Data breaches are common in headlines these days, but they are not equally spread out in terms of location. Data breaches occur far more often in some US states than others, and the number of records lost or stolen varies as well.
Comparitech analyzed data on the last 10 years worth of data breaches to find which US states suffer the most. We looked at both the number of data breaches and the number of records exposed.
Here are our key findings:
- California suffered the most data breaches and also had the most records exposed: 1,493 breaches since 2008, affecting nearly 5.6 billion records in total.
- That’s twice as many breaches as the runner up, New York, followed by Texas, Florida, and Georgia.
- South Dakota, North Dakota, Wyoming, West Virginia, and Hawaii suffered the fewest data breaches, each of them having had under 30 in total over the entire decade.
- Since 2008, 9,696 data breaches occurred across the US involving more than 10.7 billion records.
- The cost of each lost or stolen record is an average of $148, which amounts to more than $1.6 trillion lost since 2008.
- 2017 set a record for the most US data breaches: 1,683 in total.
- 2016 takes the top spot for number of records exposed: 4.6 billion.
The number of breaches is not always proportionate to the number of records exposed. In many cases, a single severe data breach accounts for the vast majority of records exposed in a state over the last decade.
US States with the most data breaches
These are the US states that have suffered the highest number of data breaches and the highest number of records breached since 2008:
# of breaches: 1,493
# of records exposed: 5.59 billion
It’s perhaps no surprise that California, a huge state and home to more tech and internet companies than any other, suffers the most breaches. California simply has a lot of data to breach. That being said it does take consumer privacy in other ways very seriously.
If a data breach occurs in the US, there’s a very high chance that the breached company is based in California. If not, then it could well have happened in a company incorporated in our next state…
# of breaches: 729
# of records exposed: 293 million
Similar to California, New York is home to a huge number of companies with big, valuable databases. The total number of records exposed, however, isn’t as high as for some states with a fraction of the number of breaches.
# of breaches: 661
# of records exposed: 288 million
Texas is the second biggest state in the US by both area and population, and that comes with a large number of companies and their valuable data.
The majority of records exposed through data breaches in Texas came out of the Epsilon breach in 2011. The email marketing firm leaked 50 million to 250 million email addresses and names. It worked with several big-name US retailers and financial companies like Kroger, Walgreens, Marriott Rewards, Capital One, and Citibank.
# of breaches: 152
# of records exposed: 1.37 billion
Oregon has a relatively high number of data breaches, but the vast majority of the 1.37 billion records leaked came from one source: River City Media. The company’s breach in 2017 exposed 1.34 billion email accounts, representing one of the largest data breaches of all time. River City Media collected information on millions of individuals without their consent as part of its spam operation, and then failed to protect that data. That information included email accounts, full names, IP addresses, and physical addresses.
# of breaches: 236
# of records exposed: 388 million
Bethesda, Maryland is home to Marriott International, which in 2018 suffered one of the largest data breaches in history. Of the total 388 million records exposed in the state over the last 10 years, the Marriott breach accounts for 383 million of them.
# of breaches: 523
# of records exposed: 353 million
Marketing Firm Exactis is responsible for the bulk of Florida’s exposed records. The company’s 2018 data breach of 340 million records included names, phone numbers, addresses, email addresses, interests, habits, ages, and genders of the majority of Americans. Much of that data was collected and held by Exactis without the victims’ knowledge.
# of breaches: 300
# of records exposed: 351 million
Georgia is home to what is possibly the most infamous data breach in history: Equifax. In May 2017, the Atlanta-based credit bureau announced a data breach involving 145.5 million Americans’ names, Social Security numbers, birth dates, addresses, and more. That doesn’t even include the non-Americans involved. Despite the breach having occurred more than two years ago, the data has yet to surface, leading some to believe it was a nation-state attack.
Data breaches by US state
|State||Total # of Data Breaches||Total # of Records Affected|
|District of Columbia||162||147,766,862|
Privacy Rights Clearinghouse and Identity Theft Resource Center collate information for data breaches across the US. We used these as our primary sources, while double-checking the information and removing any duplicates.
Where possible, the figures for the breaches have been assigned to the state where records were exposed. However, in some cases, the figures will be allocated to the state in which the company involved operates its headquarters; this is due to several states often being affected and a breakdown of figures per state being unavailable.
If the data breach was US-wide, it falls under “US” as it cannot be pinpointed to a state.
Even when we know where data breaches occur, the people whose data was exposed could be from anywhere.
In some instances, the breach occurred in a prior year but wasn’t brought to the attention of the authorities until much later.
Not every breach report lists the number of records exposed. It might be unknown or below the threshold imposed by the state.
The cost of a record is set according to the annual Cost of a Data Breach study dating back to 2014. There was no clear trend in cost per record between 2014 and 2018, so we used the 2014 report’s figure for years prior.
Data breaches by US state figures can be found in this spreadsheet.