Data Breaches by Month: Why January, March & November Are the Most Dangerous Times to Be Online


The Seasonality of Data Breaches — and What It Means for You

Cybercriminals do not take vacations. But they do follow a calendar.

That might sound like an odd thing to say about people whose entire business model depends on stealth and surprise. But five years of breach data, cross-referenced across the Verizon Data Breach Investigations Report, the Identity Theft Resource Center’s annual filings, and IBM’s Security X-Force Threat Intelligence Index, reveals something most security guides never mention: data breaches are not randomly distributed across the year. They cluster. They spike. And the spikes line up, almost precisely, with the rhythms of ordinary human life.

Tax deadlines. Holiday shopping. Corporate budget cycles. Back-to-school season. The moments when people are most distracted, most rushed, and most likely to click without thinking are also the moments when attackers are most active.

Understanding the calendar of cybercrime does not require a security background. It just requires knowing where to look. Here is what the data shows, month by month.

HOW CYBERCRIMINALS PLAN THEIR YEAR

The three-phase operation behind January, March, and November attacks — and the dark web economy that makes it work.

Phase 1 · Harvest (Collect): Feb · Apr · May · Jun · Jul · Aug · Sep · Oct
The quiet months aren’t quiet for attackers. They’re building inventory.
Retail data from holiday breaches sold in bulk
Credentials harvested from phishing campaigns
Identity packages assembled from multiple leaks
Network interception on summer travel routes
Dark web listings prepared for peak-season buyers

Phase 2 · Prep (Prepare): Dec · Jan (early)
Skeleton-crew windows used to test credentials and position for the strikes ahead.
Credential stuffing against banking portals
Identity packages sorted by SSN + income data
Fraudulent return templates prepared per jurisdiction
Phishing email campaigns drafted and tested
Mule accounts set up for refund routing

Phase 3 · Strike: Jan (late) · March · November
Three precision windows. Each tied to a moment when your guard is lowest.
January: Harvest post-holiday credential dumps
March: File fraudulent tax returns before you do
March: Intercept tax documents in transit
November: Deploy fake checkout flows on Black Friday
November: Harvest new card data for next year’s cycle


Every Month of the Year, Ranked by Cyber Risk

JANUARY | RISK: HIGH

The New Year Hangover Attack Window

The first two weeks of January are what security researchers sometimes call the ‘hangover window.’ IT teams are returning from holiday leave, security patches scheduled before December 31 are often still pending, and employees are logging back in from home networks using devices that have not been updated in two weeks. Attackers know this.

Credential stuffing attacks, where hackers use username and password combinations leaked from holiday-season retail breaches, spike in the first ten days of January. The logic is simple: people shop with the same passwords they use for work email. December gives attackers the credentials. January is when they use them.

Verizon DBIR 2024: Credential-based attacks account for 31% of all breach initiation vectors. Post-holiday periods see a measurable uptick as stolen retail credentials are tested against corporate systems.

“The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises,” said Chris Novak, Sr. Director of Cybersecurity Consulting, Verizon Business.

FEBRUARY | RISK: MEDIUM

Valentine’s Day Phishing Season

February is quieter than January for infrastructure attacks, but phishing campaigns peak around Valentine’s Day. Researchers at Cofense documented a 200% increase in romance-themed phishing emails in the two weeks surrounding February 14th, a figure consistent across 2022, 2023, and 2024.

The mechanics are straightforward. People expect promotional emails in February. They are emotionally primed to click. Fake delivery notifications (‘your gift is on its way’), fake e-card links, and fake charity donation receipts all carry the same payload: credential harvesters or malware droppers dressed in seasonal packaging.

Cofense Phishing Defense Center, 2024: Romance-themed phishing emails increase by approximately 200% in the two weeks around Valentine’s Day, with click-through rates 34% higher than baseline phishing campaigns.

MARCH | RISK: CRITICAL

Tax Season Opens. So Do the Floodgates.

