An analysis of data collected from California’s Department of Technology shows there have been 7,345 data breaches at state agencies or departments since 2007. From Jan. 1, 2013 through Nov. 7, 2013, the state of California notified, by policy, 23,379 individuals that their personal information may have been compromised in a cyber attack.
It is the reality of the digital age.
According to California Department of Technology’s Chief Security Officer Michele Robinson, in the ever-changing digitized cyber world, attacks and break-ins happen regularly. And government computers that store personal information of millions of California residents are vulnerable.
According to NBC Bay Area Investigative Unit’s analysis, cyber attacks on state computer systems average about four and a half a day. The data shows preliminarily that the state estimates the total cost of these incidents to be at least $3,864,543.48. The preliminary state data shows the cost to correct these data breaches to be at least $5,081,670.33.
The attacks occur at just about every state agency or department, from the DMV to Social Services, Unemployment Insurance Appeals Board to California’s Public Health Department, California’s Governor’s office to the Department of Alcoholic Beverage Control.
Officials admit that these attacks can put at risk some of residents’ most private information, from Social Security numbers and HIIPA information, to criminal records and tax data.
What the Investigative Unit found:
• Of the 7,357 computer attacks or hackings, 1,153 were “successful” exploit or attack, which means they breached security. (Although the state says it does not necessarily mean data was accessed or downloaded.)
• The average cost of one data breach is about $188
• The departments with the most data breaches: Social Services Department (934), Unemployment Insurance Appeals Board (671) and the DMV (592)
The data showed 689 instances of suspected criminal activity in breaches and broke down the events by type of attack. Those happening most frequently since 2009:
• Malware (751)
• Websites compromised (412)
• Key logger attacks (90)
• Phishing attacks (20)
“The malware we’re seeing is becoming more and more sophisticated,” Robinson said. “So it is becoming much more of a concern.”
Robinson oversees all security of California’s state government computers. She gave the Investigative Unit a rare tour of one of the state’s five massive data centers that stores all digital information maintained by the state.
“Information security is a worldwide problem and a concern. Especially for any computer user,” Robinson said. “One of those [attacks on state computers] is one too many and we’re going to continue to strive for zero. We’re under attack every second of every day.”
She said California uses the highest security to protect this data. We agreed not to report its exact location as well as other details about it in order to enhance security surrounding it.
“We’re pretty diligent as a government in protecting our citizens’ data,” Robinson said. “We take it very seriously.”
Robinson described the state’s security as a “layered approach” from implementing solutions, to physical security controls and technical controls to prevent successful hackings.
“I will be honest, it’s a challenge. But I think that we, as a state, do a very good job,” Robinson said.
California’s data breach notification law requires notification when computerized data gets compromised. Robinson said she set a policy requiring all individuals to be informed if their data is inadvertently disclosed.
So far this year, officials have notified 23,379 Californians that their data has been compromised.
Although Robinson told the Investigative Unit, large data breaches rarely occur, smaller attacks resulting in data losses of individuals or small groups still occur regularly.
“Every person matters and they need to start thinking about that one person,” Julie Myers, a Richmond resident struggling with the Unemployment Department’s website, told NBC Bay Area.
Myers, who just received her masters degree in Sports Management, has been unemployed since July. She was receiving her unemployment check until the state changed the computer system earlier this year to a new upgraded system. Now, she can’t renew her payments and isn’t receiving her checks and is one of many who complained.
She thinks her experience is indicative of a bigger problem for state computers.
“How many more problems are out there and how easy would it be for someone to get at that information?” Myers asked.
The Investigative Unit showed Myers the cyber breaches data.
“This is insane,” Myers said. “We expect corporate businesses to run at a high level and then this just shows me that our own state is in the dark ages when it comes to computer system.”
“To me, it’s scary how easy it would be for the new cyber-attacks to get in there,” she said.
“I think most people have no idea the scope of the problem,” Dave Garrett told the Investigative Unit. Garrett serves as Managing Director of the San Francisco office at Stroz Friedberg, an international computer security and cyber intelligence company with offices located around the world.
Garrett told the Investigative Unit that although the state reported 1,153 successful attacks or exploits, there could be many more that flew under the radar.
“There may have been a lot more that were actually successful that the state of California doesn’t know about yet,” Garrett said. “And that’s the big part of this problem.”
“The big part of this problem in many times is just detecting that the attack actually occurred,” he continued.
Garrett said limited resources inhibit state workers from most effectively fighting and preventing some of these attacks on the millions of data entries protected by the state. “Obviously good people trying their best,” he said. “They’re put in an untenable position to try to understand the problem.”
Ironically, state officials say that even in this time of computer sophistication, in truth, the biggest issue state departments and agencies have with data loss is not in the form of digital data compromise, but the loss of security of citizen’s information located on hard paper that gets mishandled.
“We have some large departments that handle over 30 million transactions a year,” Robinson said. “So when you look at the number of occurrences in that perspective, it’s really relatively low.”
Robinson says the majority of data breaches at state agencies right now involve simple mishandling of private information written or typed on paper.
“So what are we doing about that is really, again, increasing our training and awareness and education,” Robinson said, “All the way down to the front line people who work with customers directly and getting (those state employees) to understand the impact of a potential handling error.”
Even so, Stroz Friedberg's Dave Garrett says that the number of attacks and successful exploits of California state computer systems is cause for concern.
"I'm worried," said Garrett, "As a citizen, I'm worried about what's happening with my data."
Do you have a tip for the Investigative Unit? Email us: TheUnit@nbcbayarea.com