Identity Theft Resource Center’s 2024 Annual Data Breach Report Reveals Near-Record Number of Compromises and Victim Notices

Date: 01/28/2025

Home Help Center Identity Theft Resource Center’s 2024 Annual Data Breach Report Reveals Near-Record Number of Compromises and Victim Notices

Five mega-breaches accounted for 83 percent of victim notices; four of the largest breaches were preventable

SAN DIEGO, January 28, 2025 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime, will release its 2024 Annual Data Breach Report, its 19^th edition, at the Identity, Authentication and the Road Ahead Cybersecurity Policy Forum hosted by the Better Identity Coalition, the FIDO Alliance and the ITRC.

According to the 2024 Annual Data Breach Report, the number of U.S. data compromises in 2024 (3,158) decreased one (1) percent compared to 2023 (3,202), 44 events away from tying a record for the number of compromises tracked in a year.

Download the ITRC’s 2024 Annual Data Breach Report

The number of data breach notices issued in the past year (1,350,835,988) increased 211 percent from 2023 (419,337,446). The increase was primarily due to five “mega-breaches” that resulted in at least 100 million breach notices being issued in each event. Mega-breach victim notices totaled more than one (1) billion of the more than 1.3 billion victim notices issued in 2024. If the five mega-breaches are excluded, the ~224 million other victim notices issued in 2024 decreased by 47 percent compared to 2023.

According to the 2024 Annual Data Breach Report, approximately 70 percent of cyberattack-related breach notices did not include attack information, compared to 58 percent in 2023. In 2019 and previous years, ~100 percent of breach notices included attack vector information.

In 2024, the Financial Services industry, led by Commercial Banks and Insurance, was the most breached industry, followed by Healthcare (the most attacked industry each year from 2018 until 2024), Professional Services, Manufacturing and Technology.

“Our 2024 Annual Data Breach Report reveals troubling trends,” said Eva Velasquez, CEO of the Identity Theft Resource Center. “With a near-record number of compromises and over 1.3 billion victim notices, often tied to inadequate cyber practices, we are also seeing an increase in notices that provide limited actionable information for victims.”

“On a positive note, 40 percent of states have enacted comprehensive privacy laws to better protect consumers,” noted Velasquez. “Innovative technologies like passkeys offer promising solutions to prevent breaches caused by stolen and compromised passwords, which accounted for four of the five mega-breaches.”

Trends Highlighted in the 2024 Annual Data Breach Report Include:

Better cyber practices and requirements could have prevented at least 196 compromises and more than 860 million victim notices. Attacks using stolen credentials against Ticketmaster, AT&T, Change Healthcare and other organizations could have been blocked with the addition of multi-factor authentication (MFA) or passkeys.
State and Federal disclosure requirements are having no significant impact on data breaches. New Securities and Exchange Commission breach disclosure rules resulted in a 60 percent increase in disclosures in 2024. However, less than ten (10) percent of the notices included details of the event.
There were fewer Zero Day and Supply Chain attacks. However, they had more significant impacts. Supply Chain attacks directly impacted 134 organizations and indirectly impacted 657 entities, resulting in 203 million victim notices. At least 190 million notices were related to the Change Healthcare breach.

Other Findings in the 2024 Annual Data Breach Report Include:

Publicly traded companies represented only seven (7) percent (221 companies) of all compromised organizations. However, they issued 72 percent of victim notices in 2024.
Of the 133 cyberattacks against publicly traded companies resulting in a data breach notice, a stolen credential was the leading attack vector. Seventy-four (74) percent of the breach organizations did not list an attack vector in a breach notice.

Consumers and victims can receive free support and guidance from a knowledgeable live advisor by calling or texting 888.400.5530 or visiting the ITRC’s website, idtheftcenter.org, to live chat.

About the Identity Theft Resource Center

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a national nonprofit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live chat, idtheftcenter.org, and toll-free phone number 888.400.5530. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool. The ITRC offers help to specific populations, including the deaf/hard of hearing and blind/low vision communities. 

Media Contact        

Identity Theft Resource Center        
Alex Achten        
Sr. Director of Communications & Media Relations        
888.400.5530 Ext. 3611        
[email protected]

This news release was published on 1/28/25 and was updated on 2/4/25

How much information are you putting out there? It’s probably too much. To help you stop sharing Too Much Information, sign up for the In the Loop.

Prevent Identity Theft

Recover My Identity

Protect My Business

Breach Alert

Additional Support