March is the single highest-risk month of the year for individual consumers, and it is not particularly close. The opening of tax season in the United States, and the equivalent filing periods across the UK, Canada, and Australia, creates a perfect environment for attackers. People are actively seeking, sending, and opening documents containing their most sensitive financial data: Social Security numbers, bank account details, employer information, prior year returns.

The IRS reported over 294,138 identity theft tax fraud cases in 2023 alone, with the majority of fraudulent returns filed in March and early April, before legitimate taxpayers file. Attackers who have harvested identity data throughout the year deploy it in March, when the window for fraudulent refund claims is widest. The ITRC’s 2024 report flagged financial services as the second most breached sector, with March consistently among the peak months for account takeover attempts.

IRS Identity Theft Statistics, 2023: 294,000+ identity theft tax fraud cases reported. ITRC 2024: Financial services account for 744 documented breaches annually, with Q1 representing the highest quarterly concentration.

APRIL & MAY | RISK: MEDIUM

The Quiet Before the Summer Storm

April and May represent a relative lull, what IBM’s X-Force team has described as a ‘tactical reset’ period. Attack volumes dip as tax-season campaigns wind down and summer-oriented scams have not yet ramped up. This is, historically, the best two-month window for organizations to conduct security audits, push deferred patches, and run staff phishing simulations.

That said, ‘relative lull’ is doing a lot of work in that sentence. The ITRC still documented over 400 breach incidents across April and May 2023 combined. The lull is real. It is just not a holiday.

IBM X-Force Threat Intelligence Index 2024: Q2 consistently shows the lowest quarterly breach initiation rates, approximately 18% below Q4 peaks. Security teams are advised to use this window for proactive hardening.

JUNE & JULY | RISK: HIGH

Summer Travel Season: Public WiFi’s Worst Months

The summer months do not spike in breach volume the way January or November do. What they spike in is network-level interception, the kind that happens when millions of people connect to airport, hotel, and holiday resort WiFi without a second thought. Kaspersky’s threat intelligence data shows WiFi-based attack attempts increase by 37% in June and July compared to the annual average.

Business travel compounds the exposure. Remote workers checking corporate email from hotel lobbies, freelancers working from co-working spaces in cities they have never visited, tourists managing banking apps on networks they cannot vet. The attacks are opportunistic rather than coordinated, but the harvest is real. A 2023 Symantec study found that 1 in 4 public WiFi hotspots at major global airports had no encryption whatsoever.

AUGUST & SEPTEMBER | RISK: MEDIUM

Back to School, Back to Phishing

August and September mark the return of a reliable seasonal campaign: education-sector phishing. Universities and schools are onboarding thousands of new students simultaneously, all of whom are receiving legitimate emails from IT departments asking them to set up accounts, reset passwords, and verify enrollment. Attackers send identical-looking emails. The click rates are, by any measure, alarming.

The education sector was the most breached sector in the United States in 2023 according to the ITRC, ahead of healthcare, ahead of financial services. Much of that breach activity concentrates in August and September. Students and faculty are not uniquely careless. They are simply being targeted at the one moment when receiving a password-reset email from an unfamiliar sender seems completely normal.

ITRC 2024 Annual Report: Education ranked as the most frequently breached sector in the US in 2023, with 809 incidents. Q3 represents the peak quarter for education-sector attacks.

OCTOBER | RISK: HIGH

Cybersecurity Awareness Month — and Attackers Are Aware

October is officially Cybersecurity Awareness Month, which means organizations run training campaigns, employees complete phishing simulations, and security teams publish blog posts like this one. It also means attackers ramp up, not down. The increased volume of security-themed communications in October creates ideal cover for social engineering attacks, because users are primed to receive security warnings and are more likely to click on one that looks official.

October is also the beginning of the holiday retail build-up. E-commerce platforms begin their pre-Black Friday promotional pushes. Consumers start making purchases across a wider range of retailers than usual, many of whom have weaker security postures than the platforms shoppers use year-round. Each new retailer account is a new attack surface.

