Other LanguagesData breach notices sent to Washingtonians over past year exceed state’s population
OLYMPIA — Attorney General Bob Ferguson released his ninth annual data breach report today that shows data breaches reached an all-time high since his office started tracking them nearly a decade ago.
This year, just over 11.6 million data breach notices went out to Washingtonians — five million more than the previous all-time high in 2021. The number is up significantly compared to last year’s total of 4.8 million. It is the first time ever that the number of individual notices sent exceeds the state’s population.
The number of data breaches impacting at least 500 Washingtonians was also up to 279 this year, the second highest recorded since 2016 and significantly more than the 178 reported last year. The only year with more was 2021, when the Attorney General’s Office received 286 notices. Breaches impacting fewer than 500 Washingtonians do not require notice to the Attorney General.
Washingtonians can access the Attorney General’s database of breaches here.
“The more people know about data breaches, the more they can protect themselves,” Ferguson said. “This report offers recommendations for responding to a growing problem and continues to be a resource for Washingtonians looking for ways to protect their personal information.”
A data breach is an unauthorized acquisition of data that compromises security, confidentiality or integrity of personal information maintained by an individual, business or agency. Corporations collect and sell massive amounts of sensitive personal data. The more that this data is shared and collected, the more vulnerable consumers are to data breaches and cybercrime.
In the past year, cyberattacks, particularly ransomware attacks, remained the most common type of breaches, representing 78% of all reported breaches. That is up from 68% in 2023. Ransomware attacks accounted for more than half (52%) of all cyberattacks and more than a third (41%) of the total breaches. During ransomware attacks, an individual inserts malicious code into a network, then encrypts its data, which renders it inaccessible to the breached organization. Hackers seek payment to release the data back to the organization.
The significant increase in the number of Washingtonians affected by data breaches over the past year is in part due to two mega breaches at Comcast and Fred Hutchinson Cancer Center. It was the first time more than one mega breach — a data breach that affects more than a million Washingtonians — was reported in a single year.
The report also found that 194 breaches — just over two-thirds (69.5%) of all breaches — caused a Washingtonian’s Social Security number to be compromised. Social Security numbers have been among the top three most compromised pieces of personal information in every report since 2016.
The report includes resources and best practices for businesses who experience cyberattacks and individuals affected by data breaches. It also provides tips to mitigate the risks of data breaches.
The Attorney General’s Office receives no funding to publish this report. The Legislature does not direct the office to publish the report. The Attorney General provides the report as a public service to provide Washingtonians with critical information to help them safeguard their data. The report is based on data breach notifications received between July 24, 2023 and July 23, 2024 that affected more than 500 Washingtonians’ personal information.
Recommendations to policymakers and past reforms
In 2019, Ferguson successfully proposed legislation strengthening Washington’s data breach notification law. This legislation significantly expanded the definition of personal information, required notices to consumers to include the period of time their data was at risk, and shortened the timeline to provide notice to consumers to 30 days after the discovery of a breach. These changes went into effect on March 1, 2020.
In 2023, Ferguson partnered with Rep. Vandana Slatter, D-Bellevue to successfully propose the My Health My Data Act. House Bill 1155 closed the gap on health data privacy protections, provided Washingtonians more control of their health data and protected those who come from out of state to access reproductive and gender-affirming care.
The 2024 data breach report includes recommendations to policymakers to protect Washingtonians’ data and minimize risks. Those recommendations include:
- Reducing the deadline to provide notice of a data breach to three days;
- Creating requirements for sending data breach notifications in languages other than English;
- Expanding the definition of “personal information” to include an individual’s full name in combination with a redacted Social Security number and individual tax identification numbers;
- Requiring businesses to recognize and honor opt-out preference signals, also known as “global opt-out” or single opt-out requests, that help consumers avoid the burden of manually opting out of data sharing on every site they visit;
- Requiring transparency from data brokers and collectors through annual reporting, state licensing and regulatory fees; and
- Consulting with tribes on how best to support their efforts in combatting cyberattacks.
For more information about data breaches, past reports and protecting your private data, visit the Attorney General’s Data Breach Resource Center: atg.wa.gov/data-breach-resource-center.
-30-
Washington’s Attorney General serves the people and the state of Washington. As the state’s largest law firm, the Attorney General’s Office provides legal representation to every state agency, board, and commission in Washington. Additionally, the Office serves the people directly by enforcing consumer protection, civil rights, and environmental protection laws. The Office also prosecutes elder abuse, Medicaid fraud, and handles sexually violent predator cases in 38 of Washington’s 39 counties. Visit www.atg.wa.gov to learn more.
Media Contact:
Brionna Aho, Communications Director, (360) 753-2727; Brionna.aho@atg.wa.gov
General contacts: Click here