U.S. Data Breach Severity Reaches New High

CHICAGO, March 27, 2025 (GLOBE NEWSWIRE) — Despite the volume of U.S. data breaches declining in 2024 from highs reached a year prior, data breach severity reached levels never seen since TransUnion’s measurement began in 2020. These findings were revealed as part of the newly-released TransUnion® (NYSE: TRU)  H1 2025 Update to the State of Omnichannel Fraud Report.

In 2024, the number of primary data breaches dipped to 2,577 from 2,842 the year prior, while third-party data breaches fell precipitously to 515 from 2,731 in 2023. However, the severity of those data breaches increased by 34% from one year earlier, with the primary US Breach Risk Score (BRS)¹ rising from 4.1 to 5.6 and third party rising from 4.2 to 5.2. Breach Risk Score is measured on a 1–10 scale, where 1 represents the least severe and 10 most.

A primary data breach represents a direct attack on an organization. A third-party data breach, also known as a supply-chain attack, value-chain attack, or backdoor breach, is when an attacker accesses an entity’s network via third-party vendors or suppliers — payroll processing or medical billing, for instance.

The study found that the 2024 U.S. data breaches targeted more high-quality credentials, and consumers reported being targeted by data harvesting scams in every channel, including email, text, phone and online. Exposed identity data enables cybercriminals to power automated, identity-based attacks on organizations and individuals more readily.

“The reversal of the multi-year U.S. data breach growth is certainly a step in the right direction. However, the significant jump in data breach severity is a cause for concern,” said Steve Yin, global head of fraud at TransUnion. “Breach severity is a leading indicator of future fraud. This year’s growth in severity means organizations must be even more diligent moving forward and work even harder to defend against the oncoming identity fraud attacks such as those in account creations, social engineering scams, and account takeovers.”

_______________
¹ The BRS is based on the quantity and severity of the particular identity credentials the affected entity determined to have been exposed.

These data breaches played a key role in significant financial losses faced by consumers due to fraud. Among consumers TransUnion surveyed in 18 countries and regions in November and December 2024, 29% said they lost money due to online, email, phone or text message fraud in the last year. The newly-released TransUnion (NYSE: TRU) H1 2025 Update to the State of Omnichannel Fraud Report found that the median amount those consumers said they lost due to fraud in the past year was $1,747.

Communities and Video Gaming Among Top Industries Targeted by Suspected Digital Fraud Globally
Communities, which include venues such as online dating and forums, had the highest rate of suspected digital fraud² attempts globally in 2024. Nearly 12% of all attempted communities transactions were suspected to be digital fraud last year. This is closely followed by video gaming (11%), with gaming (including online betting, poker, etc.) at 8% and retail (8%) rounding out the top four.

The logistics industry, which has seen growth in shipping fraud (often perpetrated by organized crime rings), saw the greatest suspected digital fraud volume growth globally in 2024, up more than 100% over 2023. That being said, the fraud rate remains at a relatively modest 3%. Gaming also saw a significant year-over-year (YoY) volume change, up 20%. Telecommunications (-79%), insurance (-29%) and video gaming (-23%) saw the greatest decreases in suspected digital fraud volume YoY.

“Digital fraud on community platforms is by no means a new phenomenon. However, in 2024, it appears that fraudsters targeted these areas with a renewed vigor,” said Richard Tsai, senior director of global fraud solutions at TransUnion. “Cybercriminals, taking advantage of the trust inherent on community-based platforms, targeted members with a wide range of scammer solicitations, the most reported type of digital fraud in communities.”

For transactions where the consumer or fraudster was located in the U.S., gaming continues to see the highest suspected digital fraud rate. About 14% of attempted transactions were suspected to be digital fraud, roughly the same as 2023. This marks the fifth consecutive year since TransUnion began research on this metric five years ago, where 13% or more of attempted gaming transactions in the U.S. were suspected to be digital fraud.

_______________
² The rate or percentage of suspected digital fraud attempts reflects those which TransUnion customers determined met one of the following conditions: 1) denial in real time due to fraudulent indicators, 2) denial in real time for corporate policy violations, 3) fraudulent upon customer investigation, or 4) a corporate policy violation upon customer investigation — compared to all transactions assessed. The country and regional analyses examined transactions in which the consumer or suspected fraudster was located in a select country or region when conducting a transaction. Global statistics represents every country worldwide and not just the select countries and regions.

As part of the same aforementioned consumer survey, 11% of U.S. respondents indicated that they were targeted by online, email, phone call or text messaging fraud from August to December 2024 and fell victim to it. Four in 10 respondents (41%) indicated that they were aware of being targeted, but did not fall victim. Among those able to identify being targeted, the most commonly reported fraud scheme in the U.S. was smishing. Smishing is a type of phishing that uses text messages to mislead people into giving away personal information. The term combines “SMS” and “phishing”.

“While cybercriminals will attack at any time using any channel, they appear to focus on channels most popular in the regions they are targeting,” said Yin. “Text messaging remains incredibly popular in the U.S. and, among many demographic groups, is a far more ubiquitous way to communicate with mobile devices than phone calls. As such, it would stand to reason that smishing would be such a common fraud tactic among fraudsters targeting this region.”

In contrast, nearly half of respondents (48%) indicated that they were not targeted by these types of fraud at all. This raises questions as to whether these respondents were in fact targeted, yet simply unaware.

TransUnion came to its conclusions about digital fraud and data breaches based on intelligence from TransUnion TruValidate and TruEmpower respectively.

Specific country and regional data in the report include the United States, Botswana, Brazil, Canada, Chile, Colombia, the Dominican Republic, Guatemala, Hong Kong, India, Kenya, Mexico, Namibia, the Philippines, Puerto Rico, Rwanda, South Africa, Spain, the United Kingdom and Zambia. Download the TransUnion H1 2025 Update to the State of Omnichannel Fraud Report for more information and insights about the global fraud trends.

About TransUnion (NYSE: TRU)

TransUnion is a global information and insights company with over 13,000 associates operating in more than 30 countries. We make trust possible by ensuring each person is reliably represented in the marketplace. We do this with a Tru™ picture of each person: an actionable view of consumers, stewarded with care. Through our acquisitions and technology investments we have developed innovative solutions that extend beyond our strong foundation in core credit into areas such as marketing, fraud, risk and advanced analytics. As a result, consumers and businesses can transact with confidence and achieve great things. We call this Information for Good® — and it leads to economic opportunity, great experiences and personal empowerment for millions of people around the world.

https://www.transunion.com/business