to litigation risk, Lee said. In 2020, all organizations involved in such events provided information about what, how and why the breach occurred and what they did in response, he said. By 2025, it will apply to only 30% of notifications, he said.
According to Lee, the remaining 70% of data breach notifications last year lacked actionable information.
According to the ITRC’s annual report, the top industries with data breaches in 2025 include financial services, healthcare, professional services, manufacturing, and education.
Steps to protect your personal data
By taking certain steps, Talkove said, you can significantly increase your chances of “not having a bad day” and “be better off than virtually everyone else in the country.”
- Sign up for informed delivery: Talcove said it’s a free service provided by the U.S. Postal Service that sends preview images of incoming emails. Registering also avoids attempts by criminals to use the service to see when checks and other valuables will arrive in your mailbox, Talcove said.
- Sign up for property fraud alerts. If you own a home, Talcove says to go to your local county and file a title alert. That way, he said, if someone tries to steal your title, you will be notified.
- freeze your credit: By working with all the major credit bureaus, including Experian, Equifax, and TransUnion, you can prevent identity thieves from opening new accounts in your name. According to the Identity Theft Resource Center, this step is the “most effective method” to prevent fraudulent account openings.
- Set up account alerts. If you do this for all your bank and other financial accounts, you’ll know when money is leaving, Talcove said.
- Use passkey. Lee said to use passkeys instead of passwords whenever possible. Passkeys allow you to sign in to your account using your fingerprint, face scan, or PIN instead of a password, making it more resistant to data breaches and phishing scams.
- Use a password manager. Lee says this is a smart step for accounts that still require passwords. This gives each account a unique and complex password, eliminating the temptation to use the same password for multiple accounts.
- Add multi-factor authentication. Therefore, you will need more than one form of identification to log into your account, especially if it contains sensitive information such as email or banking information.
Correction: This article has been corrected to reflect that the number of data breaches has increased by 5% in the last year. A previous version used incorrect terminology for rate of change provided by the Identity Theft Resource Center, but the website has since been updated.