In Massachusetts, companies are legally required to report data breaches affecting residents' private data to the Office of Consumer Affairs and Business Regulation (OCABR). The data on this page summarizes those reports. The data begins in 2007, when the law went into effect.
In addition to the summary table, you can download reports for each year in which data is broken out by company and what kind of data was affected.
If you're interested in the details of a particular data breach notification, you can request a copy of the notification via a public records request.
| Year | # of Breach Notifications | # of MA Residents Affected |
|---|---|---|
| 2007 (Nov-Dec) | 32 | 17,503 |
| 2008 | 428 | 692,736 |
| 2009 | 441 | 357,900 |
| 2010 | 474 | 1,018,497 |
| 2011 | 624 | 1,167,160 |
| 2012 | 1,130 | 325,867 |
| 2013 | 1,947 | 1,193,970 |
| 2014 | 1,659 | 360,793 |
| 2015 | 1,837 | 1,345,430 |
| 2016 | 2,002 | 195,052 |
| 2017 | 1,889 | 3,377,646 |
| 2018 | 1,835 | 442,941 |
| 2019 | 1,909 | 609,006 |
| 2020 | 2,188 | 1,087,591 |
| 2021 | 2,488 | 1,861,422 |
Disclosure: The number of residents affected may go up as companies determine the total number of impacted residents.
You may also submit a public record request for data breach notifications to the Office of the Attorney General.