It’s the letter most consumers dread receiving: a notification that your personal information has been involved in a data breach.
According to the Identity Theft Resource Center, approximately 80% of respondents to a new survey said they had received at least one data breach notification in the past 12 months.
Almost 40% of respondents received between 3 and 5 separate notifications during that period. The survey was conducted in November among 1,040 people.
Among those who recently received a data breach notification, the study found that 88% reported at least one negative impact, including an increase in phishing and other fraudulent activity, an increase in spam and robocalls, and account takeover attempts.
The number of data breaches increased by 5% last year, hitting a new record of 3,322 in 2025, compared to 3,152 in 2024, according to the ITRC’s new annual report. The nonprofit organization has been tracking public reports of data breaches for 20 years.
ITRC Chairman James E. Lee said, “Once again, the number of reported breaches in a single year has exceeded the previous year.”
New questions about government data processing
The new data comes amid renewed scrutiny of the government’s handling of personally identifiable information at the Social Security Administration.
The Department of Justice recently filed new information in a lawsuit involving the Social Security Administration, revealing alleged mishandling of personal data at the agency.
The court filing includes “communications, data uses, and other actions” by the Social Security Administration’s Office of Government Efficiency team that the Justice Department said “may deviate” from the agency’s policies and/or do not comply with a March temporary restraining order that barred DOGE from accessing the agency’s personally identifiable information.
According to the Department of Justice, the communications sent through encrypted, password-protected email attachments contained personal information about approximately 1,000 people, including names and addresses. It is unclear whether the passwords needed to access the data were also shared, the filing said.

The new court filing follows an August whistleblower report by the Social Security Administration’s former chief data officer alleging “serious data security deficiencies” that could jeopardize the security of more than 300 million Americans’ data, including the use of vulnerable cloud servers.
Social Security Administration Secretary Frank Bisignano told CNBC on Thursday: “We’re doing a triple review, and I can tell you that Americans’ data is safe and in good standing.”
In a subsequent statement, a spokesperson for the Social Security Administration told CNBC.com via email that the agency is “committed to protecting the personal data of all Americans.”
“Our systems are continuously monitored by career professionals in accordance with federal and industry security standards,” the spokesperson said.
“Everyone’s identity has already been stolen.”
Experts say it’s generally best for consumers to assume that their data has already been exposed in various breaches.
“Everyone’s identity has already been stolen,” said Heywood Talcove, CEO of government at LexisNexis Risk Solutions. “The only question is whether it was used.”
Consumers may not have all the information about how their personal information was compromised.
Federal data breaches are not always made public because the government is typically exempt from state data breach laws, Lee said.
Additionally, organizations that provide data breach notifications are reducing the amount of information they include in their disclosures due to litigation risk, Lee said. In 2020, all organizations involved in such events provided information about what, how and why the breach occurred and what they did in response, he said. By 2025, that applied to only 30% of notifications, he said.
According to Lee, the remaining 70% of data breach notifications last year lacked actionable information.
According to the ITRC’s annual report, the top industries with data breaches in 2025 include financial services, healthcare, professional services, manufacturing, and education.
Steps to protect your personal data
By taking certain steps, Talcove said, you can significantly increase your chances of “not having a bad day” and “be better off than virtually everyone else in the country.”
Sign up for Informed Delivery: This is a free service from the U.S. Postal Service that sends preview images of incoming mail, Talcove said. Registering also heads off attempts by criminals to use the service to see when checks and other valuables will arrive in your mailbox, Talcove said.
Sign up for a real estate fraud alert: If you own a home, go to your local county and set up an alert on your title, Talcove said. That way, he said, you’ll be notified if someone tries to steal your title.
Freeze your credit: Do this with all major credit bureaus (Experian, Equifax, and TransUnion) to prevent identity thieves from opening new accounts in your name. According to the Identity Theft Resource Center, this step is the “most effective method” to prevent fraudulent account openings.
Set up account alerts: Do this for all your bank and other financial accounts so you can see when your money is leaving, Talcove said.
Use passkeys: Use passkeys instead of passwords whenever possible, Lee said. Passkeys allow you to sign in to your account using your fingerprint, face scan, or PIN instead of a password, making them more resistant to data breaches and phishing scams.
Use a password manager: Lee said this is a smart step for accounts that still require passwords. This ensures that each account has a unique and complex password, eliminating the temptation to use the same password for multiple accounts.
Add multi-factor authentication: This requires two or more pieces of identification to log in to your account. Use it especially for accounts that include sensitive information, such as email or banking.
Correction: This article has been corrected to reflect that the number of data breaches has increased by 5% in the last year. A previous version used incorrect terminology for rate of change provided by the Identity Theft Resource Center, but the website has since been updated.
