By all accounts, 2016 was a banner year for data breaches. According to a stunning new report by the Risk Based Security group, just three breaches accounted for more than 2.2 billion exposed records. Yahoo revealed in 2016 that it had been the target of multiple breaches spanning several years, with the total number of records compromised potentially approaching 1 billion.
Despite numerous headlines publicizing record-breaking breaches over the past several years, companies still struggle to keep up with the number of potential threats to their computer systems. From police departments to hospitals to the IRS, it seems every organization is a target; companies, non-profits, and government alike suffered breaches. Common causes of breaches include data mistakenly sent via email, data accidentally posted to a publicly available website, insider threats (including employees stealing company data), and phishing. Exposed data runs the gamut from financial records to health records to Social Security numbers.
With a high potential payoff and relatively low risk, criminals have little reason not to try to breach systems. In the IRS breach in 2015, criminals obtained enough information from previous breaches sold on the dark web to access tax records for hundreds of thousands of taxpayers. Armed with this information, they were able to file fraudulent tax returns. All told, criminals got away with an estimated $62 million from this scheme. So far, no one has been publicly indicted for this fraud.
Of course, not every breach has a criminal mastermind behind it. According to the Identity Theft Resource Center, almost 1.5 million records were exposed because of employee error or negligence. An innocuous misdirected email can turn into a corporate nightmare if the email contains sensitive information, such as in the case of one Massachusetts hospital.
Let’s hope 2017 has fewer breaches in store.