DOJ - North Carolina Department of Justice

04/15/2026 | Press release | Distributed by Public on 04/15/2026 12:49

2025 Data Breach Report

In 2025, organizations across North Carolina continued to report data breaches affecting businesses, schools, government agencies, and nonprofits in our state. A record-setting total of 2,349 data breaches were reported to the North Carolina Department of Justice (NCDOJ), impacting 9,275,938 North Carolinians. Many North Carolinians' information was compromised in more than one breach.

In North Carolina, businesses and government agencies are required by state law to report security breaches to NCDOJ. These reports include details about how the breach occurred, the information involved, how many people were affected, and steps the organization is taking to address the incident and strengthen its security. Our office reviews every notice and may investigate to determine whether the organization had reasonable safeguards in place to protect the data and responded appropriately when the breach occurred. When necessary, we take legal action to hold these companies responsible and make sure that companies strengthen their business practices to protect against future data breaches.

As more of our daily lives move online, the risk of data exposure grows. We share sensitive personal and financial data daily through online shopping, banking, accessing medical records, and more. While technology brings convenience, it also creates opportunities for criminals to gain access to your information.

This report outlines the types and trends of data breaches reported to NCDOJ in 2025 and gives tips to help North Carolinians protect their private information. For additional resources to protect your identity and data, or to report a scam or fraud, contact our office at 1-877-5-NO-SCAM or visit https://www.ncdoj.gov.

HIGHLIGHTS

  • Businesses reported a record 2,349 data breaches in 2025, the highest number of breaches ever reported to our office.
  • More than 9 million North Carolinians were impacted by data breaches in 2025.
  • Hacking-related incidents remained the leading type of breach, accounting for 77 percent, or more than three-fourths, of all reported data breaches in 2025.
  • Reports of accidental release and public display breaches, lost data and stolen equipment incidents, and data theft by employees and contractors all decreased compared to prior years.

Since 2006, businesses have reported 19,318 data breaches that impacted 40,403,095 people in all.

HACKING AND PHISHING

Hacking and phishing remain two of the most common methods criminals use to access private information. Hacking occurs when someone gains access to a computer system, network, or online account to steal, change, or expose data. In 2025, hacking-related breaches represented 77 percent of the total security breaches reported.

Phishing attempts are often designed to look like official communications from trusted companies, coworkers, or government agencies to trick someone into clicking a malicious link, downloading an infected attachment, or sharing login credentials. In 2025, phishing-related breaches represented 16 percent of the total security breaches reported.

Taking simple precautions can significantly reduce the risk of falling victim to a hacking or phishing scheme.

  • Carefully review emails, texts, and messages before clicking links or downloading attachments. Check the sender's address, spelling, tone, and any unexpected requests. When in doubt, contact the company or person directly to verify.
  • Regularly update antivirus programs and security software on your computers, phones, and other smart devices. Updates often include security improvements.
  • Use strong, unique passwords for each account and change them regularly. Enable multi-factor authentication whenever possible.
  • Avoid accessing sensitive accounts or making financial transactions on public Wi-Fi networks, which are more vulnerable to hackers.
  • If you believe your information has been compromised, consider placing a free security freeze on your credit and monitoring your financial accounts closely for suspicious activity. To learn more, visit ncdoj.gov/securityfreeze.

POWERSCHOOL DATA BREACH

In December 2024, PowerSchool, a company that sells software products used by schools across the country, was hacked. The hacker gained access to that software, potentially exposing Social Security numbers, addresses, and medical and disciplinary information of 62.4 million current and former students and teachers nationwide, including 4 million North Carolinians.

PowerSchool later paid a ransom to the hacker to delete the information that was stolen, but the hacker then tried to extort North Carolina public school districts again. Authorities later identified the hacker as Matthew Lane, and he pleaded guilty to cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft.

Following the data breach, Attorney General Jackson issued a Civil Investigative Demand (CID) to PowerSchool to obtain detailed information about the cause of the breach and the company's data security practices. The office's investigation is ongoing.

ACCIDENTAL RELEASE AND DISPLAY

Data breaches can also occur through accidental release or display, when information is unintentionally shared with someone who is not authorized to see it. These incidents usually occur by sending private information to the wrong person, saving confidential files in an unsecured shared folder, or leaving a computer unmonitored in a public or high-traffic area. In 2025, accidental release and display incidents accounted for more than five percent of the total security breaches reported. Many of these situations are preventable with greater attention to everyday data handling practices.

