Six mega-breaches accounted for 85 percent of victim notices; four of the largest breaches were preventable
SAN DIEGO, Jan. 28, 2025 /PRNewswire-PRWeb/ -- Today, the Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime, will release its 2024 Annual Data Breach Report, its 19th edition, at the Identity, Authentication and the Road Ahead Cybersecurity Policy Forum hosted by the Better Identity Coalition, the FIDO Alliance and the ITRC.
According to the 2024 Annual Data Breach Report, the number of U.S. data compromises in 2024 (3,158) decreased one (1) percent compared to 2023 (3,202), 44 events away from tying a record for the number of compromises tracked in a year.
The number of data breach notices issued in the past year (1,728,519,397) increased 312 percent from 2023 (419,337,446). The increase was primarily due to six "mega-breaches" that resulted in at least 100 million breach notices being issued in each event. Mega-breach victim notices totaled more than 1.4 billion of the more than 1.7 billion victim notices issued in 2024. If the six mega-breaches are excluded, the ~266 million other victim notices issued last year decreased by 36 percent compared to 2023.
According to the 2024 Annual Data Breach Report, approximately 70 percent of cyberattack-related breach notices did not include attack information, compared to 58 percent in 2023. In 2019 and previous years, ~100 percent of breach notices included attack vector information.
In 2024, the Financial Services industry, led by Commercial Banks and Insurance, was the most breached industry, followed by Healthcare (the most attacked industry each year from 2018 until 2024), Professional Services, Manufacturing and Technology.
"Our 2024 Annual Data Breach Report reveals troubling trends," said Eva Velasquez, CEO of the Identity Theft Resource Center. "With a near-record number of compromises and over 1.7 billion victim notices, often tied to inadequate cyber practices, we are also seeing an increase in notices that provide limited actionable information for victims."
"On a positive note, 40 percent of states have enacted comprehensive privacy laws to better protect consumers," noted Velasquez. "Innovative technologies like passkeys offer promising solutions to prevent breaches caused by stolen and compromised passwords, which accounted for four of the six mega-breaches."
Trends Highlighted in the 2024 Annual Data Breach Report Include:
- Better cyber practices and requirements could have prevented at least 196 compromises and more than 1.2 billion victim notices. Attacks using stolen credentials against Ticketmaster, Advance Auto Parts, AT&T, Change Healthcare and other organizations could have been blocked with the addition of multi-factor authentication (MFA) or passkeys.
- State and Federal disclosure requirements are having no significant impact on data breaches. New Securities and Exchange Commission breach disclosure rules resulted in a 60 percent increase in disclosures in 2024. However, less than ten (10) percent of the notices included details of the event.
- There were fewer Zero Day and Supply Chain attacks. However, they had more significant impacts. Supply Chain attacks directly impacted 134 organizations and indirectly impacted 657 entities, resulting in 203 million victim notices. At least 190 million notices were related to the Change Healthcare breach.
Other Findings in the 2024 Annual Data Breach Report Include:
- Publicly traded companies represented only seven (7) percent (221 companies) of all compromised organizations. However, they issued 76 percent of victim notices in 2024.
- Of the 133 cyberattacks against publicly traded companies resulting in a data breach notice, a stolen credential was the leading attack vector. Seventy-four (74) percent of the breached organizations did not list an attack vector in a breach notice.
Consumers and victims can receive free support and guidance from a knowledgeable live advisor by calling or texting 888.400.5530 or visiting the ITRC's website, idtheftcenter.org, to live chat.
About the Identity Theft Resource Center
Founded in 1999, the Identity Theft Resource Center® (ITRC) is a national nonprofit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live chat, idtheftcenter.org, and toll-free phone number 888.400.5530. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool. The ITRC offers help to specific populations, including the deaf/hard of hearing and blind/low vision communities.
Media Contact
Identity Theft Resource Center
Alex Achten
Sr. Director of Communications & Media Relations
888.400.5530 Ext. 3611
[email protected]
SOURCE Identity Theft Resource Center
