AG Report: Data Breaches Decline for Second Consecutive Year, Remain Historically High

OLYMPIA, WA – Washington State Attorney General Bob Ferguson released his eighth annual data breach report today that shows data breaches remain at historic levels. However, the number of breaches and Washingtonians affected has gone down over the past two years.

This year, four million data breach notices went out to Washingtonians, approaching last year’s total of 4.8 million. The all-time record of 6.5 million breach notifications was set in 2021. The four million breach notices sent to Washingtonians represent the third-highest total since the Attorney General’s Office began tracking data breaches annually.

From A.G.’s Office:

The number of data breaches impacting at least 500 Washingtonians was also lower than previous years. The Attorney General’s Office received 133 notifications of this type of breach in 2023, compared to 150 in 2022 and 285 in 2021. Breaches impacting fewer than 500 Washingtonians do not require notice to the Attorney General.

Washingtonians can access the Attorney General’s database of breaches here.

“Data breaches are a serious threat to our security and my office will use this report as a guide to better protect Washingtonians,” Ferguson said. “We will continue to be a watchdog that protects Washingtonians’ privacy.”

[Graph: annual number of Washingtonians affected by data breaches since 2016]

Corporations collect and sell massive amounts of sensitive personal data. The more that this data is shared and collected, the more vulnerable consumers are to data breaches and cybercrime.

The Attorney General’s Office receives no funding to publish this report. The Legislature does not direct the office to publish the report. The Attorney General provides the report as a public service to provide Washingtonians with critical information to help them safeguard their data. The report is based on data breach notifications received between July 24, 2022 and July 23, 2023 that affected more than 500 Washingtonians’ personal information.

Cyberattacks remained the chief type of attack, accounting for 81 of 133 data breaches, or 61% of all data breaches. That number also trended down over time: cyberattacks accounted for 86% of all attacks in 2021 and 67% in 2022. Ransomware attacks accounted for approximately two-thirds of the cyberattacks. During ransomware attacks, an individual inserts malicious code into a network, then encrypts its data, which renders it inaccessible to the breached organization. Hackers then seek payment to release the data back to the organization.

The report includes resources and best practices for businesses that experience cyberattacks and individuals affected by data breaches. It also provides tips to mitigate the risks of data breaches.

Recommendations for policymakers

In 2023, 86 breaches, representing approximately two-thirds (64.7%) of all breaches reported, resulted in the compromise of a Washingtonian’s Social Security Number. Social Security Numbers are the second most commonly compromised piece of personal information in seven of the last eight years.

In 2019, Ferguson proposed, and the Legislature passed, a bill strengthening Washington’s data breach notification law. This legislation significantly expanded the definition of personal information, required notices to consumers to include the period of time their data was at risk and reduced the deadline to provide notice to consumers to 30 days after the discovery of a breach. These changes went into effect on March 1, 2020.

This year, the Legislature also passed a law to close the gap on health data privacy protections, provide Washingtonians more control of their health data and protect those who come from out of state to access reproductive and gender-affirming care. Ferguson partnered with Rep. Vandana Slatter, D-Bellevue, on the bill — HB 1155.

The report includes recommendations to policymakers to protect their data and minimize risks. Those recommendations include:

  • Requiring businesses to recognize and honor opt-out preferences to give Washingtonians more control over how their data is collected and used.
  • Expanding language access requirements for data breach notifications.
  • Requiring more transparency from data brokers and data collectors so Washingtonians know more about businesses that store and sell personal data, how they operate and the consumer information these entities control.
  • Expanding the definition of personal information in state law to include Individual Tax Identification Numbers and a full name in combination with a redacted Social Security Number using only its last four digits.