At least 2.5 million Californians were victims of 131 data security breaches in 2012 that compromised their personal information, about half of which could have been prevented, according to a report (pdf) by state Attorney General Kamala Harris.
The state report is based on information provided by businesses and government agencies, which have been legally required since 2012 to alert the attorney general’s office when more than 500 Californians are affected by a security breach. Affected customers have been receiving notices, by law, since 2003 whenever there is a breach.
Although warning letters were routinely sent out to individuals whose personal data was compromised, many of them may have been unaware of what had happened because the average reading level of the notices was “14th grade.”
In other words, those without a college education probably couldn’t understand what they were reading. The attorney general recommended that the notices be written more plainly and noted that the average American reads at an 8th-grade level.
Around 26% of security lapses were in the retail industry, followed by the combined finance and insurance industries at 23%. Other affected sectors included health care (15%), government (8%), education (8%) and professional services (5%).
More than half of the breaches were deliberate. Unauthorized insiders and outside intruders accounted for 55% of the incidents, while the other 45% could be traced to internal security lapses, like lost laptops and misdirected emails.
The attorney general estimated that 1.4 million people could have escaped harm if sensitive data had been encrypted, a basic security measure available to the public and private sectors. That sensitive data included Social Security numbers in 56% of the incidents. Some breaches involved more than one type of data. Credit or debit card information was exposed 40% of the time, followed by health information (17%), bank account info (8%) and driver’s license numbers (8%).
The average breach involved 22,500 individuals, but that figure was skewed by five breaches of 100,000 or more individuals each. The median size was 2,500. The largest hacker incident was a reported intrusion at Valve Corporation, an online game software company, that exposed 509,000 individuals. But the California Department of Social Services topped that when it lost a computer storage device holding sensitive information on 845,000 parents, children and caregivers in March 2012.
Currently, notification of breaches does not need to be sent out if all that was compromised were online credentials, like user names and passwords. Nowadays, that could be the most critical information a person has on file. The state Senate unanimously passed legislation in May that would cover that information, along with email addresses and security questions. The Assembly Judiciary Committee approved it June 18.