Owner of Cup of Bliss Coffee Shop Charged in Shovel Attack
Gov. Wolf Says Pennsylvania Will Pickup the Postage Cost for Mail-In-Ballots

A Breakdown of Data Breaches by State

PAUL BISCHOFF

TECH WRITER, PRIVACY ADVOCATE AND VPN EXPERT

COMPARITECH

Data breaches are common in headlines these days, but they are not equally spread out in terms of location. Data breaches occur far more often in some US states than others, and the number of records lost or stolen varies as well.

US-state-data-breaches
Data breaches are common in headlines these days, but they are not equally spread out in terms of location. Data breaches occur far more often in some US states than others, and the number of records lost or stolen varies as well.

 

Puerto Rico is not included in this map.

Comparitech analyzed the number of data breaches from 2005 to present to find out which US states suffer the most. We looked at both the number of data breaches and the number of records exposed.

Here are our key findings:

  • California suffered the most data breaches and also had the most records exposed: 1,777 breaches since 2005, affecting nearly 5.6 billion records in total.
  • That’s over twice as many breaches as the runner up, New York (863), which is followed by Texas (819), Florida (638), and Illinois (533).
  • North Dakota, South Dakota, Wyoming, West Virginia, and Puerto Rico suffered the fewest data breaches, each of them having had 33 or under over the entire fourteen-and-a-half years.
  • Since 2005, 12,098 data breaches occurred across the US involving more than 11.1 billion records.
  • The current cost of each lost or stolen record is $150 on average (according to an IBM study), which amounts to more than $1.66 trillion lost since 2005.
  • 2017 set a record for the most US data breaches: 1,683 in total.
  • 2016 takes the top spot for number of records exposed: 4.6 billion.

The number of breaches is not always proportionate to the number of records exposed. In many cases, a single severe data breach accounts for the vast majority of records exposed in a state over the last decade.

Although we attribute breaches to the states where they occurred, the breached records often impact people in several or all US states.

Puerto Rico is not included in this map.

US States with the most data breaches

These are the US states that have suffered the highest number of data breaches and the highest number of records breached since 2005:

California

# of breaches: 1,777

# of records exposed: 5.6 billion

It’s perhaps no surprise that California, a huge state and home to more tech and internet companies than any other, suffers the most breaches. California simply has a lot of data to breach. That being said it does take consumer privacy in other ways very seriously.

If a data breach occurs in the US, there’s a very high chance that the breached company is based in California. If not, then it could well have happened in a company incorporated in our next state…

New York

# of breaches: 863

# of records exposed: 296 million

Similar to California, New York is home to a huge number of companies with big, valuable databases. The total number of records exposed, however, isn’t as high as for some states with a fraction of the number of breaches.

Texas

# of breaches: 819

# of records exposed: 295 million

Texas is the second-biggest state in the US by both area and population, and that comes with a large number of companies and their valuable data.

The majority of records exposed through data breaches in Texas came out of the Epsilon breach in 2011. The email marketing firm leaked 50 million to 250 million email addresses and names. It worked with several big-name US retailers and financial companies like Kroger, Walgreens, Marriott Rewards, Capital One, and Citibank.

Oregon

# of breaches: 182

# of records exposed: 1.38 billion

While Oregon has a relatively low number of data breaches compared to the states mentioned above, it does have the second-highest number of records affected. The vast majority of the 1.37 billion records leaked came from one source: River City Media. The company’s breach in 2017 exposed 1.34 billion email accounts, representing one of the largest data breaches of all time. River City Media collected information on millions of individuals without their consent as part of its spam operation, and then failed to protect that data. That information included email accounts, full names, IP addresses, and physical addresses.

Maryland

# of breaches: 285

# of records exposed: 388 million

Bethesda, Maryland is home to Marriott International, which in 2018 suffered one of the largest data breaches in history. Of the total 388 million records exposed in the state over the last 10 years, the Marriott breach accounts for 383 million of them.

