California Attorney General Publishes 4-Year Data Breach Report

California Attorney General Kamala D. Harris has released a new data breach report on the security incidents reported to her office over the past four years. She criticizes organizations that have allowed the privacy of Californians to be violated.

She points out that in almost all cases the data breaches reported to her office since 2012 occurred as a result of tardiness in the application of patches to address known security vulnerabilities. She also said that in the majority of cases patches to address exploited vulnerabilities had been available for more than a year.

The Majority of Data Breaches Could Easily Have Been Prevented

Harris is under no illusions that the threat of attack from skilled cybercriminals and foreign-government-backed hacking groups is greater than ever before and security risk cannot be reduced to zero. However, she points out that companies doing business in California must do more to protect the privacy of state residents. She wrote, “It is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”

By adopting industry best practices and applying basic cybersecurity measures, the majority of data breaches can easily be prevented. She also points out that companies voluntarily choosing to store sensitive consumer data have a legal responsibility to implement security controls to ensure those data are secured and remain private.

Harris says that the data breach report is a starting point that should serve as a “call to action” for all companies doing business in the State of California to improve security controls to protect the privacy of state residents.

In the four years under study, the private and confidential data of almost 50 million Californians have been exposed or stolen by cybercriminals.

The data breach report covers the period from 2012 to the end of 2015. During that time, the California Attorney General’s office received 657 reports of data breaches that affected more than 500 individuals.

The data breach report shows that, instead of improving, the situation is getting worse. One in three Californians had their confidential data exposed in 2015 alone. Over 24 million records were exposed in 178 data breaches last year. In 2012, when the attorney general’s office introduced new state legislation requiring data breaches to be reported, 131 data breaches occurred, exposing 2.6 million records.

Hacking and Malware Compromised the Most Records and Caused the Majority of Data Breaches

In the majority of cases, data breaches were the result of hacks, malware, and the actions of cybercriminals, although breaches also occurred as a result of lost and stolen devices, the actions of malicious insiders, and negligence.

Medical data were exposed in 19% of all reported data breaches, and 24 million Social Security numbers were exposed over the four-year period. Healthcare data breaches accounted for 16% of the total. 18% of data breaches affected companies operating in the financial sector, although it was the retail industry that was hardest hit, accounting for 25% of all data breaches and 42% of all exposed records.

The report points out that data breaches can affect organizations of all sizes. Hackers do not only go after the big players in each industry sector. Smaller organizations can just as easily be targeted. They are often attacked because they are the easiest targets, typically having less robust security controls. 15% of all data breaches over the four-year period were reported by small businesses.

The biggest threat to data security is hacking and malware. 365 of the 657 data breaches (54%) were the result of hacks and malware infections. It is these cyberattacks that tend to expose the most data. 90% of all records were exposed or stolen as a result of hacks and malware. 17% of data breaches in 2015 were the result of physical breaches such as lost and stolen devices, while errors caused around 17% of data breaches. Half of all government breaches were the result of human error.

The full data breach report, along with the California Attorney General’s recommendations to reduce risk, can be found on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.