
California Breaches Increase 30 Percent in 2014; 84 Percent Retail

More than 18.5 million residents of California had their information compromised in 2013, a 640 percent increase from the previous year (2.5 million), according to California’s State Attorney General in the Bits Blog.

Data breaches in the state increased 28 percent from 2012 to 2013, which is worrisome given that California has 38 million consumers and the eighth largest economy in the world, according to the California Data Breach Report (PDF) published in October 2014.

[Figure: California Data Breach Types]

Fifty-three percent of the breaches were caused by malware and hacking, while another 26 percent were due to the loss of a computer or device. Hacking and malware account for 93 percent of the total records breached, with device loss accounting for only 1.15 million records.

Target and Livingsocial account for 7.5 million of those breached records. Target’s breach began when attackers stole the credentials of one of its HVAC contractors and used them to gain remote access to Target’s systems, including its internal billing and project management system, as Brian Krebs reports. Forty million payment card numbers were stolen, in addition to 70 million personal records.

Livingsocial notified more than 50 million customers of potentially breached records in 2013, advising users to change their passwords as an extra security precaution, even though the passwords were encrypted at the time of the breach.

However, even with those two breaches excluded, 2013 would still represent a 35 percent increase over 2012, from 2.5 to 3.5 million records.

California was the first state to mandate data breach reporting, having done so since 2003, and that may be why it has the data to produce this report. According to the National Conference of State Legislatures, 47 states have breach notification laws requiring both private companies and state governments to notify consumers if they’ve been breached.

Of course, each state has its own definition of what qualifies as a breach and its own exemptions to the law (e.g., breaches involving encrypted information). And then there are the states that will never release a report about data breaches, since they have no security breach laws at all: Alabama, New Mexico and South Dakota.

The California report calls out the retail industry as the biggest target for hackers, representing 84 percent of total records breached, that is, 15.4 million records. The financial sector accounts for 20 percent of all breaches, while healthcare accounts for another 15 percent.

Some of the report’s key recommendations include:

  • Update point-of-sale terminals to chip-enabled
  • Implement encryption solutions to devalue payment card data
  • Encrypt data from its point of capture until completion of transaction authorization
  • Implement tokenization to devalue payment card data (online/mobile transactions)
  • Respond promptly to data breaches and notify individuals in a timely manner
  • Improve notices about payment card data

The White House also imparted its own recommendations and mandates last Friday when it signed an executive order to improve the security of consumer transactions. The order requires agencies to use multiple factors of authentication whenever they allow citizens to access their personal data through a web application.

As part of the identity-proofing process, the White House is mandating that certain agencies submit plans to ensure two-factor solutions are in place 18 months after the order. While this isn’t yet reflected in state legislation, it’s promising that federal mandates are recognizing the importance of authentication security and its role in protecting consumers from stolen data and potential payment card fraud.

It’s not only a burden on consumers, who must monitor their credit and payment accounts and switch to a new credit card; it also costs banks and other financial institutions a great deal of money and time to replace breached cards on behalf of retail organizations, as I wrote about in After a Data Breach: Who’s Liable?