BID® Daily Newsletter
Mar 16, 2026

Rising SMB Cyber Risk: Key Trends for Bankers

Summary: US data breaches hit a record in 2025, with SMBs under constant, AI-driven attack. Learn how CFIs can cut cyber risk and support small-business customers facing rising breach costs.

The data breach of DSW Shoe Warehouse in 2005 became the first to compromise more than 1MM records — 1.4MM credit card numbers and the names on those accounts. That year also marked the first data breach of a college, George Mason University, in which the names, pictures, and Social Security numbers of 32K students and staff were compromised. The surge in breaches also accelerated in 2005 with the data breach of payment card processor CardSystems Solutions, in which hackers exposed 40MM credit card accounts. The largest breach to date came in 2013, when 3B Yahoo email user accounts were exposed.
Unfortunately, last year set another record. The number of data breaches in the US in 2025 reached a new high. Interestingly, though, the number of victims declined as cyberattacks continued to evolve. Instead of massive “mega-breaches,” where criminals steal millions of records at once, attackers are increasingly targeting smaller systems that contain highly valuable data, such as payment credentials or business email accounts. As part of this shift, small- and medium-sized businesses (SMBs) were also attacked more frequently.

US Data Breaches in 2025

The number of data breaches in the US jumped 79% over the last five years to a record 3,322 data compromises in 2025, according to the Identity Theft Resource Center (ITRC). The financial services industry continued to have the highest number of breaches — 1,739 compromises, up from 733 in 2024, though down slightly from its peak in 2023.
While the number of breaches rose, the number of individual victim notices fell by 79%, from 1.36B in 2024 to 278.8MM in 2025, as hackers focus on fewer but higher-value targets.
“The trajectory of data compromises in the US in the past five years shows the cybercrime and risk landscape has transitioned from mass identity theft — the accumulation of data — to pervasive identity fraud and scams, where stolen credentials are weaponized with precision,” ITRC wrote.
Phishing, smishing, and business email compromises continued to be the top methods of breaches, while ransomware attacks dropped. Last year, physical card skimming made a comeback.

Rising Cyberattacks on SMBs by the Numbers

According to an accompanying ITRC report, SMBs are under near-constant cyberattack. Because of the uptick in incidents and the associated cost, many SMB cyber victims are now passing cyber incident costs through to customers, creating both higher direct and indirect risk for CFIs that serve SMBs, especially those providing credit and treasury services to them. Key SMB findings relevant to CFIs:
  • Among businesses with fewer than 500 employees, 81% had suffered a security or data breach in the past 12 months. Most of these businesses experienced multiple attacks, with threat actors deploying increasingly sophisticated methods.
  • AI-powered attacks were cited as a root cause in 41% of incidents, nearly equal to traditional external hackers (43%) and malicious insiders (42%).
  • Nearly two-thirds of breached SMBs reported total financial impact above $250K. More than one-third faced costs above $500K, while the share above $500K rose YoY from 2024.
  • To recover, 46.8% used cash reserves, 46.3% used cyber insurance (down sharply from 55.9%), 34.9% used existing lines of credit, and 38.3% raised prices (“cyber tax”).
  • Leadership confidence collapsed: those feeling “very prepared” dropped from 56.5% to 38.4% YoY, even as AI threats are influencing security plans for 80% of leaders.
  • Basic controls are lagging: internal multi-factor authentication adoption fell from 33.6% to 27.2%, despite strong evidence that multi-factor authentication (MFA) is one of the highest-ROI controls.
“The rising cost of cybersecurity and the financial damage from data breaches are creating a hidden ‘cyber tax’ that is being passed directly to consumers — the very people who are also directly impacted by the loss of their personal information (and financial resources) to identity criminals,” ITRC wrote. “This shadow tax creates a drag on the US economy, fuels inflation, and places a disproportionate burden on the small businesses that generate jobs and sustain communities.”

How CFIs Can Help

There are many different approaches CFIs can take to guide SMBs toward stronger data security, ranging from education-based resources to referral networks. Here are a few options for you to consider:
  • Integrate cyber-resilience into SMB credit and relationship reviews. CFIs can add basic cyber-hygiene questions to underwriting and their annual reviews, including the SMB’s use of MFA, backup strategy, incident response plan, and the status of their cyber insurance. CFIs can use this as a basis for risk-based pricing or structure, such as offering better terms for SMBs meeting a minimum control baseline.
  • Design SMB-focused products and services around cyber events. CFIs can offer standby “incident response” credit lines, with clear triggers and documentation expectations. They can also offer their SMB customers bundled services or referral networks for cyber insurance, incident response firms, and training partners.
  • Build a joint education and fraud-prevention program for SMBs. CFIs can offer regular briefings and webinars on AI-driven scams, payment verification practices, and dual-control setups, tied to their online banking platform. They can also provide simple checklists aligned to NIST/CISA small-business guidance, framed as “how to stay bankable” in an AI-driven threat environment.
As the threat of security breaches at SMBs continues to grow, CFIs can help them reduce the risk of loss through a variety of measures, including providing educational resources, performing annual cyber-hygiene check-ins with SMBs, and establishing referral networks for finding trustworthy providers of cybersecurity-related services.