Data breaches are common in headlines these days, but they are not equally spread out in terms of location. Data breaches occur far more often in some US states than others, and the number of records lost or stolen varies as well.
Puerto Rico is not included in this map.
Comparitech analyzed the number of data breaches from 2005 to present to find out which US states suffer the most. We looked at both the number of data breaches and the number of records exposed.
Here are our key findings:
- California suffered the most data breaches and also had the most records exposed: 1,777 breaches since 2005, affecting nearly 5.6 billion records in total.
- That’s over twice as many breaches as the runner up, New York (863), which is followed by Texas (819), Florida (638), and Illinois (533).
- North Dakota, South Dakota, Wyoming, West Virginia, and Puerto Rico suffered the fewest data breaches, each of them having had 33 or under over the entire fourteen-and-a-half years.
- Since 2005, 12,098 data breaches occurred across the US involving more than 11.1 billion records.
- The current cost of each lost or stolen record is $150 on average (according to an IBM study), which amounts to more than $1.66 trillion lost since 2005.
- 2017 set a record for the most US data breaches: 1,683 in total.
- 2016 takes the top spot for number of records exposed: 4.6 billion.
The number of breaches is not always proportionate to the number of records exposed. In many cases, a single severe data breach accounts for the vast majority of records exposed in a state over the last decade.
Although we attribute breaches to the states where they occurred, the breached records often impact people in several or all US states.
Puerto Rico is not included in this map.
US States with the most data breaches
These are the US states that have suffered the highest number of data breaches and the highest number of records breached since 2005:
California
# of breaches: 1,777
# of records exposed: 5.6 billion
It’s perhaps no surprise that California, a huge state and home to more tech and internet companies than any other, suffers the most breaches. California simply has a lot of data to breach. That being said it does take consumer privacy in other ways very seriously.
If a data breach occurs in the US, there’s a very high chance that the breached company is based in California. If not, then it could well have happened in a company incorporated in our next state…
New York
# of breaches: 863
# of records exposed: 296 million
Similar to California, New York is home to a huge number of companies with big, valuable databases. The total number of records exposed, however, isn’t as high as for some states with a fraction of the number of breaches.
Texas
# of breaches: 819
# of records exposed: 295 million
Texas is the second-biggest state in the US by both area and population, and that comes with a large number of companies and their valuable data.
The majority of records exposed through data breaches in Texas came out of the Epsilon breach in 2011. The email marketing firm leaked 50 million to 250 million email addresses and names. It worked with several big-name US retailers and financial companies like Kroger, Walgreens, Marriott Rewards, Capital One, and Citibank.
Oregon
# of breaches: 182
# of records exposed: 1.38 billion
While Oregon has a relatively low number of data breaches compared to the states mentioned above, it does have the second-highest number of records affected. The vast majority of the 1.37 billion records leaked came from one source: River City Media. The company’s breach in 2017 exposed 1.34 billion email accounts, representing one of the largest data breaches of all time. River City Media collected information on millions of individuals without their consent as part of its spam operation, and then failed to protect that data. That information included email accounts, full names, IP addresses, and physical addresses.
Maryland
# of breaches: 285
# of records exposed: 388 million
Bethesda, Maryland is home to Marriott International, which in 2018 suffered one of the largest data breaches in history. Of the total 388 million records exposed in the state over the last 10 years, the Marriott breach accounts for 383 million of them.
Florida
# of breaches: 638
# of records exposed: 356 million
Marketing Firm Exactis is responsible for the bulk of Florida’s exposed records. The company’s 2018 data breach of 340 million records included names, phone numbers, addresses, email addresses, interests, habits, ages, and genders of the majority of Americans. Much of that data was collected and held by Exactis without the victims’ knowledge.
Georgia
# of breaches: 365
# of records exposed: 355 million
Georgia is home to what is possibly the most infamous data breach in history: Equifax. In May 2017, the Atlanta-based credit bureau announced a data breach involving 145.5 million Americans’ names, Social Security numbers, birth dates, addresses, and more. That doesn’t even include the non-Americans involved. Despite the breach having occurred more than two years ago, the data has yet to surface, leading some to believe it was a nation-state attack.
