Q3 data breaches hit 23 million victims, ITRC warns of rising risk

New ITRC figures show over 23 million individuals were affected by confirmed data breaches between July and September 2025.

What happened

According to the Identity Theft Resource Center (ITRC), there were 835 data compromise incidents in Q3 2025, down slightly from 913 in Q2. These breaches impacted over 23 million individuals, with a cumulative 202 million victim notices issued so far this year. Despite the slight quarterly dip, 2025 is on track to surpass previous records, needing only 640 additional compromises in Q4 to break the all-time annual high.

Going deeper

The largest breach in Q3 occurred at credit bureau TransUnion, which resulted in 4.46 million victim notices. The next four largest incidents were all in the healthcare sector: DaVita (2.69 million victims), Anne Arundel Dermatology (1.9 million), Radiology Associates of Richmond (1.4 million), and Absolute Dental Group (1.2 million). These follow a broader pattern from the first half of 2025, when five of the ten biggest breaches involved protected health information.

Out of the 835 Q3 compromises, 749 were confirmed data breaches. These were broken down as follows:

  • 691 cyberattacks: 22,985,802 victims
  • 46 system/human errors: 62,297 victims
  • 33 supply chain breaches: 3,793,381 victims
  • 19 physical breaches: 5,352 victims

The most affected sectors included financial services (188 incidents), healthcare (149), professional services (114), manufacturing (76), and education (45).

What was said

The ITRC outlined an ongoing concern: 71% of Q3 victim notices did not disclose the cause or method of the breach. This is an increase from 69% in the first half of the year. According to the ITRC, failure to disclose the attack vector makes it harder for affected individuals to assess their risk and take protective action.

In response, the ITRC recommends that individuals take proactive steps to protect themselves regardless of whether they’ve received a breach notice. This includes freezing their credit with the three main credit bureaus and adopting strong cybersecurity habits such as enabling multi-factor authentication and using long, unique passwords.

The big picture

According to the report “2025 Mid-Year Email Breach Data Reveals There’s No Slowing Down,” healthcare remains one of the most heavily targeted sectors contributing to this year’s record breach activity. By July, 107 email-related incidents had already been reported to the HHS Office for Civil Rights (OCR), keeping pace with the 180 reported in all of 2024. The average cost of a healthcare breach has now reached $11 million, the highest of any industry for 14 consecutive years.

Most of these breaches stem from hacking or IT incidents rather than accidental disclosures. The report found that 81% of healthcare email breaches involved cyberattacks, with Microsoft 365 platforms accounting for over half of those cases due to configuration flaws and credential compromises. Compounding the issue is the rise of “Shadow AI,” as nearly all surveyed organizations (95%) suspect staff are already using generative AI tools without oversight. These unmonitored tools introduce new attack surfaces and are expected to accelerate the growth of AI-powered phishing and impersonation campaigns, a risk that mirrors the wider surge in identity-based attacks seen across industries in 2025.

FAQs

What is a victim notice, and why is it important?

A victim notice is a formal notification sent to individuals whose data was compromised. It alerts them to the breach and provides guidance on protective steps, such as credit monitoring.

Why are attack vectors often missing from breach notices?

Organizations may withhold details due to ongoing investigations, legal advice, or reputational concerns. However, this limits victims’ ability to understand the nature and risk of the exposure.

What is the difference between a data compromise and a data breach?

A data compromise includes any incident where data security is affected, while a data breach specifically refers to confirmed unauthorized access, exposure, or theft of data.

How does a credit freeze help after a breach?

Freezing your credit prevents new accounts from being opened in your name without your approval, offering protection against identity theft even if your data has been leaked.

What role do supply chain attacks play in data breaches?

Supply chain attacks target third-party vendors or partners, which can lead to widespread impact if those vendors provide services to multiple organizations across sectors.