The number of Washington residents affected by data breaches reached an all-time high, according to an annual report issued this week by the state Attorney General’s Office.
The number of individual data breaches affecting 500 or more Washingtonians reached 279 between July 24, 2023 and July 23, 2024, resulting in 11.6 million data breach notices being sent to the state’s residents. This is the first time that the number of notices exceeded the state’s population of almost eight million, according to an attorney general’s office news release.
The 2024 numbers increased from the 178 breaches reported in 2023, which required 4.5 million notices to be sent to Washingtonians. The previous all-time breach record was in 2021, when 286 data breaches were reported, with 6.5 million notices.
The significant increase in the number of Washington residents affected in this year’s report is due in part to two mega-breaches at Comcast and Fred Hutchinson Cancer Center, which each affected more than a million Washington residents.
“These statistics underscore our state’s critical need for comprehensive data privacy regulation. We live in an internet-driven economy that relies on mass collection and retention of our personal data,” said Attorney General Bob Ferguson in the report. Ferguson’s office has produced the report every year since 2016.
Cyberattacks (deliberate hacking) caused 78% of the breaches in the 2024 report, compared to 67% in 2022 and 64% in 2022, according to the report. A handful were caused by mistakes or inadvertent thefts. The rest were unauthorized people accessing paper copies or obtaining data without hacking. Ransomware attacks accounted for 113 of the 217 breaches, the report said.
The report’s recommendations to legislators include:
- Reducing the data breach notification deadline to three days and classifying Individual Tax Identification Numbers as “personal information” that could lead to other data being stolen.
- Requiring businesses to give Washingtonians more control over how their data is collected and used.
- Improving transparency from data brokers and data collectors.
- Consulting Indigenous nations on how best to support their efforts in combating cyberattacks.