IBM X-Force 2024: Social engineering attacks, including pretexting and phishing, increase in Q4, with October marking the beginning of the holiday-season spike. Retail sector breach incidents rise 22% in Q4 versus Q2 average.

NOVEMBER | RISK: CRITICAL

Black Friday, Cyber Monday, and the Busiest Month in Cybercrime

November is, by most metrics, the most dangerous month of the year for consumers. Black Friday and Cyber Monday generate more online transactions in a 96-hour window than most months produce in total. In 2023, Adobe Analytics recorded $9.8 billion in US online spending on Black Friday alone — a 7.5% increase over 2022. Every one of those transactions is a data point. Many of them travel across networks that offer no protection.

Phishing campaigns themed around shipping notifications, discount codes, and order confirmations reach annual peaks in November. Researchers at Proofpoint documented a 92% increase in retail-themed phishing emails in November 2023 versus the October baseline. Fake tracking links, spoofed retailer confirmation emails, and fraudulent gift card offers all carry credential harvesters or payment skimmers. The volume is high enough that even security-conscious users can struggle to distinguish legitimate communications from malicious ones.

Proofpoint Threat Report 2023: Retail-themed phishing emails increase 92% in November versus October baseline. Adobe Analytics: $9.8B in US Black Friday online spending in 2023. FBI IC3 2023: Online shopping fraud complaints spike 41% in November-December versus annual average.

DECEMBER | RISK: HIGH

The Skeleton Crew Vulnerability

December’s threat profile is different from November’s. The volume of consumer-facing attacks begins to ease as the shopping season peaks and then fades. What rises in December is corporate infrastructure attacks — and the reason is simple: the security team is on holiday leave. Reduced staffing, delayed incident response, and patching schedules pushed to January create windows that sophisticated attackers specifically wait for.

The SolarWinds breach, first detected in December 2020, is the canonical example. Attackers had been present in affected networks for months, but December — with its reduced monitoring and slower response times — is when the activity was most consequential. The Cybersecurity and Infrastructure Security Agency (CISA) has specifically flagged the December holiday period as a heightened risk window for critical infrastructure attacks in three consecutive annual advisories.

CISA Advisory 2023: Three consecutive annual warnings flagging the December holiday period as a heightened risk window for critical infrastructure attacks due to reduced staffing. Verizon DBIR 2024: Mean time to breach detection increases 19% in December versus the annual average.

What This Calendar Means for You

The seasonality of cybercrime is not a reason to panic in November and relax in April. Breaches happen every month, and the relative safety of May is still not safe. What the calendar reveals is something more useful: the specific moments when your normal behavior — checking your bank account at an airport, clicking a shipping notification, filing your taxes online — becomes significantly higher risk than it would be at other times of year.

Awareness of that calendar is the first layer of defense. The second layer is making sure that the connection you are using to conduct sensitive activities — particularly on networks you do not control — is not broadcasting your data to anyone nearby who knows how to listen.

The calendar of cybercrime is not random. It follows the rhythms of ordinary life — tax deadlines, holiday shopping, summer travel. Knowing the pattern is the first step to staying ahead of it.

The attackers have always known what time of year it is. Now you do too.


Sources: Verizon Data Breach Investigations Report (2022–2024); IBM X-Force Threat Intelligence Index (2023–2024); Identity Theft Resource Center Annual Data Breach Reports (2022–2024); IRS Identity Theft Statistics (2023); Proofpoint Threat Report (2023); Cofense Phishing Defense Center Annual Report (2024); Kaspersky Security Bulletin (2024); Symantec Network Security Study (2023); CISA Annual Advisories (2021–2023); Adobe Analytics Holiday Shopping Data (2023); FBI Internet Crime Complaint Center (IC3) Annual Report (2023).

Author: Arsalan Rashid

Date: March 9, 2026


A marketing geek turning clicks into customers and data into decisions, chasing ROI like it’s a sport.
