Over 600% increase in amount of exposed data records in 2013

Oct 29, 2014 16:05 GMT

An annual report on cyber incidents affecting the residents of California has been compiled by the Office of the Attorney General for 2013, revealing a more than 600% increase in the number of exposed records; the raw data translates into 167 data loss events and about 18.5 million records at risk.

The document takes into consideration all the events that resulted in the loss or exposure of personal information of more than 500 Californians and does not discriminate between business sectors.

Two incidents make the 2013 statistics go through the roof

Two incidents that occurred in 2013 are responsible for the spike in the number of victims: the intrusion at LivingSocial, which, overall, leaked details of 50 million individuals, and the attack on Target announced in December, which exposed card data of about 40 million customers.

Together, these two impacted about 15 million Californians, according to the report from the Attorney General’s Office.

By comparison, the number of breaches reported in 2012 was 28% lower, amounting to 131 incidents, and the total number of records that potentially fell into the hands of unauthorized persons was 2.6 million.

More than half of customer data loss incidents in California in 2013 were caused by malware infections or hacking. Theft of physical devices (computer systems, storage units) containing personal client records came in second with 26%, while errors and misuse of technology accounted for the fewest incidents, 18% and 4%, respectively.

SSNs and payment card data most coveted by cybercriminals

According to the report, although 53% of the incidents were due to infiltration of malicious software and hacking of the computer system infrastructure, these incidents accounted for the largest share (93%) of the compromised personal records.

In these cases, it is safe to assume that at least some of this information was sold on underground forums and that it was used for malicious activities leading to financial losses for the victims.

As far as the type of data exposed is concerned, social security numbers were at the top, followed closely by payment card details. These are the most valuable to cybercriminals, who can use them for identity theft and subsequent financial gain.

As was to be expected, the retail sector was the most affected by data breach incidents, as crooks tried to exfiltrate card information from payment processing systems.

Bill to make entities pay for exposing sensitive customer details

Lately, such incidents have become common, with Kmart, Dairy Queen, Supervalu and Home Depot being the most prominent victims this year; hundreds of stores and tens of millions of customers have been affected across the US.

California Attorney General Kamala Harris says that an assembly bill (AB 1710) has been enacted, requiring the source of a breach involving customer personal information to provide complimentary identity theft and mitigation services to the affected individuals for a period of at least one year; affected individuals should also be informed of the incident within 15 days of the discovery. The bill is set to take effect in California starting January 2015.

Recommendations from the Attorney General for retailers to prevent such events include using strong encryption (very useful in other sectors, too) for the stored data, as well as switching to chip-enabled payment processing systems.