AG report: Washington state data breaches have reached an all-time high

A new report from the Washington Attorney General’s Office found that there were more data breaches in the state this year than there are residents.

A data breach is defined as an unauthorized acquisition of data that compromises security or confidentiality of personal information held by a person, business or agency.

Compromised information can include an individual’s name in combination with their Social Security number, driver’s license, medical information, and account numbers or credit card numbers.

According to the latest report, there were almost 11.6 million data breach notices issued in a single year. The report, covers the period from July 2023 to July 2024.

Prior to this year, the previous record was 6.5 million notices in 2021.

The 11.6 million figure also represents a 156% increase over the 4.5 million notices sent in 2023.

The data shows that cyberattacks were the most common type of breaches, representing 78% of all reported breaches.

Any Washington entities impacted by a data breach are required by state law to notify the Attorney General’s Office if the breach impacts more than 500 Washingtonians.

This year, the AGO received 279 data breach notifications, which represents the second highest recorded amount since 2016. The record is 286 data breach notices in 2021.

Out of the 279 data breaches, 217 were caused by cyberattacks in 2024. The most common form of cyberattacks was ransomware, which represented 52% of the 217 cyberattacks.

This is the fourth consecutive year in which ransomware attacks were the most common type of cyber attack, according to the AGO.

“For the first time ever, the number of notifications sent to Washingtonians in a single year exceeded the state’s population,” Attorney General Bob Ferguson stated in the report released on Tuesday. “With nearly a decade of trend data available, it is undeniable that significant changes to policies and industry practices are needed to curtail the growing frequency and intensity of data breaches affecting Washingtonians.”

Ferguson’s office recommends the state make improvements to its data breach notification law by reducing the data breach notification deadline to three days and expanding the definition of personal information.

Other recommendations include giving Washington residents more control over how their data is collected and used, requiring transparency from data brokers and data collectors, and consulting with tribes on how best to support their efforts in combating cyberattacks.

The report looks at Colorado's data privacy law, which went into effect in July 2023, for examples of how to give Washingtonians more control over their data.

Colorado’s law includes a requirement that businesses covered by the law must treat consumer opt-out signals as a valid request to not share or sell their personal information.

The AGO claims that if Washington businesses were required to honor opt-out signals, residents would have more control over their data and potentially reduce the impact of future data breaches.