The number of data breaches reported to Ferguson's office also skyrocketed to 280, blowing past the previous record of 78 and last year's total of 60, according to the report.
The previous record for breach notices was set in 2018, with 3.5 million notices sent, the report says.
The report also identifies a tremendous spike in cyber attacks and a growing threat from ransomware incidents, a type of cyber attack that uses malicious code to hold data hostage in hopes of receiving a ransom payment. More than 150 ransomware incidents were recorded in 2021 — more than the previous five years combined, according to the report.
"We publish this report because Washingtonians are best able to safeguard their data when they are aware of the threats — and the threats have never been greater," Ferguson said.
The Attorney General's Office said it receives no funding to publish the report but does it as a public service to provide Washingtonians with critical information to help them safeguard their data.
The report includes recommendations to policymakers, including expanding the definition of personal information to include individual tax identification numbers as well as the last four digits of a Social Security number.
According to the report, the COVID-19 pandemic exacerbated the threat because Washingtonians are increasingly relying on digital and online services that collect user data to conduct business, go to school, find entertainment and communicate with friends and family.
This increase in online activity may create more opportunities for cyber criminals to steal personal information, and it underlines the importance of Washington's data breach notification laws.
Ferguson's office said his yearslong push to require companies to report data breaches and to hold them accountable led to a 2019 investigation of a data breach at Premera Blue Cross and resulted in the company paying $10 million.
Also that year, his office announced that Equifax would pay more than half-a-billion dollars because of a 2017 data breach affecting nearly 150 million people nationwide.
Since 2014, Ferguson's office has required several corporations with large data breaches that impacted Washingtonians' privacy — Premera, Equifax, Uber and Target Corporation — to enter into legally enforceable agreements to improve their data security.
©2021 The Seattle Times, Distributed by Tribune Content Agency, LLC.
