OLYMPIA — Washington State Attorney General Bob Ferguson released his sixth annual Data Breach Report last week.
According to the report, breached businesses and agencies sent 6.3 million notices to Washingtonians last year — by far the largest number of notifications sent to Washingtonians since the Attorney General’s Office began tracking this number. The previous record of 3.5 million breach notices sent to Washingtonians in 2018.
The report finds that the number of data breaches reported to the Attorney General’s Office also skyrocketed to 280, blowing past the previous record of 78 and last year’s total of 60.
Additionally, the report identifies a tremendous spike in cyberattacks and ransomware incidents. Ransomware — a type of cyberattack in which cybercriminals use malicious code to hold data hostage in hopes of receiving a ransom payment from the data holders — represents a growing and significant threat to consumers and businesses. The Attorney General’s Office recorded 150 ransomware incidents in 2021 — more than the previous five years combined.
“We publish this report because Washingtonians are best able to safeguard their data when they are aware of the threats — and the threats have never been greater,” Ferguson said.
State law requires organizations that experience a data breach to send notices to all consumers whose data was exposed, and report breaches impacting 500 or more Washingtonians to the Attorney General’s Office. Breached businesses and agencies sent 6.3 million of these notices to Washingtonians in 2021. Many Washingtonians likely received more than one notice.
Cyberattacks and ransomware attacks spiked in 2021
Cyberattacks caused 87.5% of all reported data breaches in 2021. In 2020, cyberattacks accounted for 63% of all reported breaches. Businesses reported 38 cyberattacks in 2020. Since the Attorney General’s Office started tracking and reporting on data breaches, 2017 set the previous record with 52 reported cyberattacks.
More than half – 150 of 245 of all cyberattacks reported in 2021 — involved ransomware.
A new “mega breach”
The Attorney General’s Office recorded the first “mega breach” — a breach that affects 1 million people or more — since 2018. The cyberattack targeted Accellion, a company that provides file-sharing technology. This resulted in the exposure of files from the Washington State Auditor’s Office that contained the personal information of about 1.3 million Washingtonians.
According to the Attorney General’s Office (AGO), several factors likely contributed to this year’s significant increase in notices:
• Consumers storing more of their data online, as the COVID-19 pandemic continues to keep many people working from home;
• Targeting of large data processors like Blackbaud and Accellion, which contract with hundreds of organizations, making a single data breach much more impactful;
• A 200 percent increase in the number of breaches impacting more than 50,000 Washingtonians compared to 2020; and
• The 2019 legislative update to Washington’s requirements for notice which expanded the number of breaches covered by the law, and requires agencies and companies to provide earlier and more detailed notice to consumers.
According to the AGO, during the COVID-19 pandemic Washingtonians are increasingly relying on digital and online services that collect user data to conduct business, go to school, find entertainment and communicate with friends and family. This increase in online activity may create more opportunities for cybercriminals to steal personal information and underlines the importance of Washington’s data breach notification laws.
The 2021 report makes recommendations to policymakers on enhancing protection of personal data, including expanding the definition of personal information to include Individual Tax Identification Numbers as well as the last four digits of a Social Security number.
A list of all data breach notices that have been sent to the office since 2015 is publicly available at: https://www.atg.wa.gov/data-breach-notifications. Information for businesses on reporting data breaches is available at www.atg.wa.gov/identity-theft-and-privacy-guide-businesses.
