Thursday, January 30, 2025

How Mega Data Breaches Dominated in 2024

2024 was the year of the mega-data breach, with six breaches accounting for 85%, or 1.4 billion, of the 1.7 billion breach notices sent to victims in 2024. That’s according to the Identity Theft Resource Center’s annual Data Breach report, released early Tuesday. At least 100 million breach notices were sent out after each mega-breach.

Overall, the total number of breaches in 2024 essentially remained flat from the prior year, totaling 3,158, a 1% decrease from the record 3,202 breaches tracked in 2023, according to the 19th edition of the annual report.

The five largest breaches, based on the number of notices sent to victims, were against Ticketmaster Entertainment LLC (560 million notices), Advance Auto Parts Inc. (380 million), Change Healthcare (190 million), data aggregator DemandScience by Pure Incubation (121.7 million), and AT&T Inc. (110 million).

The financial-services industry was the most-breached industry, with 737 reported breaches, followed by health care (536), professional services (345), manufacturing (317), and technology (162). From 2018 to 2024, health care was the industry most “attacked” by hackers, the ITRC says.

While cyberattacks remain the primary root cause of data breaches, 70% of breach notices did not include attack information, up from 58% in 2023. It is the fifth consecutive year that the number of breach notices sent without listing attack information increased. “Before 2020, the number of deficient breach notices was at or near zero,” the report says.

Despite federal and state regulators establishing data-breach disclosure requirements, those documents are essentially a “patchwork quilt of state laws and federal regulations with wildly varying … requirements” that lead to “a significant amount of underreporting,” the report says.

To illustrate its point, the ITRC says that, on average, nine data breaches are reported in the United States daily, while 335 are reported daily in the European Union, which also requires data-breach notifications.

The good news is that 40% of states have adopted comprehensive privacy laws. And the ITRC expects to see more state privacy laws introduced and passed in the absence of a uniform federal privacy law.

Another potential bright spot is the increasing adoption of passkeys, which, unlike passwords, aren’t stored on centralized databases and are less vulnerable to large-scale data breaches. What makes passkeys more secure is that they are generated by a consumer’s device and used to log in to Web sites and apps without the need to enter a password.

By contrast, passwords are a user-created string of characters required to verify a consumer’s identity, which makes them more vulnerable to phishing and other types of cyberattacks.

“Today’s password practices require users to remember a credential and organizations to store them in databases that can be compromised. Passkeys, though, can’t be stolen, and users cannot self-compromise because they never know the access key,” ITRC president James E. Lee says in the report’s introduction.

Passkey technology is rapidly finding its way into the mainstream, with 94% of all devices now ready to use passkeys and technology companies such as Amazon.com and Microsoft Corp. offering access to passkeys to 100% of users, according to the FIDO Alliance, whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. 

Digital Transactions