Every year, the Identity Theft Resource Center (ITRC) publishes its Data Breach Report, and every year, the numbers seem to tell a familiar story: breaches are still rampant, personal data is still getting exposed, and security measures aren’t keeping up.
The statistics and trends revealed in the ITRC’s 2024 Data Breach Report help us understand where we are, where things are headed, and, most importantly, what we can do about it.
If you don’t have time to read through the 39-page report, don’t worry: we did it for you. Here’s what you need to know.
If there’s one number you take away from the report, it’s 3,158.
3,158 data compromises were recorded in 2024, just 44 short of the all-time high set in 2023. While the total number of breaches did not increase, the number of victim notices skyrocketed by 312%—meaning the scale of each breach is growing.
In fact, six “mega-breaches” accounted for 85% of all victim notices in 2024.
Ticketmaster – 560 million victim notices
Advance Auto Parts – 380 million victim notices
Change Healthcare – 190 million victim notices
DemandScience – 121 million victim notices
AT&T – 110 million victim notices
Although these massive incidents were the stars of the show last year, the reality is that thousands of smaller breaches are happening constantly, many of which go unnoticed by the public.
70% of cyberattack-related breach notices in 2024 failed to disclose how the attack happened—a significant jump from 58% in 2023. This lack of transparency makes it more difficult for other companies to learn and strengthen defenses.
For the first time since 2018, the Financial Services sector suffered more breaches than Healthcare. Although this could indicate improvements in healthcare security, it is more likely that there’s been a shift in attacker focus. Banks, insurance providers, and payment processors hold valuable data and may be more vulnerable than the healthcare sector, which has endured innumerable attacks in past years.
Four of the six biggest breaches in 2024 were caused by stolen credentials—something that could have been prevented through Multi-Factor Authentication (MFA) and passkeys. According to the report, 94% of all devices now support passkeys, but adoption is slow, and companies continue to rely on passwords that attackers can steal or guess.
While no breaches were officially attributed to AI-powered attacks, it’s clear that AI is being used to enhance phishing, automate attacks, and find vulnerabilities faster than ever. At the same time, AI-powered security tools are improving at detecting threats, creating an ongoing arms race between attackers and defenders.
For a more complete picture, here’s a table showing compromises and victim notices year-over-year:
| Year | Total Breaches | Victim Notices (Rounded) |
|------|----------------|--------------------------|
| 2019 | 1,278 | 883M |
| 2020 | 1,107 | 303M |
| 2021 | 1,859 | 351M |
| 2022 | 1,798 | 425M |
| 2023 | 3,202 | 419M |
| 2024 | 3,158 | 1.7B |
While the number of breaches has leveled off, the impact of each breach has grown dramatically, largely due to the rise of mega-breaches.
The 2024 ITRC report confirms what security professionals already know: breaches aren’t going away anytime soon. But that doesn’t mean we’re powerless. Here’s what needs to happen:
✅ Adopt Multi-Factor Authentication (MFA) and Passkeys – Most major breaches this year could have been prevented if companies enforced MFA and passkey authentication. If your organization still allows simple passwords, you’re leaving the door open for attackers.
✅ Increase Transparency Around Breach Causes – Companies should stop hiding attack details in breach notices. The more we know, the better we can defend.
✅ Embrace AI for Security Before Hackers Do – AI-powered attacks are coming, whether we like it or not. Organizations that invest in AI-driven security tools now will have a fighting chance against the next generation of cyber threats.
✅ Strengthen Access Control with Zero Trust – Attackers don’t break in—they log in. Organizations must implement Zero Trust principles to continuously verify users and limit access.
✅ Move Beyond VPNs for Secure Access – Many organizations still rely on outdated VPNs, which create broad access risks. A modern, policy-based access approach is necessary to limit exposure and reduce attack surfaces.
2024’s breach trends reinforce the importance of Zero Trust security models—where access is continuously verified and tightly restricted based on identity, context, and policy.
Pomerium provides exactly that: a secure, identity-aware access solution that ensures users get access to only what they need—when they need it—without exposing systems to broad, unnecessary risk.
The one major takeaway from the 2024 ITRC Data Breach Report is that we don’t have a breach problem—we have an access problem. The best way to protect sensitive data is to control how it’s accessed in the first place.
The question isn’t whether or not your company will be targeted—it’s whether your security measures will be strong enough to stop the attack before it becomes another statistic.