A decade's worth of data breach records paints a bleak picture, with billions of records exposed in this type of incident and financial damages of more than $1.6 trillion.

Data collected from public sources reveal that since 2008 there have been close to 9,700 breach events in the U.S., involving more than 10.7 billion records, with an average cost calculated in 2018 at $148 per record.

Open-source info outlines sad situation

The information relies only on details made public by state-based sources and in media reports. The figures are likely conservative as data breach disclosure laws differ from one state to another; in some cases, even notifying the individuals whose data was exposed is not a requirement.

"Disclosure of a breach of security to a customer shall not be required under this section if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years." - New Jersey security breach disclosure act.

The details were compiled by researchers at Comparitech, who broke them down by state to determine the regions most affected by data breach incidents. The data includes a tally of both the events and the records exposed.

According to the report, California is the state with the most publicly documented breaches, and also one where consumer privacy is taken seriously. 1,493 incidents affected 5.59 billion personal records.

It is worth noting that the state law requires that a sample copy of a breach notice be submitted to the Attorney General if more than 500 California residents are affected.

Taking second place is the state of New York. Comparitech found 729 data breach incidents that were publicly documented over the past decade. The records exposed this way amounted to 293 million.

Close behind is Texas, with 661 events and 288 million records exposed. Most of the personal information came from a 2011 incident involving unauthorized access to up to 250 million email addresses and names managed by marketing company Epsilon. The firm acknowledged the intrusion.

As one may observe, there isn't always a balance between the records exposed and the number of breaches. Data Comparitech collected for Oregon shows that the state suffered at least 157 data security incidents that exposed 1.37 billion records.

Most of the email info came from a faulty backup event in 2017 impacting a fake marketing company called River City Media (RVC). Researchers at MacKeeper said at the time that RVC was a spam factory "responsible for up to a billion daily email sends."

As we mentioned before, the figures presented in Comparitech's report are only a minimum. The researchers agree that the real numbers are higher as some breach reports do not disclose the number of records exposed; furthermore, the information "might be unknown or below the threshold imposed by the state," or new details may emerge at a later date.

For instance, it was revealed this week that a phishing attack in January at the Department of Human Services (DHS) in Oregon impacted data belonging to 645,000 individuals. Although the attack was reported in March, the complete number of people impacted could only be roughly estimated at that time.

Comparitech has made available an online document with a complete list of the publicly reported data breaches it found for each state.