Washington State

Office of the Attorney General

Attorney General

Bob Ferguson

The charts on this page contain the most up-to-date information our office has on data breaches affecting Washingtonians. This data comes from the notifications we receive from affected entities and is updated daily. Some charts have interactive elements, including filters and yearly breakdowns – you can hover your mouse over these charts for more details.

Cause of Breaches

Data breaches fall into three broad categories:

  1. Cyberattack: A third party deliberately attempts to access secured data, such as information stored on a server, using cyber technology. The attack can use a skimmer, spyware, phishing email, ransomware or similar means of accessing secure data remotely.
  2. Theft or mistake: The mistaken loss of information, such as a clerical error that sent W-2 information to an unintended recipient, or the inadvertent theft of information, such as stealing a laptop that happened to contain patient medical records.
  3. Unauthorized access: An unauthorized person purposefully accesses secure data through means such as an unsecured network or sifting through sensitive documents left out on a desk.

Cyberattacks

Cyberattacks can occur in a number of ways. Some of the most common methods include:

  • Malware: The installation of malicious code onto a website, server or network in order to disrupt the system or covertly obtain access to the data held within.
  • Ransomware: A unique type of malware that holds data hostage while seeking a ransom payment from the breached entity. Typically, cybercriminals insert malicious code into an entity’s network that encrypts its data, thus locking the entity out of its own data.
  • Phishing: The practice of sending a fraudulent communication, often via e-mail, that appears to be from a financial institution, government, employer or other entity in order to fool the recipient into providing their information or into downloading malware through an attachment or included link.
  • Skimmers: A malicious card reader attached to payment terminals, such as those at an ATM or gas station, which collects data on cards inserted into the terminal. Often cybercriminals will use the skimmer in conjunction with a device to record PIN information, such as a fake PIN pad or hidden camera.

Washington Residents Affected

The AGO’s estimates for the total number of affected Washington residents come from the notices of breached organizations. By law, breached organizations must report to the Attorney General the total number of data breach notices they have sent to Washington residents.

To reiterate, the above totals are a sum of all the data breach notices sent to Washingtonians and may not reflect the exact number of individual Washingtonians impacted by data breaches in a given year. This is because an individual Washingtonian can be impacted by multiple breaches (causing an over count), or the breached entity might not have the ability to identify all of the affected individuals (causing an under count).

However, because this is the best method we have of estimating the breadth of impact to Washingtonians, we refer to it as the “Number of Washingtonians Affected.”

Types of Personal Information Compromised

Washington law requires notification to the AGO when a data breach includes personal information (PI). Washington defines PI as:

  • An individual’s first name or first initial and last name in combination with any of the following:
      • Social Security number;
      • Driver’s license number or Washington identification card number;
      • Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to their account, or any other numbers or information that can be used to access a person’s financial account;
      • Student, military, or passport identification numbers;
      • Health insurance policy or identification numbers;
      • Full date of birth;
      • Private keys for electronic signature;
      • Medical information, including medical history, mental or physical condition, diagnoses, or treatment; or
      • Biometric data.
  • An individual’s username or email address in combination with a password or security questions and answers that would permit access to an online account.

Additionally, any of the above elements, not in combination with first name or initial and last name, are considered personal information if the affected data was not encrypted or redacted and its acquisition would enable a person to commit identity theft against the consumer.

Industries Affected by Data Breaches

In addition to tracking the types of data targeted by breaches, our office also tracks trends in the types of industries that are affected by data breaches. Traditionally, businesses are the most targeted organizations. However, since 2020, the number of breaches targeting the government and health care sectors has steadily increased.

Data Breach Lifecycles

The resolution of a breach involves two steps:

  1. Identification of the breach;
  2. Subsequent containment of the breach.

“Identification” represents the number of days that pass between the start of the breach and its discovery by the affected organization.

“Containment” represents the number of days that pass between discovering the breach and restoring the integrity of the data system.

The sum of these two measurements represents the “life cycle” of a breach.

Breaches with long life cycles are of particular concern because they extend the amount of time consumers are exposed to risk.