To reduce the risk of accidental release or display:

  • Double-check email recipients and attachments before sending sensitive information, and only share what is necessary.
  • Log out of accounts and lock your computer when stepping away from your desk, especially in shared or public workspaces.
  • Avoid saving passwords on shared devices and never share login credentials with others.
  • Ensure confidential physical and digital files are stored in secure locations and not accessible to unauthorized individuals.

LOST DATA AND STOLEN EQUIPMENT

Data breaches can also occur when laptops, phones, external drives, or other equipment containing sensitive information are lost or stolen. Data breaches caused by lost or stolen equipment continued to decline in 2025, with 14 breaches accounting for just 0.60 percent of all reported breaches. To avoid losing equipment, store laptops and other electronic devices in locked, secure locations when not in use, and avoid leaving them unattended in vehicles or public spaces. If you can, add tracking to your devices so you know where they are, even if they get lost or stolen.

DATA THEFT BY EMPLOYEES AND CONTRACTORS

Data theft by employees or contractors dropped by over half in 2025 compared to the previous year. These breaches occur when data is stolen by people who have access to it. Organizations that collect and store personal or financial information must carefully manage and monitor access to ensure that data is only used for business purposes.

EMAIL BREACHES

Email breaches increased by 78 reports in 2025, from 492 in 2024 to 570 in 2025, and represent 24.27 percent of all reported breaches. Email breaches include unauthorized access to email accounts, phishing attacks that compromise login credentials, and misdirected emails containing sensitive personal information. Email is a central communication tool, and it will always be a primary target for criminals.

  • Create strong, unique passwords for your email accounts and avoid reusing the same password across different platforms.
  • Activate multi-factor authentication on your email accounts to add an extra layer of protection and receive alerts if someone attempts to access your account.
  • Approach email links and attachments with caution and verify that the message comes from a trusted and legitimate source before opening or clicking on anything.

RANSOMWARE ATTACKS

Ransomware attacks increased to 570 reports and contributed to more than half of all data breaches reported in 2025. Many ransomware attacks begin with a phishing attempt. This allows hackers to gain access to your device and network. Once they have access, they lock you out of your computer files, systems, or networks, and demand a ransom for their return. These attacks can disrupt operations for businesses, schools, hospitals, and government agencies, and often involve the theft of sensitive data in addition to system lockouts.

Follow these tips to protect yourself and your organization from ransomware:

  • Regularly train employees and users to recognize phishing attempts and other suspicious activity.
  • Keep operating systems, software, and security tools up to date to address known vulnerabilities.
  • Back up important data frequently and store backups securely so systems can be restored without paying a ransom.
  • Develop and routinely update an incident response plan that outlines how to contain an attack and notify affected individuals if necessary.
  • Limit user access privileges to reduce the likelihood that ransomware can spread across an entire network.

DATA SHARING

23andMe Lawsuit

In 2025, Jeff Jackson filed a lawsuit in bankruptcy court against 23andMe to protect North Carolinians' sensitive genetic information from being sold without their knowledge or consent. After filing for bankruptcy, 23andMe moved to sell the genetic data of more than 15 million customers nationwide to the highest bidder. NCDOJ had previously been investigating 23andMe following its 2023 data breach, which potentially exposed the genetic data of millions of people. As part of that investigation, Attorney General Jackson secured a consent order appointing a consumer privacy ombudsman to advocate for customers' privacy and security interests throughout the sale process.

ARTIFICIAL INTELLIGENCE

As artificial intelligence continues to evolve and become more widely used, more people and businesses are inputting personal and financial information into this technology. While AI can be used for innovation and efficiency, it can also be misused by scammers seeking to commit fraud and steal your information. In 2025, Attorney General Jeff Jackson formed a bipartisan, nationwide AI task force alongside Utah Attorney General Derek Brown. The attorneys general have collaborated with leading AI developers, including OpenAI and Microsoft, to address the fast-evolving AI landscape. The task force is focused on identifying emerging risks, promoting responsible innovation, and developing safeguards to better protect consumers and their personal information from AI-enabled misuse.

CONCLUSION

The North Carolina Department of Justice remains committed to keeping North Carolinians informed about emerging scams and fraud schemes. By tracking data breach trends and holding companies accountable for safeguarding sensitive information, the NCDOJ works to protect personal data and strengthen consumer privacy protections statewide. Learn more about protecting your information and reporting concerns at https://www.ncdoj.gov/internet-safety.

DOJ - North Carolina Department of Justice published this content on April 15, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on April 15, 2026 at 18:49 UTC.