Top Data Breaches of December 2025

  • securityboulevard.com
  • published date: 2025-12-31 00:00:00 UTC

<p><span style="font-weight: 400;">December 2025 closed the year with several high-impact data breaches across retail, education, healthcare research, and telecom. These incidents were not driven by a single cause. Some stemmed from misconfigured systems, others from ransomware, and several from third-party access failures. What ties them together is the scale and sensitivity of the exposed data. Social Security numbers, financial records, and personal identifiers were involved across multiple cases.</span></p><p><span style="font-weight: 400;">This roundup breaks down the most significant data breaches reported in December 2025, explaining what happened, what data was exposed, how organisations responded, and the clear lessons security teams can take forward.</span></p><h2><b>1. Petco Confirms Security Lapse Exposing Sensitive Customer Data</b></h2><h3><b>Incident Overview:</b></h3><p><span style="font-weight: 400;">Petco announced a security lapse that resulted in a data breach. The company found that a setting within one of its software applications incorrectly allowed certain files to be accessible from the internet without proper restrictions. It then took action to fix the issue and remove the exposed files. 
</span></p><h3><b>What Data Was Exposed:</b></h3><p><b></b><span style="font-weight: 400;">The company’s public notices (filed with state attorneys general) indicate that the exposed data included extremely sensitive personal details such as:</span></p><ul> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Customer full names</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Social Security numbers</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Driver’s license numbers</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Financial account numbers (including credit and debit card numbers)</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Dates of birth</span></li> </ul><h3><b>Number of Affected Individuals:</b></h3><p><span style="font-weight: 400;">Petco did not disclose the full total. Notices filed suggest at least 500 customers in California were impacted, along with additional affected individuals in Massachusetts, Montana, and Texas, but the full scope remains unspecified. </span></p><h3><b>Business Impact:</b></h3><p><span style="font-weight: 400;">The breach has significant implications for customer trust and company compliance, triggering mandatory notifications and possible legal scrutiny. Exposure of highly sensitive identifiers can lead to increased costs and heightened regulatory attention. </span></p><h3><b>Company Response:</b></h3><p><span style="font-weight: 400;">Once the issue was discovered, Petco corrected the application setting, removed public access to the files, and began notifying affected customers. The company offered free identity theft and credit monitoring services to impacted individuals in states where this is required. 
</span></p><h3><b>Key Lesson:</b></h3><p><b></b><span style="font-weight: 400;">Security misconfigurations can expose deeply personal data even without an external attack, showing the importance of proactive configuration checks, access controls, and ongoing audits to safeguard sensitive information. </span></p><p><b>Date of Breach: December 5, 2025</b><b><br> </b><b>Source: </b><a href="https://techcrunch.com/2025/12/05/petco-confirms-security-lapse-exposed-customers-personal-data/" rel="noopener"><b>TechCrunch</b></a></p><h2><b>2. University of Phoenix Data Breach Affects 3.5 Million Individuals</b></h2><h3><b>Incident Overview:</b></h3><p><span style="font-weight: 400;">The University of Phoenix disclosed a data breach after unauthorised access was identified within a system operated by a third-party service provider. The intrusion involved data linked to students, applicants, and employees. The university was alerted after the service provider detected suspicious activity affecting stored records.</span></p><h3><b>What Data Was Exposed:</b></h3><p><span style="font-weight: 400;">According to official disclosures, the accessed data may include full names, dates of birth, Social Security numbers, and internal identification information associated with academic or employment records. The university stated that passwords, payment card data, and banking details were not involved.</span></p><h3><b>Number of Affected Individuals:</b></h3><p><span style="font-weight: 400;">The breach impacted approximately </span><b>3.5 million individuals</b><span style="font-weight: 400;">. This includes current and former students, applicants, and staff members whose information was stored within the affected system.</span></p><h3><b>Business Impact:</b></h3><p><span style="font-weight: 400;">The incident led to significant operational strain across compliance, legal, and IT teams. 
