Research and Statistics

Data breaches dropped in 2018, but more personal information was exposed


The number of data breaches dropped 24 percent in 2018, but the number of sensitive records involved in those breaches more than doubled, for a whopping 126 percent increase.

The editorial content below is based solely on the objective assessment of our writers and is not driven by advertising dollars. However, we may receive compensation when you click on links to products from our partners. Learn more about our advertising policy.

The content on this page is accurate as of the posting date; however, some of the offers mentioned may have expired. Please see the bank’s website for the most current version of card offers; and please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

In 2017, the number of U.S. data breaches rose to an all-time high of more than 1,600 incidents. So 2018’s count of almost a quarter fewer breaches would seem to be good news.

But where the latest reading turns ominous is in the count of exposed consumer records containing sensitive personal information. While the tally of breaches dropped 24 percent in 2018, the number of sensitive records involved in those breaches more than doubled, for a whopping 126 percent increase.

The data come from the nonprofit Identity Theft Resource Center, which publishes its “End-of-Year Data Breach Report” every January.

See related: Marriott data breach exposes 500 million guests’ information

In 2017, 1,632 breaches compromised 197.6 million consumer records with sensitive personal information, for an average of about 121,000 records per breach. Compare that with 2018’s wildly more prolific breaches, in which just 1,244 incidents exposed 446.5 million sensitive records.

That drives the new average up to almost 359,000 records per breach.

The ITRC also found an additional 1.68 billion non-sensitive records were exposed in 2018. While email-related credentials are not classified as sensitive personally identifiable information, many consumers re-use the same username, email and password combinations, so exposures even of this less sensitive data still pose a serious vulnerability threat.

The ITRC has been tracking publicly reported data breaches and the number of exposed records containing personally identifiable information since 2005, confirming the data by the breached entities themselves, various media sources and notification lists from government agencies. Its 2018 year-end report was released Jan. 28.


What’s up next?

In Research and Statistics

1099-C surprise: Canceled debt often taxable as income

Many consumers aren’t aware that forgiven credit card debt may be taxable income, and it shows up on an IRS 1099-C form

Published: February 4, 2019

See more stories
Credit Card Rate Report Updated: July 10th, 2019
Cash Back

Questions or comments?

Contact us

Editorial corrections policies

Learn more

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

The editorial content on is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company’s business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.