State | Total # of Data Breaches | Total # of Records Affected |
---|---|---|
Alabama | 127 | 5,759,952 |
Alaska | 42 | 2,255,560 |
Arizona | 181 | 10,905,610 |
Arkansas | 74 | 1,568,464 |
California | 1,777 | 5,604,164,335 |
Colorado | 244 | 7,372,814 |
Connecticut | 191 | 7,511,586 |
Delaware | 50 | 636,171 |
District of Columbia | 189 | 148,382,228 |
Florida | 638 | 355,660,019 |
Georgia | 365 | 355,331,875 |
Hawaii | 33 | 682,982 |
Idaho | 50 | 1,286,990 |
Illinois | 533 | 21,582,351 |
Indiana | 269 | 110,351,941 |
Iowa | 114 | 2,484,067 |
Kansas | 81 | 6,387,245 |
Kentucky | 136 | 3,623,799 |
Louisiana | 83 | 749,802 |
Maine | 69 | 4,378,565 |
Maryland | 285 | 388,461,514 |
Massachusetts | 431 | 7,302,719 |
Michigan | 226 | 10,851,171 |
Minnesota | 246 | 45,470,352 |
Mississippi | 41 | 370,565 |
Missouri | 202 | 4,589,556 |
Montana | 72 | 1,637,832 |
Nebraska | 65 | 1,507,583 |
Nevada | 92 | 25,752,176 |
New Hampshire | 104 | 598,140 |
New Jersey | 269 | 150,028,157 |
New Mexico | 68 | 519,795 |
New York | 863 | 295,801,833 |
North Carolina | 290 | 27,406,656 |
North Dakota | 19 | 440,698 |
Ohio | 361 | 6,278,403 |
Oklahoma | 75 | 7,347,113 |
Oregon | 182 | 1,380,348,717 |
Pennsylvania | 438 | 17,614,927 |
Puerto Rico | 33 | 1,685,456 |
Rhode Island | 67 | 206,955 |
South Carolina | 102 | 7,656,310 |
South Dakota | 21 | 45,179 |
Tennessee | 223 | 9,612,731 |
Texas | 819 | 294,847,285 |
Utah | 117 | 4,546,054 |
Vermont | 82 | 245,441 |
Virginia | 359 | 311,628,882 |
Washington | 299 | 81,289,253 |
West Virginia | 30 | 108,432 |
Wisconsin | 163 | 8,173,146 |
Wyoming | 22 | 103,063 |
US | 186 | 1,358,221,906 |
Methodology
Privacy Rights Clearinghouse and Identity Theft Resource Center collate information for data breaches across the US. We used these as our primary sources, while double-checking the information and removing any duplicates.
Where possible, the figures for the breaches have been assigned to the state where records were exposed. However, in some cases, the figures will be allocated to the state in which the company involved operates its headquarters; this is due to several states often being affected and a breakdown of figures per state being unavailable.
If the data breach was US-wide, it falls under “US” as it cannot be pinpointed to a state.
Even when we know where data breaches occur, the people whose data was exposed could be from anywhere.
In some instances, the breach occurred in a prior year but wasn’t brought to the attention of the authorities until much later.
Not every breach report lists the number of records exposed. It might be unknown or below the threshold imposed by the state.
The cost of a record for all of the years up to 2018 is set according to the annual Cost of a Data Breach study dating back to 2014 – $148. There was no clear trend in cost per record between 2014 and 2018, so we used the 2014 report’s figure for years prior. For 2019/20 figures, we used IBM’s updated Cost of a Data Breach study which put the cost per record at $150.
Our data:
Data breaches by US state figures can be found in this spreadsheet.
Sources:
- https://www.idtheftcenter.org/data-breaches/
- https://www.privacyrights.org/data-breaches
- https://oag.ca.gov/privacy/databreach/list?field_sb24_org_name_value=&field_sb24_breach_date_value%5Bmin%5D&field_sb24_breach_date_value%5Bmax%5D&order=created&sort=asc
- https://attorneygeneral.delaware.gov/fraud/cpu/securitybreachnotification/database/
- https://cca.hawaii.gov/
- https://www.in.gov/attorneygeneral/2874.htm
- https://www.iowaattorneygeneral.gov/for-consumers/security-breach-notifications/
- https://www.maine.gov/ag/consumer/identity_theft/index.shtml
- http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx
- https://www.mass.gov/lists/data-breach-notification-reports
- https://www.doj.nh.gov/consumer/security-breaches/a.htm
- https://dojmt.gov/consumer/data-breaches-businesses/
- https://www.cyber.nj.gov/data-breach-alerts
- https://iapp.org/media/pdf/resource_center/North_Carolina_State_Data_Breaches.pdf
- https://iapp.org/media/pdf/resource_center/North_Dakota_Data_Breaches_2018.pdf
- https://justice.oregon.gov/consumer/DataBreach/
- http://consumer.sc.gov/identity-theft-unit/security-breaches
- https://ago.vermont.gov/data-security-breaches/
- https://iapp.org/media/pdf/resource_center/Virginia_Data_Breaches_2018.pdf
- https://www.atg.wa.gov/data-breach-notifications
- https://datcp.wi.gov/Pages/Programs_Services/DataBreaches.aspx