Data Breaches: Why They Happen & How to Minimize Risk

Published: October 8, 2025

Have you noticed your inbox filling up with “Important Security Notice” emails lately? Between banks, retailers and social platforms, it feels like every week someone’s alerting you to yet another data breach.

While the headlines make it seem like hackers are cracking through firewalls with sophisticated tools, the reality is simpler — and more human. Most breaches start when someone is tricked.

How Most Breaches Actually Happen

According to Verizon’s Data Breach Investigations Report, nearly 70% of all breaches involve a human element — things like phishing, stolen credentials or social engineering scams. In other words, most cyber incidents don’t begin with technical exploits; they start with manipulation.

IBM’s Cost of a Data Breach Report echoes this pattern, listing phishing and stolen credentials as the two most common entry points. Attackers aren’t usually battering down digital doors — they’re persuading someone to open them.

Your Data Has Market Value

Why do criminals bother? Because personal data still sells — and in 2025, its price tag shows no signs of dropping. According to the PrivacySharks Dark Web Price Index, here’s roughly what stolen data goes for online right now:

Social Security Number: around $1–$10
“Fullz” (SSN + name, date of birth, address): $60–$120+
Credit card or bank account details: $5–$110 depending on balance and limits
Medical or health records: $10–$1,000 per file
Login credentials: about $1–$10 depending on the account type

Even those lower prices become significant when multiplied across millions of records leaked in a single breach.

Just How Common Are Data Breaches?

The Identity Theft Resource Center’s 2024 Annual Data Breach Report counted nearly 3,200 publicly reported breaches, amounting to over 1.35 billion victim notices.

While one mega breach can skew those totals, the ITRC notes that the median breach still hits 1,000–5,000 people — enough to make “data breach notifications” a near constant feature of modern life.

What You Can Do to Lower Your Risk

You can’t control how every company stores information, but you can reduce how much of yours is out there — and how useful it would be if exposed. These best practices come straight from consumer protection authorities like the Federal Trade Commission and the National Cybersecurity Alliance:

Limit what you share. Only provide personally identifiable information when it’s required.
Delete what’s not essential. Many apps and websites now have “delete my data” or “close account” tools — use them, especially for services you don’t need.
Check privacy policies. A quick review of a platform’s security page can tell you a lot about how seriously it protects user data.
(Bonus) Freeze your credit. The FTC confirms that credit freezes with Equifax, Experian and TransUnion are free and typically take less than an hour each. Once frozen, your report can’t be used to open new lines of credit without your approval.

Where Do We Go From Here?

Last week, we looked at email spoofing — how attackers disguise messages to trick people into giving away data. Now you’ve seen what happens when those tricks succeed: stolen information lands on the dark web, turning into real world damage for millions.

Up next in our Cybersecurity Awareness Month series: we’ll share everyday security hygiene for employees — simple actions that stop social engineering attacks before they start.