Personal information about more than 18.5 million Californians was hacked last year and as many as one-third of those people will become victims of fraud, California Attorney General Kamala Harris said Tuesday in a new report on data breaches in the nation's biggest state.
Retailers, banks, health care providers and other organizations reported 167 different breaches in the state during 2013. That total of more than 18.5 million is six times more than the 2.5 million accounts hacked in 131 breaches in 2012, and represents nearly half of the state's 38 million residents. The alarming increase, which covers both malicious hacking and accidental leaks due to poor information security, was driven mainly by breaches at Target stores and Living Social, an online marketplace. Even without those two incidents, the number of customer accounts exposed by other hacks jumped 35 percent last year.
As many as one third of people whose information is exposed in a data breach will subsequently suffer some kind of fraud, Harris adds in the report, citing estimates by Javelin Strategy and Research, a California firm that tracks financial industry trends.
More than half of the breaches reported in California involved malicious attempts by hackers or cyber-criminals who were determined to steal customer data, according to the report, which said "trans-national criminal organizations" appear to be responsible in many cases.
"Increasingly, highly sophisticated criminal organizations and state-sponsored entities -- located as far away as Russia, China and Eastern Europe -- are responsible for breaches," Harris said. The report cites one federal prosecution of an overseas hacker group. It doesn't provide any new details on a multi-state investigation, announced earlier this year, in which officials from California and elsewhere said they were looking into Target Corp.'s response to its breach.
State law requires businesses to notify consumers when their data is exposed in a breach affecting more than 500 accounts. They also must file a report with Harris's office. While there is no similar requirement at the federal level, the figures from California may provide insight into broader trends nationwide.
Retailers were the largest category of businesses that were hacked, followed by financial institutions and then health care providers. Health care organizations were more likely to report the loss or theft of laptop computers or other electronic storage devices containing patient files.
What was taken? Social Security numbers were exposed in nearly half of the breaches; 38 percent of breaches involved account information for credit or debit cards.
Criminals can use both to commit financial fraud: The average amount of fraud linked to a stolen Social Security number is $2,330 and the average for a credit card is $1,251, according to estimates that the attorney general attributes to Javelin.
A new state law that goes into effect next year will require companies to offer at least one year of free theft-prevention assistance, such as credit monitoring, to consumers affected by data breaches. While many companies already do this, the report says that kind of help was only offered in half of the breaches reported over the last two years.
Harris is recommending additional changes, including legislation that sets stricter notification requirements and provides financial aid to help small businesses adopt data safeguards. She also urges companies to use stronger encryption and other protective methods, although she noted that a recent legislative effort to require encryption was unsuccessful.
Harris also is urging companies to notify consumers about data breaches more promptly and to make their notices easier to understand, with less legal jargon. She notes that the purpose of such notices "is undercut if the recipients cannot understand them."