Crime & Justice

Data breaches affected 21.3M Californians in last 2 years; state to focus on cybersecurity

Cybercriminals allegedly hacked into databases for prepaid debit cards and used the compromised data to steal from ATMs around the world.
Cybercriminals allegedly hacked into databases for prepaid debit cards and used the compromised data to steal from ATMs around the world.
Damien Meyer/AFP/Getty Images

Listen to story

Download this story 0.0MB

New numbers show that data theft is on the rise is California. We've heard about problems at big companies like Target and Nieman Marcus, but it's actually small businesses that are most vulnerable

There were 170 data breaches reported to the California Attorney General's Office last year — a 30 percent increase since 2012. California businesses and government agencies have experienced 300 separate data breaches exposing the personal information of more than 20 million customer accounts during the past two years, leading state Attorney General Kamala Harris on Thursday to elevate cybersecurity as a key focus of the state's top crime-fighting agency.
Harris said the California Department of Justice will begin playing a more active role in advising employers about cybersecurity, while her office will be taking the lead on a previously announced state-level investigation into some of the most significant nationwide data breaches.

RELATED: Target says security breach could impact up to 110 million customers

Clifford Neuman, director of the USC Center for Computer Systems Security, tells KPCC that you can blame the increase in data breaches on our increased reliance on inter-connectivity.

"Whereas as we used to protect systems by isolating, the fact we're requiring more and more points of access to get into these systems, that makes it much harder to secure access into these systems," Neuman said.

In 2012, 81 percent of all cyber-attacks were aimed at businesses with fewer than 2,500 employees. They tend to not think they're a target and lack the resources of big businesses.

Which is why the attorney general just issued a set of recommendations for small- and medium-sized companies.

Her first piece of advice? Assume you are a target and come up with a plan in case of attack.

But that requires buy-in from everyone, says Neuman, especially the bosses.

"A lot of this is going to involve education and awareness and getting [them to] understand not just in the IT department, but also decision makers," Neuman said.

The new recommendations emphasize encrypting all the data you have on your systems. Also important: making sure you don't provide any one employee with access to all the data.

Among entities reporting breaches in 2012 were American Express Travel Related Services Co., Kaiser Permanente and several state government agencies, including the departments of Public Health and Social Services.

Electronic data breaches compromised the Social Security numbers, credit card and bank account information, and other sensitive data on 21.3 million customer accounts during the two-year period. The actual number of victims is unknown because many people could have had multiple accounts exposed.

"California is at the center of the digital revolution that is changing the world," Harris said in an introductory letter for a new cybersecurity business guide her department released Thursday. "Unfortunately, cybercrime, data breaches, theft of proprietary information, hacking and malware incidents are now routine."

Harris' office also disclosed that California is leading a multistate investigation into the massive holiday season consumer data theft at discount retailer Target Corp. and luxury retailer Neiman Marcus, breaches that left tens of millions of customers at risk. More than 7 million Californians were affected by the Target breach alone, Special Assistant Attorney General for Law and Technology Jeff Rabkin said.

The U.S. Justice Department is taking the lead in trying to identify the culprits, who are suspected to be based overseas, while the multistate investigation focuses on whether the retailers share blame because they lacked the necessary precautions to prevent the thefts. The state investigation also will explore whether Target and Neiman Marcus acted properly as soon as they learned of the problem, Rabkin said in a telephone interview.

The investigation by some states has previously been disclosed, but not California's leadership role. Rabkin declined to give details or say whether other retailers also are under scrutiny, citing the ongoing investigation.

Target Corp., the nation's second-largest retailer, was told of suspicious activity on Dec. 12 and publicly announced the breach a week later. Neiman Marcus learned of its problem on Dec. 13 and notified customers nearly a month later, on Jan. 10.

Retail breaches were the biggest problem in 2013, according to early numbers provided to the AP. Data thefts at Target and LivingSocial, Inc., alone each affected about 7.5 million California customer accounts.

Overall, thefts from retailers were responsible for nearly three-quarters of the breaches affecting the 21.3 million accounts over the two-year period.