Attorney General Bob Ferguson recently released his ninth annual data breach report, revealing a record-breaking surge in data breaches affecting Washingtonians. For the first time, the number of individual notices sent out exceeded the state’s population. Over 11.6 million data breach notices were issued this year — an increase of nearly seven million compared to last year’s total of 4.8 million and five million more than the previous high in 2021.
“The more people know about data breaches, the more they can protect themselves,” Ferguson said. “This report offers recommendations for responding to a growing problem and continues to be a resource for Washingtonians looking for ways to protect their personal information.”
The report attributes the dramatic rise in affected individuals partly to two major incidents: data breaches at Comcast and the Fred Hutchinson Cancer Center. Each of these “mega breaches” — defined as impacting over a million individuals — contributed to the unprecedented number. This marks the first time in state history that more than one mega breach occurred in a single year.
Cyberattacks, particularly ransomware attacks, were the most common cause of breaches, accounting for 78% of all incidents, up from 68% in 2023. Of those, ransomware alone represented 52% of cyberattacks and 41% of all reported breaches.
“Corporations collect and sell massive amounts of sensitive personal data,” Ferguson said. “The more that this data is shared and collected, the more vulnerable consumers are to data breaches and cybercrime.”
The report also noted a sharp increase in the number of large-scale breaches. This year, 279 breaches affecting at least 500 Washingtonians were reported, a significant rise from 178 breaches last year and the second-highest total on record. Only 2021 saw more, with 286 breaches reported. Smaller breaches impacting fewer than 500 individuals do not require notification to the Attorney General’s Office.
Social Security numbers remain a frequent target, with 194 breaches — approximately 69.5% of all reported incidents — resulting in the compromise of Social Security numbers. These numbers have been among the most frequently compromised types of personal data in every report since 2016.
Ferguson emphasized the growing risks posed by data collection.
“The more that this data is shared and collected, the more vulnerable consumers are to data breaches and cybercrime,” he said.
The Attorney General’s report serves as a public resource to help Washingtonians protect their personal information. It provides recommendations for individuals affected by breaches, tips for businesses experiencing cyberattacks, and strategies for reducing risks. Prepared without legislative mandate or funding, the report is based on breach notifications received between July 24, 2023, and July 23, 2024.
Ferguson’s ongoing efforts to strengthen data privacy protections have already led to legislative reforms. In 2019, his office successfully proposed updates to Washington’s data breach notification law, including an expanded definition of personal information, shorter notification timelines, and additional requirements for businesses to inform consumers about breaches.
In 2023, Ferguson partnered with Rep. Vandana Slatter, D-Bellevue, to pass the My Health My Data Act, which closed gaps in health data privacy protections and gave Washingtonians greater control over their personal health information. The law also protects out-of-state individuals accessing reproductive or gender-affirming care in Washington.
Ferguson’s 2024 report outlines further recommendations for policymakers to address the growing threat of data breaches. Key proposals include:
• Reducing the deadline for businesses to notify individuals of a breach from 30 days to three days;
• Requiring data breach notifications to be issued in multiple languages to ensure accessibility;
• Expanding the definition of “personal information” to include a full name paired with a redacted Social Security number or individual tax identification number;
• Mandating businesses to recognize and honor global opt-out requests, allowing consumers to avoid manually opting out of data-sharing on every website they visit;
• Increasing transparency among data brokers by requiring annual reporting, state licensing, and regulatory fees; and
• Collaborating with tribal governments to support their efforts in combating cyberattacks.
Ferguson emphasized the importance of both consumer awareness and proactive measures by policymakers.
“This report isn’t just about the numbers,” Ferguson said. “It’s about giving Washingtonians the tools to protect their data and urging lawmakers to act so we can reduce the risks for everyone.”