It triggered large-scale notification requirements and attracted regulatory attention due to the volume and sensitivity of the exposed data. The exposure also raised concerns related to identity misuse risks for affected individuals.</span></p><h3><b>Company Response:</b></h3><p><span style="font-weight: 400;">The University of Phoenix notified impacted individuals and offered credit monitoring and identity protection services. It also reviewed vendor access practices and assessed controls related to third-party data handling and oversight.</span></p><h3><b>Key Lesson:</b></h3><p><span style="font-weight: 400;">Third-party service providers often store large volumes of sensitive personal information. Without strict oversight and access controls, vendor-managed systems can become a major source of exposure for educational institutions.</span></p><p><b>Date of Breach: </b><b>December 22, 2025</b></p><p><strong>Source: <a href="https://www.bleepingcomputer.com/news/security/university-of-phoenix-data-breach-impacts-nearly-35-million-individuals/?&amp;web_view=true" rel="noopener">BleepingComputer</a></strong></p><h2><b>3. Pharma firm Inotiv discloses data breach after ransomware attack</b></h2><h3><b>Incident Overview:</b></h3><p><span style="font-weight: 400;">In December 2025, Inotiv disclosed a data breach after confirming that a ransomware attack led to unauthorised access to internal systems. The disclosure followed a forensic review that determined personal information was accessed and taken during the incident.</span></p><h3><b>What Data Was Exposed:</b></h3><p><span style="font-weight: 400;">The exposed data included personal information such as full names, addresses, dates of birth, and Social Security numbers. 
Inotiv stated that no payment card details or banking information were involved.</span></p><h3><b>Number of Affected Individuals:</b></h3><p><span style="font-weight: 400;">Inotiv confirmed that </span><b>9,542 individuals</b><span style="font-weight: 400;"> were impacted by the breach and received formal notification letters in December 2025.</span></p><h3><b>Business Impact:</b></h3><p><span style="font-weight: 400;">The breach resulted in system disruption, mandatory disclosure requirements, and increased compliance and legal review. For Inotiv, a pharmaceutical research services provider, the incident also created operational strain while investigations and notifications were carried out.</span></p><h3><b>Company Response:</b></h3><p><span style="font-weight: 400;">Inotiv secured affected systems, engaged external cybersecurity specialists, and notified law enforcement authorities. The company also initiated direct communication with impacted individuals and offered identity monitoring services as part of its response actions.</span></p><h3><b>Key Lesson:</b></h3><p><span style="font-weight: 400;">Ransomware incidents in research-focused organisations can lead to direct exposure of personal records. Clear asset visibility, timely detection, and structured response actions help reduce data exposure and downstream risk.</span></p><p><b>Date of Breach: </b><b>December 5, 2025</b></p><p><b>Source: </b><a href="https://www.bleepingcomputer.com/news/security/pharma-firm-inotiv-discloses-data-breach-after-ransomware-attack/?&amp;web_view=true" rel="noopener"><b>BleepingComputer</b></a></p><h2><b>4. Freedom Mobile Discloses Data Breach Exposing Customer Data</b></h2><h3><b>Incident Overview</b></h3><p><b>Freedom Mobile</b><span style="font-weight: 400;"> confirmed a data breach after detecting unauthorised access to one of its internal systems. 
