If California Attorney General Kamala Harris is correct, and “the Golden State is on the cutting edge when it comes to protecting consumers and businesses from emerging cyber threats,” it would be a sad testimonial to the sorry state of digital security.
Private information of nearly half the state’s residents was exposed in 2013, a six-fold increase over the previous year, according to the state’s 2014 California Data Breach Report. That hyperventilating-worthy 18.5 million-person figure was distorted by two massive breaches.
But the 167 breaches reported by state agencies and companies in 2013 were 28% more than the previous year, and even that count is a floor: the annual report only covers breaches involving at least 500 people, so smaller incidents never appear in it. The actual number of breaches, and of exposed people, in the state could be much higher.
Although the introductory message from Harris defines a data breach as “any situation in which an individual or group steals sensitive, protected or confidential data,” the report repeatedly says the numbers also include lost hardware, which nobody stole. She blames hackers and thieves in Russia, China and Eastern Europe for much of the problem, but the report also sounds a familiar refrain: a lot of pain could be avoided if government and corporations simply encrypted the data on the devices they lose.
Especially in the health care sector. Across all sectors, 53% of breaches were caused by hacking and malware, 26% by the loss or theft of an unencrypted device, 18% by unintentional error and 4% by malicious insiders. In health care, though, 70% of the 2012-2013 breaches came from lost or stolen hardware holding unencrypted data, a category that encryption at rest would have turned from a breach into an inconvenience.
Although hacking and malware caused 53% of all 2013 breaches, they were responsible for 93% of the compromised records, roughly 17 million of the 18.5 million. The LivingSocial and Target breaches accounted for most of those. Each exposed 7.5 million Californians (91 million total nationwide).
Almost half the breach incidents included compromised Social Security numbers. For years, the cards literally displayed the admonition, “For Social Security Purposes―Not for Identification.” But they have since become the de facto identification of Americans, and, unlike a payment card, a Social Security number cannot be reissued after it leaks. Payment card data was the second-most-likely information compromised (38%), followed by medical data (19%), driver’s license numbers and other financial information (8% each) and bank account numbers (5%).
Although Social Security numbers turned up in half the breach incidents, they made up only a small share of the stolen records, because a handful of large online hacks dominated the record count. Measured by record, payment card information dominated 2013 (49%), followed by online account credentials (42%).
The retail sector was the hardest hit, no matter how you measure it (26% of breaches, 84% of records). It was followed by finance (20% of breaches, 1% of records), health care (17% of breaches, 6% of records), professional services (8% of breaches, 4% of records) and government (7% of breaches, less than 1% of records).
The damage from the loss of one’s personal data goes beyond a grieving sense of loss and personal violation. The report cites Javelin Strategy & Research’s figures on payment card data security that “36 percent of data breach victims suffered card fraud in 2013, up from 28 percent the previous year” nationwide.
The Attorney General listed 12 recommendations for government and corporations to better protect the critical personal information of millions. None of them is new, and many are already acknowledged as overdue upgrades, like Recommendation 1, which points out, “A global standard for payment cards based on chip technology was established in 1994 and since then, more than 80 countries have moved to use chip cards, including countries in Europe and Asia, as well as Canada, Mexico and Brazil.”
Guess who hasn’t.
Recommendation 2 says that encryption software that has been available for years should actually be used, particularly on the portable devices whose loss accounts for so many of the breaches. No. 4 implores retailers to let people know promptly when their data has been compromised. No. 5 says that when they do try to inform people, they should try harder, by tracking down people whose mailing addresses are not initially apparent.
The report has similar suggestions for the health care sector, businesses and government. No one is expecting a decrease in data breaches in 2014.