Public sector data breaches exposed some 28 million identities in 2015, but hackers were responsible for only one-third of those compromises, according to new research.

Instead, negligence was behind nearly two-thirds of the exposed identities through government agencies, the Symantec 2016 Internet Security Threat Report concluded.

In total, the report suggests 21 million identities were compromised accidentally, compared to 6 million by hackers. In other words, officials at the local, state and federal government levels were sometimes the public’s own worst enemy when it came to data breaches in 2015.

But they were hardly alone in the worst year yet for global data breaches.

According to Symantec, more than half a billion personal records were stolen, lost or compromised in 2015, including 191 million records from a single incident: a U.S. voter database that mysteriously appeared online late in the year. As with many high-profile data breaches, the fallout may take years to assess.

In all, the report called 2015 a “record-breaking year” for zero-day vulnerabilities, with some 54 of the flaws -- used to describe never-before-seen vulnerabilities -- being discovered. That's a 125 percent increase over 2014’s total. In addition, 430 million new malware variants were discovered in 2015 alone, according to the report.

“Cybercrime is more than ever a growing and lucrative business with its own market dynamics, its large and small professionals, and its infrastructures and marketplaces,” the report states. “Just as in legitimate markets, the evolution of attack tactics shows a trend toward higher returns. Cybercriminals continuously strive to achieve greater profits at lesser cost or effort, and they are very agile to exploit whatever the evolution of technology may bring.”

Driven by the growing potential to profit, criminals are mimicking nation-state attackers, according to Kevin Haley, director of Symantec’s security response.

“Advanced criminal attack groups now echo the skill sets of nation-state attackers,” Haley said in a statement. “They have extensive resources and a highly skilled technical staff that operate with such efficiency that they maintain normal business hours and even take the weekends and holidays off. We are even seeing low-level criminal attackers create call center operations to increase the impact of their scams.”

Expect the threat landscape to get worse before it gets better in both the private and public sectors.

The connectivity inherent in the Internet of Things and “low awareness and poor (cyber) hygiene of many individuals and organizations” will combine to “create a fertile ground for this trend to continue and intensify,” the report states.