The company stated that the activity was identified through internal monitoring and was linked to a third-party system used to support customer operations. Following confirmation, Freedom Mobile initiated containment measures and began notifying impacted customers.</span></p><h3><b>What Data Was Exposed</b></h3><p><span style="font-weight: 400;">According to the disclosure, the exposed information primarily included customer account details such as full names, phone numbers, email addresses, billing addresses, and account identifiers. Freedom Mobile stated that payment card numbers, banking details, and government-issued identification were not accessed as part of the incident.</span></p><h3><b>Number of Affected Individuals</b></h3><p><span style="font-weight: 400;">Freedom Mobile has not published an exact figure for the total number of impacted customers. However, the company acknowledged that a subset of its customer base was affected, and notifications were issued to all individuals whose information was confirmed to be involved.</span></p><h3><b>Business Impact</b></h3><p><span style="font-weight: 400;">The breach resulted in operational and reputational impact for Freedom Mobile. Customer support volumes increased following public disclosure, and internal teams were required to prioritise forensic analysis, regulatory reporting, and customer communication. The incident also drew attention from privacy regulators due to the exposure of personal customer data.</span></p><h3><b>Company Response</b></h3><p><span style="font-weight: 400;">Freedom Mobile stated that it immediately secured the affected system, restricted unauthorised access, and engaged external cybersecurity experts to investigate the incident. Impacted customers were notified and provided guidance on monitoring account activity. 
The company also confirmed that additional security controls were implemented to reduce the risk of similar incidents going forward.</span></p><h3><b>Key Lesson</b></h3><p><span style="font-weight: 400;">This breach highlights the risk introduced by third-party systems handling customer information. Strong vendor oversight, continuous monitoring, and strict access controls remain critical for protecting customer data and limiting the impact of unauthorised access.</span></p><p><b>Date of Breach: December 3, 2025</b></p><p><b>Source: </b><a href="https://www.bleepingcomputer.com/news/security/freedom-mobile-discloses-data-breach-exposing-customer-data/?&amp;web_view=true" rel="noopener"><b>BleepingComputer</b></a></p><h2><b>5. SoundCloud Member Data Breach and VPN Disruption</b></h2><h3><b>Incident Overview</b></h3><p><span style="font-weight: 400;">SoundCloud confirmed unauthorized access to internal systems that resulted in member data being taken. The incident also caused disruption to internal VPN access, prompting an immediate security response and system review. The breach was publicly confirmed in December 2025.</span></p><h3><b>What Data Was Exposed</b></h3><p><span style="font-weight: 400;">SoundCloud stated that member data linked to internal systems was accessed. While full details were not publicly itemized, the data was associated with user accounts rather than core streaming content.</span></p><h3><b>Number of Affected Individuals</b></h3><p><span style="font-weight: 400;">The company did not release an exact figure at the time of disclosure.</span></p><h3><b>Business Impact</b></h3><p><span style="font-weight: 400;">The breach disrupted internal access systems and raised trust concerns among users. Operational teams were required to rotate credentials and re-establish secure access.</span></p><h3><b>Company Response</b></h3><p><span style="font-weight: 400;">SoundCloud restricted access, reviewed authentication controls, and initiated internal audits. 
Impacted users were notified as required.</span></p><h3><b>Key Lesson</b></h3><p><span style="font-weight: 400;">Identity and remote access systems remain high-value targets. Weak controls or compromised credentials can expose user data even when production services remain stable.</span></p><p><b>Date of Breach: December 15, 2025</b></p><p><b>Source: </b><a href="https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-after-member-data-stolen-vpn-access-disrupted/?&amp;web_view=true" rel="noopener"><b>Bleeping Computer</b></a></p><h2><b>6. Data Breach at 700Credit Exposes Data of 5.6 Million Individuals</b></h2><h3><b>Incident Overview</b></h3><p><span style="font-weight: 400;">700Credit, a U.S.-based provider of credit reporting and compliance tools for auto dealerships and lenders, disclosed a data breach that exposed sensitive personal information. The company confirmed that an unauthorised party gained access to certain internal systems that stored consumer data used for credit checks and risk assessments.</span><span style="font-weight: 400;"><br> </span><span style="font-weight: 400;"> The breach came to light after abnormal activity was detected within the environment, prompting an internal investigation and external forensic review.</span></p><h3><b>What Data Was Exposed</b></h3><p><span style="font-weight: 400;">Based on regulatory filings and public disclosures, the compromised data includes a mix of high-risk personal and financial information, such as:</span></p><ul> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Full names</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Social Security numbers</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Dates of birth</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Driver’s license numbers</span></li> <li style="font-weight: 400;" 
