Major data breaches exposed millions last year

The number of notices sent to people whose data was exposed or stolen in a data breach, leak or exposure quadrupled in 2024, according to data from the Identity Theft Resource Center released today.

Why it matters: Most of these exposures came from incidents at a small number of companies that started from basic cybersecurity issues, such as not turning on multifactor authentication or misconfiguring a third-party vendor's tool.

By the numbers: More than 1.7 billion notices were sent to people in 2024 that their data had been exposed in an incident, according to the report.

• Yet the total number of data compromises remained about flat year over year, with the center tracking 3,158 incidents last year.
• "It's impossible to know how many individuals are actually represented in that billion-plus notice count — but back-of-the-envelope math tells us that's an average of six alerts for every adult in the country," James E. Lee, the center's president, writes in the report.

Zoom in: Breaches at Ticketmaster, Advance Auto Parts and UnitedHealth's Change Healthcare impacted the most people, according to the report.

• 560 million people had their data stolen from the Ticketmaster breach alone, which was part of a run of incidents where hackers exploited Snowflake customers who didn't have multifactor authentication turned on.
• A ransomware attack on Change Healthcare, which affected 190 million people, started after hackers found one server that also didn't have multifactor authentication.

The bottom line: Hackers still don't have to do much to make off with a plethora of sensitive U.S. data.