The number of US corporate data breaches and downstream victims appeared to slow in the third quarter of the year, according to new data from the Identity Theft Resource Center (ITRC).
The nonprofit tracked publicly reported breaches nationwide to compile its Q3 2025 Data Breach Analysis.
It revealed that there were 835 separate data compromises in the period, resulting in around 23 million victim notices.
That’s down somewhat on the first half of the year, when there were 1732 incidents, leading to over 165.7 million breach notifications.
Read more on ITRC news: Mega Data Breaches Push US Victim Count to 1.7 Billion
That said, the US is still on track for another record year for data breaches.
In the first three quarters of 2025, the ITRC tracked 2563 compromises, resulting in nearly 202 million victims. That means it’s only around 640 incidents from an all-time high, and the non-profit hasn’t tracked fewer than 800 compromises in a quarter this year.
The vast majority (83%) of breaches were attributed to cyber-attacks, versus 46 explained by system and human error, 33 supply chain attacks and 19 categorized as physical attacks. Interestingly, the latter appear to be on the rise: the ITRC has recorded 53 physical attacks in 2025 year-to-date, versus just 33 in the whole of 2024.
Among the top corporate victims this quarter were Anne Arundel Dermatology which was forced to send out nine million notices, DaVita (seven million), Radiology Associates of Richmond (four million), TransUnion (4.4 million) and Absolute Dental Group (two million).
The financial services sector was the most impacted in Q3, accounting for 188 compromises, followed by healthcare, professional services, manufacturing and education.
The ITRC criticized the growing trend of data breach notices being issued without any details of how the incident occurred. In Q1, 68% of notices did not include these details, rising to 71% in Q3 2025.
“This troubling trend will continue to leave victims of these breaches vulnerable to identity theft, fraud and scams,” the ITRC warned.
