{
  "slug": "data-breach-exposure",
  "question": "What are the odds of your personal data being exposed in a data breach?",
  "category": "tech",
  "tags": [
    "digital-fraud"
  ],
  "no_reliable_estimate": false,
  "perceived": {
    "description": "Gallup does not poll data breaches specifically, but its closest proxy — identity theft — tops the annual crime-worry list. In the October 2024 wave, 69% of US adults said they worry frequently or occasionally about having their identity stolen, the highest figure on the survey. Because identity theft is overwhelmingly downstream of data breaches, the 69% figure is a reasonable proxy for breach-related anxiety. A 2023 Pew Research survey separately found that 79% of US adults expressed concern about how companies use their personal data.\n",
    "rough_estimate": "69% of US adults worry about identity theft, the nearest proxy (Gallup 2024)",
    "kind": "survey",
    "survey_source": {
      "title": "Crime — Gallup Historical Trends",
      "publisher": "Gallup",
      "url": "https://news.gallup.com/poll/1603/crime.aspx",
      "year": 2024
    }
  },
  "native": {
    "display": "~3,322 data compromises in 2025, ~279 million victim notices",
    "numerator": 279,
    "denominator": 335,
    "unit": "per year (millions of unique victim notices)",
    "population": "US individuals with data held by breached organizations"
  },
  "normalized": {
    "lifetime_us_adult": 0.95,
    "display": "~95% cumulative probability over an adult lifetime",
    "log_value": -0.022,
    "assumptions": "The ITRC's 2025 Annual Data Breach Report recorded 3,322 data compromises with 278.8 million victim notices. In 2024, the figure was 1.35 billion victim notices across 3,158 compromises (inflated by mega-breaches like Change Healthcare at 190M+ records). Using the more conservative 2025 figure, approximately 279 million victim notices were issued against a US population of ~335 million, which, read naively, would imply that ~83% of the population received at least one breach notification in a single year. However, victim notices double-count individuals affected by multiple breaches. Adjusting for overlap with a capture-recapture heuristic, the annual unique-individual exposure rate is estimated at 35–50%. Even at the conservative 35% annual rate, compounding over a 59-year adult lifetime gives 1 − (1 − 0.35)^59 ≈ 1.0, i.e. effectively certain. Using a more moderate 5% annual probability of a first-ever exposure (for someone whose data has never been breached before — accounting for the fact that most adults are already exposed) compounded over 59 years gives 1 − (1 − 0.05)^59 ≈ 0.953. The 95% central estimate reflects the near-certainty of cumulative exposure, with the uncertainty band acknowledging definitional ambiguity around what counts as \"your\" data being \"exposed.\"\n",
    "uncertainty": {
      "low": 0.8,
      "high": 0.99
    },
    "scope": "us_adult_lifetime"
  },
  "sources": [
    {
      "url": "https://www.idtheftcenter.org/post/2025-annual-data-breach-report-record-number-compromises/",
      "title": "Identity Theft Resource Center 2025 Annual Data Breach Report",
      "publisher": "Identity Theft Resource Center",
      "source_type": "reputable_reference",
      "statistic": "3,322 data compromises in 2025 with 278,827,933 victim notices; 5% increase in compromises over 2024; record number of tracked compromises",
      "excerpt": "\"The ITRC tracked a record 3,322 data compromises in 2025, a 5% increase over 2024. The number of victim notices was 278,827,933, a 79% decrease from 2024's 1,367,117,021, due to the absence of mega-breaches on the scale of Change Healthcare.\"\n",
      "source_date": "2026-01-29",
      "source_accessed": "2026-04-12",
      "archive_url": "http://web.archive.org/web/20260420060038/https://www.idtheftcenter.org/post/2025-annual-data-breach-report-record-number-compromises/",