Florida

# of breaches: 638

# of records exposed: 356 million

Marketing Firm Exactis is responsible for the bulk of Florida’s exposed records. The company’s 2018 data breach of 340 million records included names, phone numbers, addresses, email addresses, interests, habits, ages, and genders of the majority of Americans. Much of that data was collected and held by Exactis without the victims’ knowledge.

Georgia

# of breaches: 365

# of records exposed: 355 million

Georgia is home to what is possibly the most infamous data breach in history: Equifax. In May 2017, the Atlanta-based credit bureau announced a data breach involving 145.5 million Americans’ names, Social Security numbers, birth dates, addresses, and more. That doesn’t even include the non-Americans involved. Despite the breach having occurred more than two years ago, the data has yet to surface, leading some to believe it was a nation-state attack.

State Total # of Data Breaches Total # of Records Affected
Alabama 127 5,759,952
Alaska 42 2,255,560
Arizona 181 10,905,610
Arkansas 74 1,568,464
California 1,777 5,604,164,335
Colorado 244 7,372,814
Connecticut 191 7,511,586
Delaware 50 636,171
District of Columbia 189 148,382,228
Florida 638 355,660,019
Georgia 365 355,331,875
Hawaii 33 682,982
Idaho 50 1,286,990
Illinois 533 21,582,351
Indiana 269 110,351,941
Iowa 114 2,484,067
Kansas 81 6,387,245
Kentucky 136 3,623,799
Louisiana 83 749,802
Maine 69 4,378,565
Maryland 285 388,461,514
Massachusetts 431 7,302,719
Michigan 226 10,851,171
Minnesota 246 45,470,352
Mississippi 41 370,565
Missouri 202 4,589,556
Montana 72 1,637,832
Nebraska 65 1,507,583
Nevada 92 25,752,176
New Hampshire 104 598,140
New Jersey 269 150,028,157
New Mexico 68 519,795
New York 863 295,801,833
North Carolina 290 27,406,656
North Dakota 19 440,698
Ohio 361 6,278,403
Oklahoma 75 7,347,113
Oregon 182 1,380,348,717
Pennsylvania 438 17,614,927
Puerto Rico 33 1,685,456
Rhode Island 67 206,955
South Carolina 102 7,656,310
South Dakota 21 45,179
Tennessee 223 9,612,731
Texas 819 294,847,285
Utah 117 4,546,054
Vermont 82 245,441
Virginia 359 311,628,882
Washington 299 81,289,253
West Virginia 30 108,432
Wisconsin 163 8,173,146
Wyoming 22 103,063
US 186 1,358,221,906

Methodology

Privacy Rights Clearinghouse and Identity Theft Resource Center collate information for data breaches across the US. We used these as our primary sources, while double-checking the information and removing any duplicates.

Where possible, the figures for the breaches have been assigned to the state where records were exposed. However, in some cases, the figures will be allocated to the state in which the company involved operates its headquarters; this is due to several states often being affected and a breakdown of figures per state being unavailable.

If the data breach was US-wide, it falls under “US” as it cannot be pinpointed to a state.

Even when we know where data breaches occur, the people whose data was exposed could be from anywhere.

In some instances, the breach occurred in a prior year but wasn’t brought to the attention of the authorities until much later.

Not every breach report lists the number of records exposed. It might be unknown or below the threshold imposed by the state.

The cost of a record for all of the years up to 2018 is set according to the annual Cost of a Data Breach study dating back to 2014 – $148. There was no clear trend in cost per record between 2014 and 2018, so we used the 2014 report’s figure for years prior. For 2019/20 figures, we used IBM’s updated Cost of a Data Breach study which put the cost per record at $150.

Our data:

Data breaches by US state figures can be found in this spreadsheet.

Author

Paul Bischoff is the editor of Comparitech and a consumer privacy expert. He's been writing about the tech industry since 2012 for publications like Tech in Asia, Mashable, and various startup blogs. He's also been cited as an expert by the New York Times, BBC, The Guardian, Engadget, Wired, Gizmodo, Forbes, and many more. At Comparitech, he covers topics like cybersecurity, digital privacy, VPNs, encryption, net neutrality, censorship, and identity theft. You can find him on Twitter at @pabischoff.

Comments