aria-level="1"><span style="font-weight: 400;">Credit-related records used by lenders and auto dealers</span></li> </ul><p><span style="font-weight: 400;">This type of data is commonly used in credit eligibility checks, which increases the risk of identity fraud if misused.</span></p><h3><b>Number of Affected Individuals</b></h3><p><span style="font-weight: 400;">700Credit confirmed that </span><b>at least 5.6 million individuals</b><span style="font-weight: 400;"> were impacted by the breach.</span><span style="font-weight: 400;"><br> </span><span style="font-weight: 400;"> The affected population includes consumers whose data was processed through dealerships, financial institutions, and lending partners that rely on 700Credit’s services.</span></p><h3><b> Business Impact</b></h3><p><span style="font-weight: 400;">The breach carries serious consequences across multiple fronts:</span></p><ul> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Regulatory scrutiny due to the scale and sensitivity of exposed information</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Mandatory breach notifications across multiple U.S. states</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Increased legal and compliance costs</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Reputational damage among lenders, auto dealers, and financial partners</span></li> </ul><p><span style="font-weight: 400;">For businesses that rely on third-party credit data providers, this incident also raises concerns about vendor risk and downstream exposure.</span></p><h3><b>Company Response</b></h3><p><span style="font-weight: 400;">700Credit stated that it took immediate steps to secure its systems once the issue was identified. 
Actions reported include:</span></p><ul> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Restricting unauthorised access</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Engaging cybersecurity and forensic experts</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Notifying affected individuals and regulators</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Offering credit monitoring and identity protection services to impacted users</span></li> </ul><p><span style="font-weight: 400;">The company has also indicated that it is reviewing internal controls and access management practices.</span></p><h3><b>Key Lesson</b></h3><p><span style="font-weight: 400;">This breach highlights a recurring issue across financial data ecosystems. Organisations handling credit and identity data must maintain strict visibility over who can access sensitive systems, how that access is monitored, and how third-party platforms are governed. A single lapse at a service provider can expose millions of individuals and create cascading risk for every partner connected to that platform.</span></p><p><b>Date of Breach: December 12, 2025</b></p><p><b>Source: </b><a href="https://techcrunch.com/2025/12/12/data-breach-at-credit-check-giant-700credit-affects-at-least-5-6-million/?web_view=true" rel="noopener"><b>TechCrunch</b></a></p><h2><b>Conclusion:</b></h2><p><span style="font-weight: 400;">The data breaches reported in December 2025 point to a clear issue. Exposure did not come from advanced tactics alone. It came from misconfigured applications, weak third-party controls, and limited visibility into where sensitive data actually lived. 
Once access was gained, organisations were forced into reactive mode, dealing with notifications, legal pressure, and customer trust damage.</span></p><p><span style="font-weight: 400;">This is exactly where </span><a href="https://strobes.co/in/"><b>Strobes Security</b></a><span style="font-weight: 400;"> changes the outcome. Strobes helps you continuously track assets, identify exposure early, prioritise what truly matters, and validate risk before it turns into an incident. Instead of reacting after data is exposed, teams gain clarity on misconfigurations, vendor risks, and attack paths while there is still time to act.</span></p><p><b>Explore how Strobes Security helps teams identify, prioritise, and reduce real exposure.</b><b><br> </b><b><a href="https://strobes.co/contact-us/"> Book a platform walkthrough</a> and see how continuous exposure management works.</b></p><p>The post <a rel="nofollow" href="https://strobes.co/blog/top-data-breaches-of-december-2025/">Top Data Breaches of December 2025</a> appeared first on <a rel="nofollow" href="https://strobes.co/">Strobes Security</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://strobes.co">Strobes Security</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Likhil Chekuri">Likhil Chekuri</a>. Read the original post at: <a href="https://strobes.co/blog/top-data-breaches-of-december-2025/">https://strobes.co/blog/top-data-breaches-of-december-2025/</a> </p>