
Banks face amplified cyber risk from both renewed physical skimming tactics and expanding third‑party attack surfaces, threatening customer data and regulatory compliance. The erosion of breach transparency hampers effective risk management across the sector.
The 2025 Identity Theft Resource Center report confirms that banks remain the most targeted industry, with 739 reported compromises—an incremental rise over 2024 and the second year the sector tops the breach leaderboard. While overall U.S. data‑loss incidents set a new record, the concentration of attacks within financial services underscores the sector’s high‑value data and regulatory exposure. Analysts attribute this persistence to legacy systems, aggressive digitization, and the growing reliance on third‑party service providers, which expand the attack surface beyond traditional firewalls.
Physical card skimming, once thought obsolete after chip‑and‑PIN adoption, has re‑emerged as “Skimming 2.0.” Bluetooth‑enabled overlay devices can be slipped onto point‑of‑sale terminals, evading visual inspection and capturing encrypted data. Reported incidents jumped from four in 2024 to thirty‑four in 2025, translating into roughly $1 billion in direct losses and potentially far higher undisclosed fraud. Law‑enforcement interceptions prevented $400 million of fraud, yet the low incident count masks a broader risk: any merchant that processes swipe transactions now faces a credible, technology‑driven threat vector.
Supply‑chain vulnerabilities compound the problem, with third‑party breaches now accounting for roughly 30% of all incidents and professional‑services firms experiencing a 39% annual increase. The concentration of critical technology in just 150 vendors that support 90% of Fortune 500 products creates systemic choke points, prompting the OCC to demand tighter concentration‑risk oversight. Meanwhile, breach‑notice transparency has collapsed from near‑full disclosure in 2020 to only 30% of filings revealing root causes, hampering banks’ ability to conduct effective due diligence. Strengthening information‑sharing frameworks such as FS‑ISAC and mandating granular reporting are emerging as essential mitigations.