Introduction

In 2024 [1] [2] [3] [4] [5] [6] [7] [8], the Identity Theft Resource Center (ITRC) reported a slight decrease in data compromise incidents in the United States compared to the previous year. Despite this reduction, the number of breaches remains high, with a notable increase from 2021. The report highlights the prevalence of mega breaches and the critical need for improved cybersecurity practices to mitigate such incidents.

Description

In 2024 [1] [2] [3] [4] [5] [6] [7] [8], the Identity Theft Resource Center (ITRC) tracked 3,158 data compromise incidents in the United States [2], reflecting a slight 1% decrease from the previous year’s record of 3,202 breaches [8]. This figure is just 44 incidents short of the all-time high recorded in 2023 and marks a significant 70% increase from 2021, with over 1.7 billion notifications sent to potentially affected individuals [7]. Notably, six major data breaches accounted for a substantial portion of these notifications, with at least 100 million notices issued following each of these mega breaches [8], collectively impacting over 1.4 billion individuals. The largest incidents included breaches at Ticketmaster (560 million records) [6], Advance Auto Parts (380 million) [6] [8], Change Healthcare (190 million) [8], DemandScience (121.7 million) [6], and AT&T (110 million) [6] [8].

A significant portion of these breaches, 85% [6], originated from large-scale incidents involving over 100 million records [6], which accounted for more than 1.4 billion of the total notifications [1] [5]. Excluding the mega breaches [4] [6], approximately 266 million other victim notifications were issued [1], reflecting a 36% decrease compared to 2023 [1]. The financial services sector experienced the highest number of compromises at 737 [6], surpassing the healthcare industry [6], which had 536 compromises [6]. Other affected sectors included professional services (345), manufacturing (317) [8], and technology (162) [8].

Cyber-attacks were responsible for 80% of the compromises and 93% of breach notifications [4] [6], while the remaining incidents were attributed to system and human error [4], supply chain attacks [4] [6], and physical attacks [4] [6]. Notably, 70% of breach notices in 2024 did not specify the nature of the attack [8], an increase from 58% in 2023 [8]. This marks the fifth consecutive year of rising notices lacking attack information [8], highlighting inconsistencies in data-breach disclosure requirements across federal and state regulations [8], which contribute to significant underreporting. The rise in data breaches is partly attributed to the fact that stolen personal information can facilitate further attacks on other organizations [7].

The CEO of the Identity Theft Resource Center emphasized that the high number of compromises and victim notifications is often linked to insufficient cybersecurity practices [5]. Many of the mega breaches were associated with stolen and compromised passwords [6], underscoring the potential for prevention through multi-factor authentication (MFA) [6]. Change Healthcare [6] [7] [8], a subsidiary of UnitedHealth [7], acknowledged during a congressional hearing in May 2024 that four of the significant breaches could have been prevented through the implementation of MFA. Improved cybersecurity measures could potentially have prevented at least 196 breaches and over 1.2 billion victim notifications [5] [6], highlighting the need for enhanced cyber hygiene and actionable information for victims. On average, nine data breaches are reported daily in the United States [8], compared to 335 in the European Union [8], which mandates data-breach notifications [8]. Despite the increasing number of breaches [7], many companies face minimal consequences [7], as only about 7% of breaches involve publicly traded companies [7], which are subject to stricter penalties [7]. Currently, there is no national law mandating actions for organizations that experience data compromises [7], underscoring a lack of uniform privacy standards [7].

Conclusion

The persistently high number of data breaches in the United States underscores the urgent need for enhanced cybersecurity measures and regulatory reforms. Implementing multi-factor authentication and improving cyber hygiene could significantly reduce the number of incidents and victim notifications. As data breaches continue to rise, establishing uniform privacy standards and stricter penalties for non-compliance will be crucial in mitigating future risks and protecting individuals’ personal information.

References

[1] https://ediscoverytoday.com/2025/01/28/near-record-number-of-compromises-reports-itrc-cybersecurity-trends/
[2] https://cybermaterial.com/us-sees-nearly-record-data-breaches-in-2024/
[3] https://wgme.com/news/i-team/data-breaches-continued-to-surge-in-2024-new-report-shows
[4] https://ciso2ciso.com/mega-data-breaches-push-us-victim-count-to-1-7-billion-source-www-infosecurity-magazine-com/
[5] https://finance.yahoo.com/news/identity-theft-centers-2024-annual-124800400.html
[6] https://www.infosecurity-magazine.com/news/mega-data-breaches-us-victim-17/
[7] https://www.yahoo.com/news/why-companies-aren-t-held-191045978.html
[8] https://www.digitaltransactions.net/how-mega-data-breaches-dominated-in-2024/