    California Cybersecurity Breach Report 2025: $2.5B Losses, 96K Complaints

    Jeff Sowell | May 24, 2026
    A factual analysis of cybercrime losses, healthcare breaches, technology-sector incidents, and the California regulatory environment.

    Published by BlueRadius Cyber | May 2026 | All figures sourced and footnoted

    Executive Summary

    California is the #1 U.S. state by reported internet crime complaints and the #1 state by reported losses, according to the FBI Internet Crime Complaint Center (IC3) 2024 Annual Report. Californians filed 96,265 complaints in 2024, reporting $2.539 billion in losses, the largest dollar figure of any state in the country.[1][2] California residents 60 and older reported the highest losses within the state, exceeding $800 million in 2024 alone.[1] The same year delivered the largest healthcare data breach involving a California-headquartered insurer in recent memory: Blue Shield of California disclosed that protected health information of approximately 4.7 million members had been exposed to Google's advertising platform between April 2021 and January 2024.[3][4]

    This report compiles publicly verifiable California-specific data on cybersecurity incidents, regulatory enforcement, and threat patterns from 2024 and early 2025. Every statistic is sourced and footnoted. The picture for California businesses, mid-market organizations in particular, is straightforward: the threat environment is the most active in the country, the regulatory environment is the most stringent in the country, and a meaningful change to breach notification timelines takes effect January 1, 2026.

    Key Findings

    • $2.539 billion in reported California losses from internet crime in 2024, the largest of any U.S. state.[1][2]
    • 96,265 California complaints filed with FBI IC3 in 2024, also the highest of any state.[1][2]
    • $800+ million in losses by California residents 60 and older, with this demographic also filing the most complaints within the state.[1]
    • Top three California cybercrimes by complaint volume in 2024: cryptocurrency fraud, extortion, and phishing/spoofing.[1]
    • 4.7 million Blue Shield of California members had protected health information exposed to Google's advertising platform between April 2021 and January 2024, discovered February 2025.[3][4][5]
    • 110 million AT&T customers affected by the 2024 Snowflake-related breach that pulled call and text metadata from AT&T's cloud workspace.[6][7]
    • $16.6 billion in U.S. cybercrime losses reported nationally in 2024, a 33% year-over-year increase, providing the national context.[2]
    • California's data breach notification timeline tightens January 1, 2026, when businesses will be required to notify affected residents within 30 days and the Attorney General within 15 days of discovery.[8]

    Bottom line: California businesses face the most active threat environment of any U.S. state, the most stringent privacy enforcement framework in the country, and a meaningful tightening of breach notification timelines on January 1, 2026. Mid-market organizations operating in or selling into California should treat the next 12 months as a forced upgrade cycle on their breach response, vendor risk, and identity protection programs.

    The Headline Numbers: California in the FBI IC3 2024 Annual Report

    The FBI Internet Crime Complaint Center (IC3) publishes annual data on reported internet crime by state. The 2024 report, released in April 2025, ranks California first in both complaint volume and dollar losses.[1][2]

    National Context

    Nationally, IC3 received 859,532 complaints in 2024 with reported losses exceeding $16.6 billion, a 33% increase over 2023.[2] More than 147,127 complaints were filed by people aged 60 and older nationally, with reported losses to that demographic reaching $4.8 billion, a 43% year-over-year increase.[1]

    California Breakdown

    California's share of the national picture is disproportionate to its population. The state accounted for roughly 11% of national complaints and 15% of national losses despite holding about 12% of the U.S. population. The top three reported cybercrime categories in California by complaint volume in 2024 were cryptocurrency fraud, extortion, and phishing/spoofing.[1]

    California residents 60 and older reported the highest losses within the state, exceeding $800 million in 2024 alone, and they also filed the largest share of California complaints.[1] This pattern aligns with the national elder-targeting trend but at a meaningfully larger absolute scale given California's elderly population.

    Healthcare: The Blue Shield of California Disclosure

    The largest healthcare-related California incident publicly disclosed in 2024 and 2025 was the Blue Shield of California breach, which affected approximately 4.7 million members. Blue Shield disclosed that Google Analytics had been configured in a way that allowed certain member data, likely including protected health information, to be shared with Google's advertising platform (Google Ads) between April 2021 and January 2024. The misconfiguration was discovered on February 11, 2025, and the service connection was disconnected shortly thereafter.[3][4][5]

    The Blue Shield incident is notable not because of a sophisticated external attack but because of a configuration management gap that persisted for nearly three years. For California healthcare organizations and any HIPAA-covered entity with substantial web analytics deployments, the lesson is direct: web analytics and advertising tag deployments inside protected-information surfaces require security review at deployment and ongoing configuration audit. See our healthcare cybersecurity services hub for the broader operational framework, and our HIPAA Breach Report 2026 for the national OCR enforcement context.
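
    One way to run the ongoing configuration audit described above, as an added example that is not BlueRadius or Blue Shield code: it parses page HTML and reports analytics or advertising resources loaded on pages where member data can appear. The protected path prefixes, the tracker domain list, and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed inventory of analytics/advertising domains; extend from your own tag inventory.
TRACKER_DOMAINS = ("googletagmanager.com", "google-analytics.com",
                   "doubleclick.net", "googleadservices.com")
# Assumed path prefixes where member data or PHI can be rendered.
PROTECTED_PREFIXES = ("/member/", "/claims/", "/find-a-doctor/")


class ResourceCollector(HTMLParser):
    """Collect the hosts of external script, img and iframe resources."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            src = dict(attrs).get("src") or ""
            host = urlparse(src).hostname  # also resolves //host/path URLs
            if host:
                self.hosts.add(host)


def is_tracker(host):
    """True for a listed domain or any of its subdomains (not lookalikes)."""
    return any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS)


def audit_page(path, html):
    """Return sorted tracker hosts loaded by a protected page ([] if none)."""
    if not path.startswith(PROTECTED_PREFIXES):
        return []
    collector = ResourceCollector()
    collector.feed(html)
    return sorted(h for h in collector.hosts if is_tracker(h))


def audit_site(pages):
    """Map each protected path that has findings to its tracker hosts."""
    findings = {p: audit_page(p, h) for p, h in pages.items()}
    return {p: hosts for p, hosts in findings.items() if hosts}


# Constructed sample pages, not captured from any real site.
SAMPLE_PAGES = {
    "/member/claims-history":
        '<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>'
        '<img src="//googleads.g.doubleclick.net/pagead/example">',
    "/member/id-card": '<script src="/static/app.js"></script>',
    "/about/careers": '<script src="https://www.google-analytics.com/analytics.js"></script>',
}

if __name__ == "__main__":
    for path, hosts in audit_site(SAMPLE_PAGES).items():
        print(f"{path}: third-party tags from {', '.join(hosts)}")
```

    Static HTML only shows tags present in the delivered markup; tags injected at runtime by a tag manager need the same check applied to network requests captured from a browser session.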

    Other healthcare incidents affecting California residents during the reporting window included a separate Blue Shield-related incident affecting approximately one million members via a ransomware attack on software solutions provider Connexure (formerly Young Consulting), attributed to the BlackSuit ransomware group.[5] The Change Healthcare breach disclosed in 2024 affected an estimated 193 million people nationally and included a substantial number of California residents, although the operator is not California-headquartered.[9]

    Technology Sector and Third-Party Risk: The AT&T / Snowflake Incident

    The AT&T data breach disclosed in July 2024 illustrates the third-party risk pattern that affects nearly every California business operating in cloud environments. Hackers downloaded records from AT&T's workspace on Snowflake, a third-party cloud data platform, between April 14 and April 25, 2024. The stolen data covered call and text metadata for approximately 109 to 110 million AT&T wireless customers, including the bulk of California-based AT&T subscribers, for a six-month window from May 1 to October 31, 2022, plus a small number of January 2023 records.[6][7]

    AT&T paid a reported $370,000 ransom in an attempt to have the stolen data deleted. The Mandiant investigation noted that the broader Snowflake compromise affected over 160 customer environments.[6][7] AT&T disclosed the incident publicly via SEC 8-K filing on July 12, 2024, after two delays granted by the Department of Justice for national-interest reasons.[6]

    The takeaway for California businesses is structural: third-party cloud platforms hold an increasing share of regulated and sensitive data, and the supply-chain compromise pattern that hit Snowflake customers in 2024 is now the default attack model for vendor-rich environments. Vendor risk programs, identity-first detection in cloud platforms, and contracted incident response are the structural responses. See our managed cybersecurity services hub for the detection and response architecture, and our vCISO and MSSP integration guide for the executive layer that owns vendor risk strategy.

    Elderly Californians as the Primary Victim Demographic

    The elderly-targeting pattern is the most pronounced concentration in the California IC3 data. Residents 60 and older accounted for over $800 million of California's $2.539 billion total in 2024 losses, roughly 31% of the state total despite representing approximately 15% of California's population.[1] The same demographic filed the largest share of California complaints in 2024.[1]

    Common attack vectors against elderly Californians include cryptocurrency investment fraud, tech support scams, romance scams, and government impersonation. The cryptocurrency category, in particular, drove the year-over-year loss increase, accounting for a disproportionate share of high-dollar individual losses across the elderly cohort nationally.[2]

    For California organizations whose customer base skews older (healthcare systems, financial services, insurance carriers, retirement communities, banking platforms), the implication is that account takeover and social engineering targeting customers represent an outsized share of practical fraud risk, separate from the direct technical breach risk to the organization itself.

    California's Regulatory Environment: CCPA, CPRA, and Enforcement

    California operates the most stringent state-level privacy and breach notification framework in the U.S. The core statutes are the California Consumer Privacy Act (CCPA, 2018) as amended by the California Privacy Rights Act (CPRA, effective January 1, 2023), the California Customer Records Act (Cal. Civ. Code section 1798.82) requiring breach notification, and the Confidentiality of Medical Information Act (CMIA) for healthcare-specific protections.[8][10]

    The California Attorney General's office and the California Privacy Protection Agency (CPPA) jointly enforce the CCPA/CPRA framework, with the CPPA carrying primary regulatory authority since 2023. Enforcement settlements with companies including Blackbaud and Adventist Health Hanford have established baseline expectations for breach response programs under California law.[11]

    For healthcare entities, California Department of Public Health notification is required within 15 days of breach discovery, on top of HIPAA federal notification timelines.[10] Breaches affecting 500 or more California residents require a copy of the notification to be submitted to the California Attorney General, which maintains a public, searchable breach notification database.[10]

    What Changes January 1, 2026: 30-Day Notification, 15-Day AG Notification

    California's breach notification timeline tightens materially on January 1, 2026. Under amendments to Cal. Civ. Code section 1798.82, businesses and state and local agencies must:[8]

    • Notify affected California residents within 30 days of discovering the breach (down from the prior open-ended "expedient" standard).
    • Notify the California Attorney General within 15 days of discovery for any breach requiring resident notification.

    The practical implication for mid-market California businesses is that the existing incident response runbook (legal review, forensic investigation, scope determination, notification drafting, multi-jurisdiction notification coordination) must compress to fit a 30-day window from discovery, with regulator notification at the 15-day mark. Organizations whose current runbooks assume 60 to 90 days to investigation completion will not meet the new statutory window without pre-positioned incident response capability.

    See our regulatory compliance services for the program work that produces audit-defensible incident response timelines, and our threat operations for the rapid-response engagement model that supports the new 30-day window.

    What This Means for California Businesses in 2026

    Three operational implications drop out of the data:

    1. Identity-first detection is no longer optional

    The Snowflake / AT&T pattern, the Blue Shield Google Analytics misconfiguration, the cryptocurrency fraud targeting elderly Californians, and the broader phishing / extortion top-three cybercrime mix all share a common root: identity and credential abuse rather than endpoint malware. California organizations whose security stack still treats endpoint-based detection as the primary control surface are misaligned with the actual threat model. Identity provider monitoring (Entra ID, Okta, Google Workspace), OAuth grant audit, and conditional access enforcement are now baseline.

    2. Vendor risk programs need teeth

    Both the Blue Shield and AT&T incidents trace to vendor or third-party configuration failures rather than internal compromise. Vendor risk programs that consist of one-time security questionnaires at onboarding miss the ongoing configuration drift that produced the Blue Shield exposure. California organizations should treat vendor risk as a continuous monitoring program, not a procurement checklist.

    3. Incident response capability has to fit a 30-day window starting January 1, 2026

    The new notification timeline forces capability that many mid-market California organizations do not currently have: pre-positioned incident response retainers, named legal counsel familiar with California breach law, communication templates ready for the 30-day window, and forensic investigation capacity that completes scoping within the first two weeks. Building this in advance is materially cheaper than scrambling during the first incident under the new rules.

    Frequently Asked Questions

    What is the total California cybercrime loss for 2024?

    $2.539 billion in reported losses, the highest of any U.S. state, according to the FBI Internet Crime Complaint Center 2024 Annual Report.[1][2]

    How many cybercrime complaints were filed in California in 2024?

    96,265 complaints, also the highest of any U.S. state, per the FBI IC3 2024 Annual Report.[1]

    What were the top three cybercrime types in California in 2024?

    By complaint volume: cryptocurrency fraud, extortion, and phishing/spoofing.[1]

    What was the largest California healthcare breach disclosed in 2024 to 2025?

    Blue Shield of California disclosed in early 2025 that approximately 4.7 million members had protected health information exposed to Google's advertising platform between April 2021 and January 2024, due to a Google Analytics configuration that allowed PHI to flow into Google Ads. The service was disconnected after discovery in February 2025.[3][4][5]

    When does the California breach notification timeline change?

    January 1, 2026. Businesses must notify affected California residents within 30 days of discovery and notify the California Attorney General within 15 days of discovery.[8]

    What should California mid-market businesses do now?

    Three structural actions: deploy identity-first detection across cloud and SaaS environments, treat vendor risk as continuous monitoring rather than procurement onboarding, and build pre-positioned incident response capability that fits the 30-day window taking effect January 1, 2026. The fastest way to scope these gaps against your environment is a structured assessment: request a free cybersecurity assessment.

    How does California compare to other states?

    California ranked #1 nationally in 2024 by both complaint volume and reported losses, with $2.539 billion in losses versus $1.35 billion for the second-highest state group. See our companion analysis, the Texas Cybersecurity Breach Report 2025, for the Texas comparison.[1][2]

    Local Practice Coverage in California

    BlueRadius Cyber serves California organizations through dedicated local practices in three California metros:

    Statewide capabilities cover vCISO leadership, 24/7 managed security operations, regulatory compliance programs (CCPA/CPRA, HIPAA, SOC 2, ISO 27001, PCI DSS), penetration testing, AI governance, and incident response, with engagement models tailored to California businesses preparing for the January 1, 2026 notification changes.

    Sources

    1. FBI Los Angeles Field Office, "Californians Report Over $2.5 Billion in Losses According to IC3 Annual Report," 2025. fbi.gov
    2. FBI Internet Crime Complaint Center, "2024 Internet Crime Report," April 2025. ic3.gov
    3. Infosecurity Magazine, "Blue Shield of California Data Breach Affects 4.7 Million Members," 2025. infosecurity-magazine.com
    4. BleepingComputer, "Blue Shield of California leaked health data of 4.7 million members to Google," 2025. bleepingcomputer.com
    5. SecurityWeek, "Blue Shield of California Data Breach Impacts 4.7 Million People," 2025. securityweek.com
    6. Wikipedia (citing primary SEC filings and FBI / DOJ statements), "Snowflake data breach," 2024-2025. en.wikipedia.org
    7. Eftsure, "AT&T Data Breach impacts 110 million customers," 2024. eftsure.com
    8. HIPAA Journal, "California Sets 30-Day Breach Reporting Deadline," 2025. hipaajournal.com
    9. HIPAA Journal, "Cybercrime Losses Increased by 33% in 2024 to $16.6bn," 2025. hipaajournal.com
    10. California Office of the Attorney General, "Data Security Breach Reporting." oag.ca.gov
    11. Data Protection Report (Norton Rose Fulbright), "California Attorney General and data security, access and retention," August 2024. dataprotectionreport.com

    All figures and named incidents in this report are drawn from publicly available primary sources or established secondary reporting. Where industry surveys or vendor reports are cited, the publisher is identified explicitly. This report does not reproduce or aggregate raw breach notification submissions from the California Attorney General's portal; readers seeking specific breach-level disclosures should consult the California AG Data Security Breach List directly.