      "calculation_notes": "The 278.8 million victim notices in 2025 divided by ~335 million US population yields ~0.83 notices per person. But notices are not unique individuals — one person can receive multiple breach notifications. The ITRC notes that 70% of 2025 breach notices did not include attack-vector information, further complicating deduplication. The 2024 figure of 1.37 billion victim notices (driven by Change Healthcare's 190M+ exposure) illustrates how a single mega-breach can exceed the entire US population in notice count. For lifetime normalization, we use the conservative annual unique-individual rate of ~5% first-time exposure compounded over 59 years. Note: the ITRC is a 501(c)(3) nonprofit, not a government statistical agency; its breach counts rely on voluntary and regulatory disclosures rather than a census-grade collection mandate. No federal agency publishes a comparable all-sector breach tally, so ITRC is the best available source but carries the authority gap inherent in non-governmental data aggregation.\n",
      "independence_note": "ITRC compiles breach data from state attorney general notifications, SEC filings, and federal regulatory disclosures. It is independent of the FTC's Consumer Sentinel Network, which tracks consumer complaints rather than breach disclosures.\n"
    },
    {
      "url": "https://www.verizon.com/business/resources/reports/dbir/",
      "title": "2024 Data Breach Investigations Report (DBIR)",
      "publisher": "Verizon Business",
      "source_type": "reputable_reference",
      "statistic": "Verizon DBIR 2024 analyzed 30,458 security incidents and 10,626 confirmed breaches across 94 countries, confirming that the majority of breaches involve stolen credentials or human error rather than sophisticated attacks",
      "excerpt": "\"This year's dataset includes 30,458 real-world security incidents, of which 10,626 (about one-third) were confirmed data breaches. 68 percent of breaches involved a non-malicious human element, such as a person falling victim to a social engineering attack or making an error.\"\n",
      "source_date": "2024-05-01",
      "source_accessed": "2026-04-16",
      "archive_url": "https://web.archive.org/web/20260420034525/https://www.verizon.com/business/resources/reports/dbir/",
      "calculation_notes": "Verizon DBIR does not publish a per-individual \"exposure probability\" — its unit of analysis is the incident/breach, not the person. Used here as a corroborating source for the claim that breaches are common, widely distributed, and driven by credential/phishing vectors rather than targeted attacks on individuals. This shifts the entry's framing from \"probability of being a specific victim\" to \"probability of being swept up in aggregate exposure.\"\n",
      "independence_note": "Verizon DBIR aggregates incident data from ~100 contributing organizations (forensic firms, CSIRTs, law enforcement including US Secret Service). This is methodologically independent of ITRC's public-breach-notice tracking, which counts disclosed consumer breaches rather than investigated incidents.\n"
    },
    {
      "url": "https://www.idtheftcenter.org/publication/2024-data-breach-report/",
      "title": "ITRC 2024 Annual Data Breach Report",
      "publisher": "Identity Theft Resource Center",
      "source_type": "reputable_reference",
      "statistic": "3,158 data compromises in 2024 with 1,367,117,021 victim notices; 1.7 billion individuals' data compromised",
      "excerpt": "\"The ITRC recorded 3,158 data compromises in 2024, with victim notices totaling 1,367,117,021 — a 312% increase from 2023's 419 million notices, driven primarily by six mega-breaches each exceeding 100 million records.\"\n",
      "source_date": "2025-01-29",
      "source_accessed": "2026-04-12",
      "archive_url": "http://web.archive.org/web/20260226191837/https://www.idtheftcenter.org/publication/2024-data-breach-report/",
      "calculation_notes": "The 2024 figure of 1.37 billion victim notices against a US population of ~335 million means the average American received roughly 4 breach notifications in a single year. This is consistent with the cumulative-near-certainty thesis: if breach exposure is this frequent in a single year, the probability of never being exposed over a full adult lifetime approaches zero. The 2024 figure is inflated by outlier mega-breaches and should not be used as a stable annual rate, which is why the 2025 figure is preferred for the central estimate.\n",
      "independence_note": "The 2024 Annual Data Breach Report is the prior-year edition from the same ITRC methodology; included for the 72% year-over-year record count rather than as an independent estimate."
