U.S. companies and government agencies suffered a record 1,093 data breaches last year, a 40 percent increase from 2015, according to the Identity Theft Resource Center.

Headline-grabbing hacks, with victims ranging from Wendy’s to the Democratic National Committee, are increasing despite regulatory scrutiny and more aggressive cybersecurity spending. Worldwide spending on security-related hardware, software and services rose to $73.7 billion in 2016 from $68.2 billion a year earlier, according to researcher IDC. And that number is expected to approach $90 billion in 2018.

“We are extremely confident that breaches are undiscovered and underreported, and we don’t know the full scope,” Eva Casey Velasquez, chief executive of the Identity Theft Resource Center, said in an interview. “This isn’t the worst-case scenario we are looking at; this is the best-case scenario.”

Data breaches in 2016 exposed everything from Social Security numbers to user account login names and passwords. Attacks known as phishing, in which an employee is tricked into clicking on an e-mailed link to give hackers access to a corporate network, accounted for about 56 percent of all breaches last year, according to the center. That’s up from 38 percent in 2015. In many cases, employees received an e-mail purporting to be from their company’s chief executive or other high-level managers.

“When we look at these massive numbers of records and percentages, it’s very easy to forget that each of these data points is a person, and there’s someone behind this who is being very adversely affected,” Velasquez said.

Criminals can use stolen information such as Social Security numbers, addresses and names to file false tax returns, order credit cards and to siphon money out of consumers’ bank accounts.

Adam Levin, chairman of the security company CyberScout, which sponsored the report, said training employees about data privacy and security is essential. “A lot of companies don’t do it,” he said.

The Identity Theft Resource Center, which has been tracking breaches since 2005, compiles its reports using data listed on state regulators’ websites, as well as by filing Freedom of Information Act requests with various government agencies. Many data breaches still aren’t included in these numbers.