by Herb Weisbaum, The ConsumerMan

Last updated February 12, 2026

There’s a good chance you’ve received a data breach notice recently—perhaps several within the last year.

Data breaches have become “a near-universal experience for consumers,” according to the new Data Breach 2025 Report from the nonprofit Identity Theft Resource Center (ITRC). A survey done for that report found that 80 percent of American adults reported receiving a breach notice in the past 12 months; nearly 40 percent said they’d received between three to five.

The constant stream of breach notices is causing anxiety, fear, and frustration, survey respondents said. Their prime concern—and rightly so—is that their stolen information will be used to commit financial fraud.

“The 2025 data make it clear that people have to be on guard for a wide range of identity misuse that results from data breaches,” said ITRC president James Lee. “They should expect to see more phishing attacks like spam calls, emails, and texts, as well as attempted and actual account takeovers.”

Armed with the personal data stolen in these breaches, criminals can tailor their attacks, making them more effective. As a result, fraudulent emails and phone calls are becoming harder to detect.

Many people recognize the growing threat and take steps to protect themselves after being notified of a breach, such as changing the passwords on affected accounts, the survey found. But there’s also a “significant undercurrent of breach fatigue and powerlessness” felt by those who didn’t do anything after receiving a breach notification, the report noted. Nearly half (46 percent) said they felt there was nothing they could do that would help protect their personal information.

“Now is not the time to relax and adopt an ‘I can’t do anything about it’ attitude,” Lee told Checkbook. “There are actions people can and should take before and after they receive a data breach notice.”

Lack of Transparency Grows 

The U.S. experienced a record number of data breaches last year, with hackers compromising 3,322 databases, up five percent from 2024, according to the ITRC report. And that’s a conservative estimate, since some types of breaches are not required to be made public.

All 50 states have breach notification laws, but only 30 percent of notices sent last year included details on the cause of the breach, leaving consumers in the dark about what went wrong.

The ITRC would like to see new state laws and regulations that would require public notifications to include the exact cause of the breach, in clear non-technical terms, and a list of the specific personal data that was compromised (or potentially compromised), such as Social Security numbers, credit card information, driver’s license numbers, or birthdates.

“We need to know that,” Lee said, “so we know how to defend ourselves.”

What to Do When You Receive a Data Breach Notice

If you are notified that a database containing your personal information was compromised—even if the notice says there’s no indication that data has been used by criminals— there are steps you should take to protect yourself. Here’s what the ITRC recommends:

Change impacted passwords: Immediately update the password for the affected account and any other accounts where you used that same password. Security experts warn against using a password across multiple accounts, yet people do it.

When possible, switch to passkeys instead of passwords. As Checkbook explains in this article, passkeys are significantly more secure than passwords because they are encrypted and cannot be lost or stolen.

Place a security freeze with the three major credit bureaus: This is the most effective way to prevent identity theft. It bars any activity that requires a credit check, such as opening a new bank account, getting a new credit card, or renting an apartment in your name.

NOTE: Don’t wait for a breach notice to freeze your credit files. You need to do this at each website for Equifax, Experian, and TransUnion. It’s free.

Be vigilant: Armed with your personal information, cybercriminals could attempt to access your financial or medical accounts. It’s a good idea to monitor those accounts more frequently than normal. When it comes to identity theft, quickly spotting the problem can reduce the harm.

Be highly suspicious: Take your time before responding to any unsolicited emails, texts, or calls. Make sure they’re legit. Criminals may use your compromised information to tailor their nefarious communications with you.

The ITRC survey found that more than a third (36 percent) of people who received breach notices didn’t take any action because they suspected it was a scam. You can verify the notice through the company’s official website.

Sign up for free monitoring: Most companies offer free credit or identity monitoring from a third party in their breach notices. It’s free, so why not get the extra protection? That monitoring company could spot potentially fraudulent activity. Expect to get pitches from the monitoring company for “premium” services. You do not need to pay for them.

Be Proactive

There are many things you can do to protect your identity. Here are some resources from Checkbook:

 

Become a Smarter Consumer Get free, expert advice delivered to your inbox every Wednesday when you sign up for the Weekly Checklist newsletter.



Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He has been protecting consumers for more than 40 years, having covered the consumer beat for CBS News, The Today Show, and NBCNews.com. You can also find him on Facebook, Blue Sky, X, Instagram, and at ConsumerMan.com.