skip to main content
caption: FILE: Attorney General Bob Ferguson speaks during a community rally in support of DACA recipients on Tuesday, September 5, 2017, at El Centro De La Raza in Seattle.
Enlarge Icon
FILE: Attorney General Bob Ferguson speaks during a community rally in support of DACA recipients on Tuesday, September 5, 2017, at El Centro De La Raza in Seattle.
Credit: KUOW Photo/Megan Farmer

Most Washingtonians experienced a data breach this year, new report finds

Data breaches have reached an all-time high for Washingtonians. About 6.3 million Washington state residents — that's most of them — received notices from breached businesses and agencies over the last year, according to a new report published by Attorney General Bob Ferguson’s office.

That's an approximately 80% increase from the previous record of 3.5 million data breach notifications in 2018. In 2020, roughly 1 million Washingtonians were caught in the middle of data breaches.

The new report also notes a significant uptick in cyber and ransomware attacks, which accounted for nearly 88% of all reported data breaches this year.

One such attack targeted the file sharing tech company Accellion, leading to the exposure of personal data kept by the Washington State Auditor’s Office last winter. The breach impacted approximately 1.3 million Washingtonians’ personal data, including their names, social security numbers, and banking account information.

In addition to the Accellion mega breach and a smaller scale breach of the software company Blackbaud, state officials have attributed the high number of data breaches this year to a general increase in them being reported. They've also cited a rise in digital information sharing during the pandemic, as more residents have relied on online services.

State law requires institutions that license or own digital or hard copy personal data to notify Washington state residents about security breaches affecting them. Those notifications must include the length of time a resident’s data was at risk, and must be sent within 30 days of a breach being discovered.

In light of the increased number of breaches, the Attorney General’s Office is recommending to the Legislature an expansion of the definition of “personal information” to include fully and partially redacted social security numbers, and individual tax identification numbers.