It’s the letter most consumers dread receiving — the notification that your personal information has been involved in a data breach.
About 80% of respondents to a new survey said they received at least one data breach notice in the prior 12 months, according to the Identity Theft Resource Center.
Nearly 40% of respondents received three to five separate notices over that period. The survey polled 1,040 individuals in November.
Of those who recently received a data breach notice, 88% reported at least one negative consequence, such as increased phishing or other scam attempts, more spam emails or robocalls or an attempted account takeover, the survey found.
The number of data compromises rose 5% last year — with 3,322 events in 2025 versus 3,152 in 2024 — a record, according to the ITRC’s new annual report. The nonprofit organization has been tracking public reports of data compromises for 20 years.
“We have once again had more breaches in a single year reported than in any previous year,” said ITRC President James E. Lee.
New questions about government data handling
The new data comes amid new scrutiny of the government’s handling of personally identifiable information at the Social Security Administration.
The Justice Department recently submitted new information in a court case involving the Social Security Administration, which reveals alleged mishandling of personal data at the agency.
The court filing includes “communications, use of data, and other actions” by the Department of Government Efficiency team at the Social Security Administration that the Justice Department described as “potentially outside” of the agency’s policy and/or not compliant with a March temporary restraining order that barred DOGE access to the agency’s personally identifiable information.
Personal information, including names and addresses, of about 1,000 people was included in correspondence sent via an encrypted, password-protected email attachment, according to a Justice Department example. It is unclear whether the password needed to access the data was also shared, according to the filing.
The new court filing follows an August whistleblower report by the Social Security Administration’s former chief data officer alleging “serious data security lapses” that may put the security of more than 300 million Americans’ data at risk, including the use of a vulnerable cloud server.
“We’re doing a triple review, but I would say Americans’ data is secure and in good shape,” Social Security Administration Commissioner Frank Bisignano told CNBC on Thursday.
In a follow-up statement, a Social Security Administration spokesperson told CNBC.com via email that the agency is “committed to safeguarding the personal data of every American.”
“Our systems are continuously monitored by career professionals in accordance with federal and industry security standards,” the spokesperson said.
‘Everyone’s identity has already been stolen’
Experts say it’s generally best for consumers to assume their data has already been exposed in various breaches.
“Everyone’s identity has already been stolen,” said Haywood Talcove, CEO of government at LexisNexis Risk Solutions. “The only question is, has it been used?”
Consumers may not have all the information about how their personal information has been compromised.
Because the government is generally exempt from state data breach laws, federal data breaches are not always public, Lee said.
Moreover, organizations that provide data breach notices have reduced the amount of information included in those disclosures due to litigation risk, according to Lee. In 2020, all organizations involved in such events provided information around what, how and why a breach happened, and what they did in response, he said. By 2025, that only applied to 30% of notices, he said.
The remaining 70% of data breach notices from the last year lacked actionable information, according to Lee.
The top industries to see data compromises in 2025 included financial services, health care, professional services, manufacturing and education, according to the ITRC’s annual report.
Steps to protect your personal data
By taking certain steps, you can greatly improve your chances of “not getting screwed with” and you “will be better off than virtually every single person in the country,” Talcove said.
- Sign up for Informed Delivery: This is a free service through the U.S. Postal Service that sends you preview images of your incoming mail, Talcove said. By signing up, you can circumvent criminals’ attempts to also use the service to see when a check or other valuable item will be landing in your mailbox, Talcove said.
- Register for a property fraud alert: If you own a home, go to your local county and put an alert on your title, Talcove said. That way, if anyone tries to steal your title, you will be notified, he said.
- Freeze your credit: Doing so with all the major credit bureaus — Experian, Equifax and TransUnion — can prevent identity thieves from opening new accounts in your name. This step is the “most effective way” to prevent unauthorized accounts from being opened, according to the Identity Theft Resource Center.
- Set up account alerts: Do this on all of your bank and other financial accounts so that you see when money is going out, Talcove said.
- Use passkeys: Take advantage of passkeys instead of passwords whenever possible, Lee said. Passkeys let you sign into accounts via fingerprints or face scans or PINs rather than passwords, and they are more resistant to data breaches or phishing scams.
- Use a password manager: It’s a smart step for accounts that still require passwords, according to Lee. This will help ensure that each account has a unique, complex password and remove the temptation to use the same password for multiple accounts.
- Add multifactor authentication: This requires two or more proofs of identity to log in to an account. Add it particularly to accounts with sensitive information, like email and banking.
Correction: This story has been revised to reflect that the number of data compromises rose 5% last year. A previous version used an incorrect term for the percentage change that was provided by the Identity Theft Resource Center, which has since updated its website.


