OLYMPIA, Wash. — Attorney General Bob Ferguson released his sixth annual Data Breach Report in November. In the last year, breached businesses and agencies sent 6.3 million notices to Washingtonians — by far the largest number of notifications sent to Washingtonians since the Attorney General’s Office began tracking this number. 2018 set the previous record of 3.5 million breach notices sent to Washingtonians.
The report finds that the number of data breaches reported to the Attorney General’s Office also skyrocketed to 280, blowing past the previous record of 78 and last year’s total of 60. In other words, this year’s total represents a 500 percent increase over last year.
Additionally, the report identifies a tremendous spike in cyberattacks and ransomware incidents. Ransomware — a type of cyberattack in which cybercriminals use malicious code to hold data hostage in hopes of receiving a ransom payment from the data holders — represents a growing and significant threat to consumers and businesses. The Attorney General’s Office recorded 150 ransomware incidents in 2021 — more than the previous five years combined.
“We publish this report because Washingtonians are best able to safeguard their data when they are aware of the threats — and the threats have never been greater,” Ferguson said.
The Attorney General’s Office receives no funding to publish this report. The Legislature does not direct the Office to publish the report. The Attorney General provides the report as a public service to provide Washingtonians with critical information to help them safeguard their data.
The report includes recommendations to policymakers and best practices for the public to protect their data and minimize risks.
The public can access the Attorney General’s database of breaches here.
Multiple data breach records set in 2021
2021 set a new record for the highest number of data breach notices sent to Washingtonians (6.3 million), data breaches reported (280), cyberattacks reported (245), and ransomware attacks reported (150).
State law requires organizations that experience a data breach to send notices to all consumers whose data was exposed, and report breaches impacting 500 or more Washingtonians to the Attorney General’s Office. Breached businesses and agencies sent 6.3 million of these notices to Washingtonians in 2021. Many Washingtonians likely received more than one notice.
Cyberattacks and ransomware attacks spiked in 2021
Cyberattacks caused 87.5% of all reported data breaches in 2021. In 2020, cyberattacks accounted for 63% of all reported breaches. Businesses reported 38 cyberattacks in 2020. Since the Attorney General’s Office started tracking and reporting on data breaches, 2017 set the previous record with 52 reported cyberattacks.
More than half – 150 of 245 of all cyberattacks reported in 2021 — involved ransomware. The report includes best practices for avoiding and mitigating ransomware attacks.
A new “mega breach”
The Attorney General’s Office recorded the first “mega breach” — a breach that affects 1 million people or more — since 2018. The cyberattack targeted Accellion, a company that provides file-sharing technology. This resulted in the exposure of files from the Washington State Auditor’s Office that contained the personal information of about 1.3 million Washingtonians.
Several factors contributed to increases in data breaches
Several factors likely contributed to this year’s significant increase in notices:
- Consumers storing more of their data online, as the COVID-19 pandemic continues to keep many people working from home;
- Targeting of large data processors like Blackbaud and Accellion, which contract with hundreds of organizations, making a single data breach much more impactful;
- A 200 percent increase in the number of breaches impacting more than 50,000 Washingtonians compared to 2020; and
- The 2019 legislative update to Washington’s requirements for notice which expanded the number of breaches covered by the law, and requires agencies and companies to provide earlier and more detailed notice to consumers.
During the COVID-19 pandemic, Washingtonians are increasingly relying on digital and online services that collect user data to conduct business, go to school, find entertainment and communicate with friends and family. This increase in online activity may create more opportunities for cybercriminals to steal personal information and underlines the importance of Washington’s data breach notification laws.
The 2021 report makes recommendations to policymakers on enhancing protection of personal data, including expanding the definition of personal information to include Individual Tax Identification Numbers as well as the last four digits of a Social Security number.
Ferguson’s push to better identify and limit data breaches
Attorney General Ferguson has repeatedly taken action to protect Washingtonians when companies fail to reasonably secure data or provide timely notice regarding breaches. Ferguson led a coalition of 30 state attorneys general investigating a data breach by Premera Blue Cross, the largest health insurance company in the Pacific Northwest. As a result of that investigation, the office announced in July 2019 that Premera would pay $10 million for failing to secure sensitive consumer data and for misleading consumers before and after a data breach affecting millions across the country.
Also in July 2019, the office announced that Equifax would pay more than half a billion dollars because of a 2017 data breach affecting nearly 150 million people nationwide.
Since 2014, Ferguson’s office has required several corporations with large data breaches that impacted Washingtonians’ privacy — Premera, Equifax, Uber and Target Corporation — to enter into legally enforceable agreements to improve their data security.
The data used in the report is acquired through a high-level review of breach notices submitted to the office. A list of all data breach notices that have been sent to the office since 2015 is publicly available at: https://www.atg.wa.gov/data-breach-notifications. Information for businesses on reporting data breaches is available at www.atg.wa.gov/identity-theft-and-privacy-guide-businesses.
Content Source: Office of the Washington State Attorney General