On January 28, 2025, the Identity Theft Resource Center (ITRC) unveiled its 2024 Annual Data Breach Report at the Identity, Authentication, and the Road Ahead Cybersecurity Policy Forum, a collaboration hosted by the Better Identity Coalition and the FIDO Alliance.
According to the report, the U.S. experienced 3,158 data compromises in 2024, a slight 1 percent dip from the previous year’s count of 3,202. However, this figure places 2024 just 44 incidents shy of the all-time record for data breaches recorded in a single year.
One of the most alarming takeaways from the report is the staggering increase in breach notifications, which soared to 1,350,835,988 in 2024. This marks a dramatic 211 percent rise from 2023’s 419,337,446 notifications. The surge can largely be attributed to five significant “mega-breaches,” which collectively accounted for at least 100 million notifications each, resulting in more than 1 billion notifications from these events alone. Notably, when these mega-breaches are excluded from the statistics, the remaining victim notifications for 2024 dropped to approximately 224 million, reflecting a decline of 47 percent compared to the previous year.
By the Numbers
By the Numbers
By the Numbers
“Our 2024 Annual Data Breach Report reveals troubling trends,” said Eva Velasquez, CEO of the Identity Theft Resource Center. “With a near-record number of compromises and over 1.3 billion victim notices, often tied to inadequate cyber practices, we are also seeing an increase in notices that provide limited actionable information for victims.”
Career Journey
Career Journey
The report further indicated that about 70 percent of cyberattack-related breach notices failed to disclose specifics about the attacks themselves, a significant increase from 58 percent in 2023. This lack of transparency stands in stark contrast to earlier years, when nearly all breach notices contained attack vector information.
In terms of which sectors were most affected, the Financial Services industry, led by Commercial Banks and Insurance, emerged as the primary target of cybercriminals. The Healthcare sector, which had previously been the most attacked every year from 2018 to 2023, now ranks second, followed by Professional Services, Manufacturing, and Technology sectors.
Encouragingly, Velasquez highlighted some positive developments: “On a positive note, 40 percent of states have enacted comprehensive privacy laws to better protect consumers,” she noted. “Innovative technologies like passkeys offer promising solutions to prevent breaches caused by stolen and compromised passwords, which accounted for four of the five mega-breaches.”
The report identified that improved cybersecurity practices could have prevented at least 196 compromises and more than 860 million victim notifications. High-profile attacks involving stolen credentials against companies such as Ticketmaster, AT&T, and Change Healthcare could potentially have been mitigated through implementing multi-factor authentication (MFA) or passkey systems.
As for regulatory measures, the ITRC noted that neither state nor federal disclosure requirements appear to be making a significant dent in the rate of data breaches. Although new Securities and Exchange Commission breach disclosure rules were implemented, their efficacy remains in question.
“Although changes in laws are encouraging, we must see practical changes in how organizations prevent breaches and report incidents. Breaches that remain largely undisclosed only exacerbate consumer vulnerabilities,” Velasquez emphasized.
The 2024 Annual Data Breach Report paints a stark picture of the current cybersecurity landscape, with an urgent need for more robust preventive measures. As companies navigate the ever-evolving digital landscape, awareness of vulnerabilities and increased transparency in breach reporting will be crucial in protecting consumers from identity crimes.
