So far in 2021, 6.3 million notices of data breaches have been sent to Washingtonians — by far the largest number since Attorney General Bob Ferguson’s office began tracking this.

The number of data breaches reported to Ferguson’s office also skyrocketed to 280, blowing past the previous record of 78 and last year’s total of 60, according to the report.

The previous record for breach notices was set in 2018, with 3.5 million notices sent, the report says.

The report also identifies a tremendous spike in cyberattacks and a growing threat from ransomware incidents, a type of cyberattack that uses malicious code to hold data hostage in hopes of receiving a ransom payment. More than 150 ransomware incidents were recorded in 2021 — more than the previous five years combined, according to the report.

What to do

If you are hit by a data breach or ID theft :

While there is no foolproof way to ensure that your information is safe, there are some steps you can take to protect yourself from identity theft.

Call the companies where the fraud may have occurred.

Work with one of the credit bureaus (Experian, TransUnion and Equifax) to check your credit report for suspicious activity and to place a fraud alert or credit freeze on your credit report.

Report the identity theft to the FTC at

File a report with your local police department.

Send a copy of the police report to the three major credit bureaus.

Ask businesses to provide you with information about transactions made in your name. A template for a letter you can complete and send to businesses to request records is available on the Attorney General’s Office website at:

If you receive a breach notification or believe that you may be a victim of identity theft, please visit the Washington Attorney General’s website at for help.


“We publish this report because Washingtonians are best able to safeguard their data when they are aware of the threats — and the threats have never been greater,” Ferguson said.


The Attorney General’s Office said it receives no funding to publish the report but does it as a public service to provide Washingtonians with critical information to help them safeguard their data.

The report includes recommendations to policymakers, including expanding the definition of personal information to include individual tax identification numbers as well as the last four digits of a Social Security number.

According to the report, the COVID-19 pandemic exacerbated the threat because Washingtonians are increasingly relying on digital and online services that collect user data to conduct business, go to school, find entertainment and communicate with friends and family.

This increase in online activity may create more opportunities for cybercriminals to steal personal information, and it underlines the importance of Washington’s data breach notification laws.

Ferguson’s office said his yearslong push to require companies to report data breaches and to hold them accountable led to a 2019 investigation of a data breach at Premera Blue Cross and resulted in the company paying $10 million.

Also that year, his office announced that Equifax would pay more than half-a-billion dollars because of a 2017 data breach affecting nearly 150 million people nationwide.


Since 2014, Ferguson’s office has required several corporations with large data breaches that impacted Washingtonians’ privacy PremeraEquifaxUber and Target Corporation — to enter into legally enforceable agreements to improve their data security.

The public can access the attorney general’s database of breaches here.