< Blogs

Home > Featured Blogs > Lessons Learned From 2025: Breaches Are Borderless And Regulators Are Watching

Lessons Learned From 2025: Breaches Are Borderless And Regulators Are Watching

Sandy Carielli, VP, Principal Analyst

Enza Iannopollo, VP, Principal Analyst

Danielle Chittem, Senior Research Associate

Mar 10 2026

2025 was another year defined by massive data breaches and privacy fines, with over 10.6 billion records exposed and nearly $2.8 billion in penalties among the year’s most notable incidents. In our newest report, Lessons Learned From The World’s Biggest Data Breaches And Privacy Abuses, 2025, we analyzed the top 35 breaches and the trends for privacy violations and fines to uncover top trends from 2025 and what lessons security professionals must learn from them.

No One Is Safe

In 2025, no single industry dominated the top breaches. While public sector and healthcare breaches still led the way, other industries were not far behind. Six of the top ten breaches took place in APAC, with 6.7 billion records being compromised in China alone. When analyzing the top privacy violations, we found that privacy regulators issued almost $2.8 billion in fines. The highest fine of 2025, a $1.375 billion settlement with Google in Texas, was levied for tracking and collecting customer data without their knowledge.

A few key lessons to learn from these breaches and fine include:

Your response defines your reputation. It turns out that the old adage “actions speak louder than words” is actually true. While an apology after a breach is a good start, it means little if you don’t follow it up with meaningful action. Forrester’s Global Government, Society, And Trust Survey, 2025 shows that 30% of US consumers would stop doing business permanently with a company that lost their data. Rebuilding trust after a major breach requires transparent communication AND concrete actions that show your commitment to security and accountability.

Ready or not, AI oversight is here. In 2025, data privacy authorities fined firms for AI-based monitoring, automated decision-making, and for failing to document high-risk processing. This shows that DPAs don’t need AI-specific laws to enforce related privacy violations. To stay ahead, organizations must understand which regulations apply to their current AI usage and launch AI compliance programs.

These are just a few of the lessons uncovered in our analysis of 2025’s top breaches and fines. Read the full report, Lessons Learned From The World’s Biggest Data Breaches And Privacy Abuses, 2025, and join us for our upcoming webinar on April 30, to dive deeper into our recommendations that you can use to stay ahead of evolving threats.

Get The Insights At Work Newsletter

Country*

Yes, I’d like to receive Forrester’s Insights At Work newsletter and receive occasional survey invitations and marketing communications.

Thanks for signing up.

Stay tuned for updates from the Forrester blogs.

Get The Insights At Work Newsletter

Country*

Yes, I’d like to receive Forrester’s Insights At Work newsletter and receive occasional survey invitations and marketing communications.

Thanks for signing up.

Stay tuned for updates from the Forrester blogs.

Categories

Get The Insights At Work Newsletter

Thanks for signing up.

Now On Demand: 2026 Tech And Security Predictions

Missed it live? Watch our on-demand webinar to explore our 2026 predictions. Learn what tech and security leaders must do to lead with trust and value.

Regulators Are Moving On SBOMs — But Is Your Compliance Program Keeping Pace?

2026 Really Is This Risky: Our Top Recommendations For CISOs

Get The Insights At Work Newsletter

Thanks for signing up.