Thursday, 30 October 2014

18.5M Californians Lose Data To Hackers, State Attorney General's Report Blames Rise On Big Retail Data Breaches

Huge data breaches at Target and other retailers helped fuel a 600 percent increase in the number of California residents’ records compromised in cyber attacks last year, according to a study released Tuesday.

The California Data Breach Report from state Attorney General Kamala Harris said 18.5 million Californians were involved in data breaches in 2013 – up from 2.5 million in 2012. The state’s population is about 38 million.

The numbers were skewed upward by the massive 41 million payment card breach at Target – which affected 7.5 million Californians. A separate 50 million record breach at LivingSocial, an e-commerce firm based in Washington, D.C., also contributed to the skyrocketing percentage increase.

Factoring out Target and LivingSocial, the number of compromised records of Californians last year increased 35 percent to 3.5 million.

“Data breaches pose a serious threat to the privacy, finances and personal security of California consumers,” Harris said in a statement. “The fight against these kind of cyber crimes requires the use of innovative strategies by government and the private sector to protect our state’s consumers and businesses.”

Cyber attacks have made more headlines recently because of the sheer amount of records stolen – particularly from brand-name retailers. Target’s revelation that cyber criminals lifted data off its payment card machines at check out was followed by news that Home Depot suffered a similar attack.

Retail breaches accounted for 84 percent – or 15.4 million – of total records breached in California last year, according to the report. They were followed by financial institutions and health care providers.

Financial losses suffered by Californians from these breaches are unclear. The Attorney General’s report didn’t pinpoint exact figures. But it did cite a national study by Javelin Strategy & Research that estimated that 36 percent of data breach victims suffered payment card fraud.

Paul Stephens, director of policy at San Diego’s Privacy Rights Clearinghouse, said it’s hard to establish a direct link between a data breach and fraud. But he noted that some data breaches are more risky than others.

“For consumers, any breach that involves a Social Security number should be of the upmost concern because of the ability (for criminals) to commit new account fraud — that is, open new accounts” in the consumer’s name, said Stephens. “For the most part, a payment card breach is not as concerning – though I’m not meaning to discount it.”

Credit card companies use analytics software that probes transactions to quickly spot unusual purchasing activity – a red flag for fraud. Even if that software misses a bogus purchase, the transaction will show up on the consumer’s monthly bill. It can be disputed and there is no obligation to pay.

On the other hand, new account fraud – or identity theft — can go undetected for months or even years, said Stephens, destroying a consumer’s credit rating and taking a long time to unravel.

Stephens added that debit cards are much more risky than credit cards. “When you use a credit card, you will find out on your statement” if there is fraud, he said. “With debit cards, the funds are almost immediately taken out of your bank account without your knowledge, and that is not undone easily.”