OLYMPIA — The tally of data breaches reported by businesses, colleges, state agencies and private organizations in Washington climbed nearly 20 percent in 2019.
But the number of state residents potentially victimized by cybertheft of personal information was lower than the previous year, according to the state Attorney General’s report on data breaches released last month.
“This report highlights that data breaches remain a serious threat to our privacy,” Ferguson said in a press release.
Under state law, if a public or private entity suffers an unauthorized access of data, they must inform those whose personal information may have been compromised within 45 days. If more than 500 residents are affected, that entity must notify the attorney general’s office.
There were 60 such breaches between July 24, 2018 and July 23, 2019, according to the report. That’s up from 51 the year before.
Of those 60, 38 affected between 1,000 and 10,000 people and 13 impacted between 500 and 1,000 individuals. The single largest breach potentially impacted 50,000 residents.
Cyberattacks most often targeted Social Security numbers and financial account information. Medical information and driver’s license numbers were also sought in many of the breaches.
Overall, an estimated 390,000 people were impacted in 2019, a sharp decline from 2018 when breaches affected 3.4 million residents. However, 3.2 million were linked with the mega-breach of Equifax, the national credit reporting firm.
There were no such mega-breaches in the 2019 cycle. Setting aside the Equifax episode, the number of individuals impacted by small to medium-sized breaches more than doubled in 2019, going from 180,000 to 390,000.
In 2019, 38 of the breaches were reported from the business industry, a classification which covers retail, nonprofits, hospitality, manufacturing and 20 other types of corporate ventures. There were eight in health care, six in financial services, and four each from government agencies and educational institutions.
A copy of each breach notification can be found on the website for the Attorney General’s office.
Meanwhile, Washington is toughening its reporting rules under a new law crafted by Attorney General Bob Ferguson.
Starting March 1, 2020, the time allowed for notifying consumers and the Attorney General’s Office of a data breach will be trimmed from 45 to 30 days. Also, the types of personally identifiable information covered in notifications will be expanded to include information such as passport numbers, health insurance policy numbers, usernames and email addresses and biometrics such as fingerprints.