
Beyond the Mystery: How Better Data Controls Could Address ITRC’s 69% Unknown Breach Problem
The most disturbing finding in the Identity Theft Resource Center’s (ITRC) 2025 reports isn’t the 1,732 data breaches affecting 165,745,452 individuals in just six months. It’s that 69% of these breaches—1,191 incidents—came with no explanation of how attackers gained access.
This isn’t just a statistics problem. It’s a fundamental crisis in organizational security: most breached companies literally cannot tell regulators, customers, or even themselves how their defenses failed. In an era of strict data protection regulations and sophisticated threats, this blindness represents both a compliance nightmare and a security disaster.
The 69% Mystery: What We Don’t Know Can Hurt Us
The ITRC’s H1 2025 Data Breach Report documents an uncomfortable truth about modern cybersecurity: we’re fighting an enemy we can’t see. When 69% of breach notifications lack attack vector details, it means organizations are missing the basic visibility needed to understand their own security incidents.
This isn’t necessarily about incompetence or negligence. Modern IT environments are complex, with data flowing through multiple systems, vendors, and communication channels. Without comprehensive monitoring and audit trails at every potential entry point, breaches can occur through gaps organizations didn’t even know existed.
The implications are severe. How can you prevent the next breach when you don’t know how the last one happened? How can you assure regulators you’ve addressed vulnerabilities when you can’t identify them? How can you improve defenses when you’re essentially fighting in the dark?
What We Do Know: Patterns from the Identified 31%
While most breaches remain unexplained, the 31% with identified attack vectors reveal concerning patterns. According to the ITRC’s 2025 Trends in Identity Report:
- 43% of identity compromises resulted from victims sharing PII in scams
- Impersonation scams increased 148% year-over-year
- 53% of identity misuse involves account takeovers
- Supply chain attacks affected 690 entities through just 79 initial breaches
These known attack vectors share common characteristics: they exploit communication channels, take advantage of trust relationships, and often involve data moving between organizations or individuals. The PowerSchool breach exemplifies this, with 71,900,000 victims affected through a single compromised system.
The account takeover epidemic shows specific patterns, with checking accounts representing 22% of takeovers, social media 19%, and credit cards 17%. Personal tech accounts saw a staggering 754% increase. These statistics from the known breaches likely represent patterns within the unknown 69% as well.
Key Takeaways
- The 69% Unknown Represents a Fundamental Visibility Crisis: The ITRC reports reveal that 1,191 out of 1,732 breach notifications couldn’t identify attack vectors, indicating organizations lack basic monitoring and audit capabilities. This blindness prevents effective incident response, regulatory compliance, and future breach prevention.
- Known Attack Patterns Point to Communication and Trust Exploitation: Among the 31% of identified breaches, 43% involved victims sharing PII in scams and impersonation attacks increased 148%, suggesting criminals target data exchange points. While we can’t assume the unknown 69% follow similar patterns, these known vectors highlight the importance of securing all communication channels.
- Supply Chain Attacks Demonstrate the Cascading Impact of Visibility Gaps: With 79 supply chain breaches affecting 690 entities and 78.3 million individuals, the ITRC data shows how limited visibility into vendor relationships creates exponential risk. Organizations must extend their monitoring and control capabilities beyond their immediate boundaries to include third-party data exchanges.
- Comprehensive Data Controls Offer Both Prevention and Detection: Modern platforms that provide complete audit trails, real-time monitoring, and behavioral analytics address both security and compliance needs. By implementing these controls, organizations can move from reactive breach response to proactive threat detection and regulatory readiness.
- The Path from Mystery to Mastery Requires Fundamental Changes: Solving the 69% unknown problem isn’t about adding more security tools but creating unified visibility across all data movements. Organizations must assume breaches will occur and build their controls accordingly, prioritizing forensic capabilities and comprehensive monitoring alongside traditional prevention measures.
The Visibility Gap: Why Organizations Can’t See Their Own Breaches
The 69% mystery points to fundamental gaps in how organizations monitor and control their data:
Fragmented Systems: Data moves through email, file transfers, cloud storage, APIs, and countless other channels. Most organizations lack unified visibility across these disparate systems. Each might have some logging, but without centralized monitoring, attacks that cross systems become invisible.
Third-Party Blind Spots: The 79 supply chain breaches affecting 690 entities highlight how data shared with vendors enters a visibility void. Once data leaves your direct control, tracking becomes nearly impossible with traditional tools. The PowerSchool incident shows how one vendor’s vulnerability can cascade across entire ecosystems.
Insufficient Logging: Many systems provide basic access logs but lack the detailed audit trails needed for forensic investigation. Knowing someone accessed a file is different from knowing what they did with it, where they sent it, or whether the behavior matched normal patterns.
Reactive vs. Proactive Monitoring: Organizations often discover breaches through external notifications rather than internal detection, suggesting monitoring focuses on known threats rather than anomaly detection. By the time external indicators appear, the breach timeline may be lost in expired logs.
Building Visibility Through Better Data Controls
Addressing the 69% unknown requires comprehensive data controls that provide visibility throughout the data lifecycle. This isn’t about implementing a single solution but creating an ecosystem of controls that work together:
Unified Audit Trails: Every data access, movement, and modification must be logged in a centralized, tamper-proof system. Modern platforms create immutable records that can reconstruct exact breach timelines, capturing not just who accessed what, but complete context including time, location, device, and specific actions taken.
Real-Time Monitoring: Static logs aren’t enough. Organizations need active monitoring that can identify anomalous behavior as it happens, not months later during a forensic investigation. This means analyzing patterns, comparing against baselines, and triggering alerts on suspicious activity.
End-to-End Tracking: Data controls must follow information from creation through deletion, including when shared externally. This means implementing technologies that maintain visibility even after data leaves your immediate environment—crucial given the supply chain attack patterns.
Behavioral Analytics: With AI-powered attacks becoming more sophisticated, controls must identify unusual patterns that might indicate compromise, even when the activity comes from legitimate credentials. This transforms security from reactive to proactive threat identification.
Role of Secure Data Exchange
While secure data exchange isn’t a silver bullet for all breaches, modern platforms like Kiteworks Private Data Network address many visibility gaps identified in the ITRC reports:
Complete Audit Trails: Every file access, download, and share is logged with user, time, location, and action details. This eliminates the “unknown” factor for data moving through these channels. Unlike traditional systems, these logs capture the full context needed for forensic investigation.
Supply Chain Visibility: When the ITRC reports 79 supply chain attacks cascading to 690 entities, it highlights the need for controlled vendor communications. Secure exchange platforms maintain visibility and control even after sharing, enabling instant revocation if compromise is detected and providing audit trails across organizational boundaries.
Anomaly Detection: By establishing baseline behavior for data access, these platforms can flag unusual activities that might indicate compromise—whether from external attackers or insider threats. This proactive detection addresses a key weakness in traditional security.
Compliance Documentation: With regulations requiring specific breach disclosures, comprehensive audit trails ensure organizations can meet notification requirements and demonstrate due diligence. This automatic documentation reduces investigation time and regulatory penalties.
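The baseline comparison described under Anomaly Detection and Behavioral Analytics can be sketched as a per-user profile of download volume and known devices, with each new event scored against it even though the login itself succeeded. This is an added example, not any vendor's detection logic; the tuple layout, the thresholds and the sample history are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_baseline(history):
    """history: iterable of (user, day, device, files_downloaded) tuples."""
    volumes, devices = defaultdict(list), defaultdict(set)
    for user, _day, device, count in history:
        volumes[user].append(count)
        devices[user].add(device)
    return {user: {"mean": mean(v), "std": pstdev(v), "devices": devices[user]}
            for user, v in volumes.items()}

def score_event(baseline, event, z_threshold=3.0, min_std=1.0):
    """Return the list of reasons an event deviates from the user's baseline."""
    user, _day, device, count = event
    profile = baseline.get(user)
    if profile is None:
        return ["no_baseline"]  # an account never seen before is itself notable
    reasons = []
    # Floor the deviation so a perfectly regular user does not divide by zero
    # or alert on a change of one file.
    std = max(profile["std"], min_std)
    if (count - profile["mean"]) / std > z_threshold:
        reasons.append("volume_spike")
    if device not in profile["devices"]:
        reasons.append("new_device")
    return reasons

def sample_history():
    """Constructed five-day history for two users; all values are made up."""
    alice = [("alice", d, "laptop-1", n) for d, n in enumerate([10, 12, 9, 11, 13], 1)]
    bob = [("bob", d, "desktop-7", n) for d, n in enumerate([3, 4, 2, 5, 3], 1)]
    return alice + bob

def triage(events):
    """Score constructed day-6 events against the sample baseline."""
    baseline = build_baseline(sample_history())
    return {(e[0], e[2], e[3]): score_event(baseline, e) for e in events}
```

Called with day-6 events, `triage` returns an empty reason list for activity that fits the profile and one or more reasons otherwise, which is the signal an analyst or alerting rule would act on.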
Compliance Imperative
The ITRC’s findings have serious regulatory implications. GDPR requires breach notification within 72 hours with specific details about the nature of the breach. CCPA mandates disclosure of categories of information involved. HIPAA requires documentation of how protected health information was compromised.
When 69% of organizations can’t provide these details, they face:
- Increased regulatory scrutiny and investigations
- Higher fines for inadequate breach notifications
- Extended investigation periods lasting months instead of weeks
- Reputational damage from perceived incompetence
- Potential litigation from affected individuals
The inability to explain breaches becomes evidence of inadequate security controls in litigation. Plaintiff attorneys argue that not knowing equals not caring—a powerful narrative that resonates with juries and regulators alike.
Modern data controls that provide comprehensive visibility aren’t just about security—they’re about compliance survival. Organizations with proper audit trails can respond to regulatory inquiries in days rather than months, demonstrate appropriate technical measures, and show clear remediation steps based on identified vulnerabilities.
From Mystery to Mastery
The path from the current 69% unknown to comprehensive breach visibility requires acknowledging that traditional security approaches have failed. Organizations built their defenses assuming they could see attacks coming. The ITRC data proves otherwise.
The solution requires rethinking data security from the ground up:
- Assume breaches will happen and build visibility accordingly
- Implement controls that provide forensic capabilities, not just prevention
- Treat every data exchange as a potential vulnerability requiring monitoring
- Create unified visibility across all data movements and access points
This transformation demands more than technology—it requires organizational commitment to visibility. Security teams must collaborate with IT, compliance, and business units to map data flows and implement comprehensive monitoring. Leadership must understand that not knowing how breaches occur is no longer acceptable in today’s regulatory environment.
Conclusion: The Known Path Forward
While 69% of breaches remain unexplained, the solution path is clear. Organizations must implement comprehensive data controls that provide visibility throughout the data lifecycle. This includes modern secure exchange platforms, unified monitoring systems, and a culture that prioritizes visibility alongside prevention.
The ITRC’s 2025 reports serve as a wake-up call: we can’t secure what we can’t see. By addressing the visibility crisis through better data controls, organizations can move from reactive breach notifications full of unknowns to proactive security with complete situational awareness.
The question isn’t whether your organization is among the 69% who can’t explain their breaches—statistically, you probably are. The question is whether you’ll implement the controls needed to join the 31% who can see, understand, and ultimately prevent their security incidents.
The mystery of the unknown 69% doesn’t have to remain unsolved. The tools and technologies exist to bring light to these dark corners of organizational security. What’s needed now is the will to implement them before becoming another statistic in next year’s report.
Frequently Asked Questions
According to the ITRC’s H1 2025 Data Breach Report, 1,191 out of 1,732 breach notifications lacked attack vector details, indicating organizations lack comprehensive logging, monitoring, and audit trails across their IT environments. This visibility gap often results from fragmented systems, insufficient data controls, and limited tracking of information once it’s shared externally.
Among identified breaches, the ITRC found 43% involved victims sharing PII in scams, impersonation attacks increased 148%, and 53% of identity misuse involved account takeovers. Additionally, 79 supply chain attacks cascaded to affect 690 entities, suggesting that communication channels and third-party relationships represent significant vulnerabilities.
The ITRC documented 79 supply chain attacks affecting 690 entities and 78,320,240 individuals, with incidents like PowerSchool impacting 71.9 million people through a single breach. These cascading failures often occur because organizations lose visibility and control over data once it’s shared with vendors, making it impossible to detect or prevent downstream compromises.
Modern data control platforms provide comprehensive audit trails, real-time monitoring, and behavioral analytics that can identify anomalous access patterns. Solutions like secure data exchange platforms with zero-knowledge encryption offer complete visibility into file access and sharing, while SIEM integration helps correlate events across multiple systems to identify attack patterns.
Organizations unable to identify attack vectors face serious regulatory consequences under GDPR (72-hour notification with specific details), CCPA (disclosure requirements), and HIPAA (documentation mandates). The ITRC’s finding that 69% lack this information suggests widespread compliance failures that could result in increased fines, extended investigations, and reputational damage.