    },
    {
      "url": "https://www.hipaajournal.com/healthcare-data-breach-statistics/",
      "title": "Healthcare Data Breach Statistics",
      "publisher": "HIPAA Journal",
      "source_type": "reputable_reference",
      "statistic": "7,357 healthcare data breaches affecting 935.5 million records between 2009 and 2025 — more than 2.6x the US population",
      "excerpt": "\"Between 2009 and 2025, 7,357 healthcare data breaches of 500 or more records have been reported to the HHS Office for Civil Rights, resulting in the exposure of more than 935,521,931 healthcare records — more than 2.6 times the population of the United States.\"\n",
      "source_date": "2026-03-15",
      "source_accessed": "2026-04-12",
      "archive_url": "http://web.archive.org/web/20260408195427/https://www.hipaajournal.com/healthcare-data-breach-statistics/",
      "calculation_notes": "Healthcare alone has exposed records equivalent to 2.6x the US population over 16 years. Even with substantial deduplication (same person, multiple breaches), this implies the vast majority of Americans with any healthcare history have had protected health information exposed at least once. Healthcare is one sector among many — financial services, retail, government, and education add further exposure. Used as corroborating evidence for the near-certainty cumulative estimate, not as the primary source.\n",
      "independence_note": "HIPAA Journal tracks breaches reported to the HHS Office for Civil Rights under the HIPAA Breach Notification Rule. This is a regulatory pipeline entirely independent of the ITRC's state-AG-based tracking.\n"
    }
  ],
  "comparison_anchors": [
    {
      "label": "Identity theft (lifetime, US adult)",
      "lifetime_us_adult": 0.6
    },
    {
      "label": "Online scam financial loss (lifetime, US adult)",
      "lifetime_us_adult": 0.15
    },
    {
      "label": "Home burglary (lifetime, US adult)",
      "lifetime_us_adult": 0.072
    }
  ],
  "personal_factor_multipliers": [
    {
      "factor": "Reused passwords across multiple sites",
      "multiplier": 5,
      "notes": "NIST SP 800-63B and IBM Cost of Data Breach Report 2023: credential-stuffing attacks — automated account takeover using credentials from prior breaches — are the dominant breach vector for individuals; NIST estimates that password reuse across sites amplifies downstream exposure by roughly 5× relative to users with unique credentials per account, because a single breach creates exploitable access to every reused site."
    },
    {
      "factor": "Healthcare sector employee or patient",
      "multiplier": 2.5,
      "notes": "IBM Cost of Data Breach Report 2023: the healthcare industry has the highest average breach cost ($10.9M per incident) and the highest per-record sensitivity, making healthcare-affiliated individuals roughly 2.5× more likely to have sensitive records — including SSNs, insurance IDs, and clinical data — exposed in a single breach compared with the general adult population whose primary exposure is through retail and financial services."
    },
    {
      "factor": "No dark-web monitoring",
      "multiplier": 1.8,
      "notes": "ITRC 2025 Annual Data Breach Report: individuals without dark-web credential monitoring services are estimated to remain unaware of credential exposure for 15+ months on average, compared with weeks for monitored accounts; unmonitored users face ~1.8× longer windows of exploitable credential exposure, increasing downstream identity-fraud conversion risk."
    },
    {
      "factor": "Regular public Wi-Fi use without VPN",
      "multiplier": 2,
      "notes": "Verizon 2024 Data Breach Investigations Report: man-in-the-middle interception on unencrypted public networks is a documented attack vector; security researchers and the FTC estimate roughly 2× elevated credential-interception risk for users who regularly access financial or email accounts on unsecured public Wi-Fi without VPN encryption."
    }
  ],
  "short_label": "Data breach",
  "outcome_severity": "moderate_harm",
  "exposure_pattern": "recurring",
  "outcome_type": "financial",
  "valence": "negative",
  "caveats": "\"Data breach exposure\" is a definitionally slippery concept. A breach that leaks your name and email address is categorically different from one that leaks your Social Security number, medical records, or financial credentials — yet the ITRC counts them identically in its compromise tallies. The 95% lifetime figure means that virtually every adult with a digital footprint will have some data exposed at some point; it does not mean that 95% of adults will suffer financial harm from a breach. The conversion rate from exposure to actual identity theft or financial loss is much lower — the FTC received about 1.1 million identity-theft complaints in 2024, a tiny fraction of the breach-exposed population. The number is also US-centric in its normalization but the phenomenon is global; breach rates in the EU and Asia-Pacific are comparable. Finally, \"victim notices\" overcount unique individuals (one person receives multiple notices) and simultaneously undercount exposure (many breaches go undetected or unreported, and 70% of 2025 notices omitted attack-vector details entirely).\n",
  "quality_score": {
    "d1": 5,
    "d2": 4,
    "d3": 4,
    "d4": 4,
    "d5": 4,
    "d6": 5,
    "d7": 4,
    "d8": 5,
    "avg": 4.375,
    "scored_by": "claude-code-8d",
    "scored_at": "2026-05-25",
    "methodology_version": "1.2"
  },
  "reviewer": "claude-agent",
  "last_reviewed": "2026-04-16",
  "reviewed": true,
  "generated_at": "2026-04-12",
  "image": {
    "alt": "A single padlock with a hairline crack running through it, flat vector illustration, muted tones."
  },
  "attribution": "Likelier — https://likelier.app",
  "license": "https://creativecommons.org/licenses/by-sa/4.0/",
  "canonical_url": "https://likelier.app/data-breach-exposure"
}