For years, cyber pundits tracking data breaches have gauged system cyber risk by a familiar signal: number of consumers impacted. By that measure, 2025 shared good news with fewer mega breaches and fewer victims. But taking that approach to assessing systemic exposure can miss a fast-developing risk trend.
Those who know cyber risk understand there's no such thing as a small breach to the people and businesses impacted by these events. Even as mega breaches declined in 2025, the multifaceted damage from past incidents continues to ripple outward. Each mega breach exposed vast troves of personally identifiable information (PII). Criminals — from organized fraud rings to independent threat actors — continue to circulate that data across their ecosystems, using it to power ongoing and sometimes long-tail scams against exposed individuals and companies.
Against this backdrop, victims of micro breaches who've already experienced a breach in the past could face new, outsized harm. The trend is creating a growing stream of smaller, more targeted incidents designed to extract larger volumes of highly sensitive and current personal data.
The point is fewer large events may not be an indicator of reduced risk. In fact, more damaging consequences may be in store for millions of consumers — as well as businesses that hold, process and protect that data and the cyber insurers that cover them.
Higher-quality data leads to more effective fraud
The numbers underscore the persistent impact on consumers. Even as large-scale incidents decreased in 2025, nearly 30% of U.S. consumers reported losing money to identity theft in the second half of the year (August to December 2025), according to data from TransUnion's H1 2026 Update: Top Fraud Trends. Another 27% lost money from an account takeover incident and 16% in a phishing, smishing or vishing attack.
During the same period, nearly 40% of U.S. consumers said they were targeted by a fraudulent message online, over the phone or in an email or text message. The true number is likely higher as many people don't realize the "wrong recipient" messages they've ignored or deleted may actually be scam attempts.
Each successful scam can translate into claims, reputational damage and increased scrutiny for the
Analysts believe the increasing penetration of fraud and scam events is a direct reflection of the shift in breach dynamics: Even as 2025's incidents affected fewer people overall, they exposed far more sensitive PII, giving criminals higher-quality data to work with.
Take Social Security numbers (SSNs), for instance. In 2025, 78% of breaches exposed SSNs, according to TransUnion data. That's an all-time high and a nearly 10% increase year over year. Whereas in past years, date of birth, address and healthcare credentials were most often exposed, now it's driver's license, bank account number and state or federal IDs.
With this high-powered PII, criminals are better equipped to execute Gen AI-powered phishing and impersonation attacks rather than attempting to bypass
This shift increases the likelihood of consumer harm, as well as the complexity of resulting claims for insured organizations.
Third-party breaches can only intensify the risk to consumers. The volume of breaches originating at a vendor began to grow in 2021, and these incidents consistently show a higher likelihood of exposing a larger set of credential types than primary breaches. More than 8 in 10 incidents originating at a company's vendor now involve SSNs, up from 74% in 2024.
Because these vendors often serve multiple organizations, a single incident can create correlated losses across an insurer's portfolio.
Micro breaches demand a full-spectrum rethink
The entire insurance ecosystem should be on notice: The absence of mega breaches does not indicate declining exposure.
High-frequency, credential-dense "micro" breaches are quietly increasing the scope and velocity of consumer risk while also moving business risk toward third-party vendors and data-rich professional services sectors like legal and accounting firms.
In other words, rising consumer exposure is becoming a direct driver of insured risk and portfolio-level aggregation concerns.
The implications extend beyond underwriting alone. As breach payloads grow more complex, insurers should consider how they assess, price and respond to risk across five critical areas.
Credential density risk: Assess not just how much data an insured holds but which combinations of credentials are stored and processed together. Does the organization aggregate SSN, date of birth, driver's license and financial account information in the same systems? Credential concentration increases potential downstream fraud and claims severity.
Vendor dependency risk: Evaluate how much sensitive identity data on the insured a vendor can access and whether those vendors service multiple insureds within the carrier's portfolio. Third-party environments often contain more robust identity datasets and can introduce cascading portfolio risk.
Systemic identity risk and downstream fraud exposure: Factor in how exposed credential combinations may accelerate account takeover threats, deepfake and other impersonation possibilities, and synthetic identity fraud risk. Current policies may underestimate severity when breaches involve multiple authentication elements.
Cyber insurance gap: Consider whether it makes sense to expand breach response models beyond one-time notifications and temporary remedies to account for persistent downstream risk. As micro breaches produce more targeted, reusable data, employees and customers are more likely to become repeat targets for social engineering and impersonation scams — which traditional services like limited-time credit monitoring aren't designed to fully address.
Post-incident liability and exposure: Work with legal experts to assess how liability may be affected when exposed PII was already circulating prior to a breach. Emerging AI-driven tools can scan dark web marketplaces and criminal forums to determine whether alleged compromised data was previously available, helping insurers refine claims exposure and, in some cases, reduce or eliminate insured liability.
Helping insureds reduce consumer fraud risk
Now is also a good time for insurers to support policyholders in strengthening consumer education and fraud readiness. That's because people who recognize scam patterns are less likely to lose money, even when targeted. Reducing consumer susceptibility to fraud is a direct lever for reducing claims at the business level.
As media coverage continues to highlight the consequences of deepfake impersonations, social engineering scams and other fraud schemes, insurers have an opportunity to equip policyholders with the tools and content needed to respond. This could include co-developing first-party educational materials or facilitating partnerships with cybercrime experts to make warning signs more visible and actionable for customers.
Insurers can also extend this support through shared services or embedded resources. For example, providing access to 24/7 fraud support capabilities allows insureds to offer their customers a trusted, empathetic place to turn when they suspect suspicious activity or have already been impacted. These services can help validate threats, guide next steps and, if needed, initiate reporting and resolution.
In doing so, insurers help policyholders reduce fraud exposure at the source while also improving customer outcomes and containing loss.
Earn trust by staying ahead
The most dangerous breaches are no longer the biggest. That ship has sailed. Today, the most dangerous breaches can be the ones empowering attackers to assemble near-complete identity profiles that point them in the direction of the most vulnerable.
For insurers, the implication is clear: Underwriting, risk models and policyholder support must evolve to reflect how identity data is used in modern fraud. That's what it will take to earn trust in a market where consumers are more alert to scams and fraudsters are more capable than ever.
