Data breaches are common in headlines these days, but they are not equally spread out in terms of location. Data breaches occur far more often in some US states than others, and the number of records lost or stolen varies as well.

Comparitech analyzed data on the last 10 years worth of data breaches to find which US states suffer the most. We looked at both the number of data breaches and the number of records exposed.

Here are our key findings:

  • California suffered the most data breaches and also had the most records exposed: 1,493 breaches since 2008, affecting nearly 5.6 billion records in total.
  • That’s twice as many breaches as the runner up, New York, followed by Texas, Florida, and Georgia.
  • South Dakota, North Dakota, Wyoming, West Virginia, and Hawaii suffered the fewest data breaches, each of them having had under 30 in total over the entire decade.
  • Since 2008, 9,696 data breaches occurred across the US involving more than 10.7 billion records.
  • The cost of each lost or stolen record is an average of $148, which amounts to more than $1.6 trillion lost since 2008.
  • 2017 set a record for the most US data breaches: 1,683 in total.
  • 2016 takes the top spot for number of records exposed: 4.6 billion.

The number of breaches is not always proportionate to the number of records exposed. In many cases, a single severe data breach accounts for the vast majority of records exposed in a state over the last decade.

US States with the most data breaches

These are the US states that have suffered the highest number of data breaches and the highest number of records breached since 2008:

California

# of breaches: 1,493

# of records exposed: 5.59 billion

It’s perhaps no surprise that California, a huge state and home to more tech and internet companies than any other, suffers the most breaches. California simply has a lot of data to breach. That being said it does take consumer privacy in other ways very seriously.

If a data breach occurs in the US, there’s a very high chance that the breached company is based in California. If not, then it could well have happened in a company incorporated in our next state…

New York

# of breaches: 729

# of records exposed: 293 million

Similar to California, New York is home to a huge number of companies with big, valuable databases. The total number of records exposed, however, isn’t as high as for some states with a fraction of the number of breaches.

Texas

# of breaches: 661

# of records exposed: 288 million

Texas is the second biggest state in the US by both area and population, and that comes with a large number of companies and their valuable data.

The majority of records exposed through data breaches in Texas came out of the Epsilon breach in 2011. The email marketing firm leaked 50 million to 250 million email addresses and names. It worked with several big-name US retailers and financial companies like Kroger, Walgreens, Marriott Rewards, Capital One, and Citibank.

Oregon

# of breaches: 152

# of records exposed: 1.37 billion

Oregon has a relatively high number of data breaches, but the vast majority of the 1.37 billion records leaked came from one source: River City Media. The company’s breach in 2017 exposed 1.34 billion email accounts, representing one of the largest data breaches of all time. River City Media collected information on millions of individuals without their consent as part of its spam operation, and then failed to protect that data. That information included email accounts, full names, IP addresses, and physical addresses.

Maryland

# of breaches: 236

# of records exposed: 388 million

Bethesda, Maryland is home to Marriott International, which in 2018 suffered one of the largest data breaches in history. Of the total 388 million records exposed in the state over the last 10 years, the Marriott breach accounts for 383 million of them.

Florida

# of breaches: 523

# of records exposed: 353 million

Marketing Firm Exactis is responsible for the bulk of Florida’s exposed records. The company’s 2018 data breach of 340 million records included names, phone numbers, addresses, email addresses, interests, habits, ages, and genders of the majority of Americans. Much of that data was collected and held by Exactis without the victims’ knowledge.

Georgia

# of breaches: 300

# of records exposed: 351 million

Georgia is home to what is possibly the most infamous data breach in history: Equifax. In May 2017, the Atlanta-based credit bureau announced a data breach involving 145.5 million Americans’ names, Social Security numbers, birth dates, addresses, and more. That doesn’t even include the non-Americans involved. Despite the breach having occurred more than two years ago, the data has yet to surface, leading some to believe it was a nation-state attack.

Data breaches by US state

StateTotal # of Data BreachesTotal # of Records Affected
Alabama1083,295,620
Alaska36793,743
Arizona14410,591,168
Arkansas571,405,442
California1,4935,594,622,963
Colorado1905,386,350
Connecticut1566,532,223
Delaware30383,420
District of Columbia162147,766,862
Florida523353,410,851
Georgia300350,628,949
Hawaii25285,390
Idaho39937,664
Illinois43215,575,367
Indiana209109,697,872
Iowa862,018,174
Kansas665,910,618
Kentucky1193,454,476
Louisiana66474,468
Maine554,309,383
Maryland236388,031,135
Massachusetts3626,184,127
Michigan1741,989,422
Minnesota19544,635,744
Mississippi33363,765
Missouri1623,834,923
Montana561,465,662
Nebraska48910,659
Nevada6724,522,806
New Hampshire87551,844
New Jersey225137,224,151
New Mexico49265,598
New York729293,126,396
North Carolina22712,512,541
North Dakota17422,198
Ohio2653,373,214
Oklahoma656,998,638
Oregon1521,374,735,326
Pennsylvania33317,041,047
Puerto Rico353,255,042
Rhode Island61196,119
South Carolina807,582,297
South Dakota1542,859
Tennessee1848,397,195
Texas661288,476,590
Utah994,035,795
Vermont65144,737
Virginia286207,803,558
Washington24280,810,321
West Virginia20105,605
Wisconsin1321,416,762
Wyoming1874,910
US201,194,146,780
Totals:9,69610,732,158,769

Methodology

Privacy Rights Clearinghouse and Identity Theft Resource Center collate information for data breaches across the US. We used these as our primary sources, while double-checking the information and removing any duplicates.

Where possible, the figures for the breaches have been assigned to the state where records were exposed. However, in some cases, the figures will be allocated to the state in which the company involved operates its headquarters; this is due to several states often being affected and a breakdown of figures per state being unavailable.

If the data breach was US-wide, it falls under “US” as it cannot be pinpointed to a state.

Even when we know where data breaches occur, the people whose data was exposed could be from anywhere.

In some instances, the breach occurred in a prior year but wasn’t brought to the attention of the authorities until much later.

Not every breach report lists the number of records exposed. It might be unknown or below the threshold imposed by the state.

The cost of a record is set according to the annual Cost of a Data Breach study dating back to 2014. There was no clear trend in cost per record between 2014 and 2018, so we used the 2014 report’s figure for years prior.

Our data:

Data breaches by US state figures can be found in this spreadsheet.

Sources: