WASHINGTON — Once upon a time, bogeymen were limited to lurking in bushes and sheds. Now, they’ve got the Internet.
A new report from the state Attorney General’s Office reveals that increasingly, Washingtonians are haunted by very modern kinds of specters: malicious software programs, “skimmers” and other means of stealing personal information.
According to the second annual Data Breach Report, the number of breaches “rose sharply” between July 2016 and July 2017. During that one-year period, 78 data breaches were reported to the AGO. In all, they compromised the personal information of more than 2.7 million Washington residents. By contrast, during the previous year, there were just 39 data breaches, which affected about 450,000 people.
“This increase reflects an alarming trend,” Attorney General Bob Ferguson said in a press release. He called on Washington businesses and government organizations to do more to secure their data.
A focus on small biz
Even people who are vigilant about protecting their privacy can fall prey to data breaches, because they can’t control what happens to their information after it gets shared with businesses, websites and government organizations. This year’s study found that the number of small-scale breaches — those that affect just a few hundred people — appears to be on the rise. This shift suggests that scammers may have figured out that small and mid-sized entities have security weaknesses that can be exploited for profit.
Additionally, data thieves are using more varied and sophisticated means of stealing personal information. As a result, breaches occurred at all kinds of organizations last year, including universities, hotel and fitness companies and financial services companies. Two-thirds occurred at private businesses, with hospitality, entertainment and clothing businesses being the most common targets.
Small numbers, big consequences
Only about 3 percent of the breaches occurred at government organizations, but these had an outsized impact. While breaches at businesses accounted for just 7 percent of all compromised records, breaches at government organizations accounted for 52 percent.
Most of this was due to one incident, when the Texas-based vending company Active Outdoors revealed that a computer hacker who used the name “Mr. High” had stolen records from millions of people in Oregon, Washington and Idaho. Those states used Active Outdoors to sell hunting and fishing licenses online.
The breach affected more than 1.4 million people in Washington. Mr. High was able to obtain names, addresses, dates of birth, driver’s license numbers, physical description information, and in some cases, partial Social Security numbers.
About two-thirds of the breaches were the result of cyber-attacks — an increase over 2016, when only about half were caused by cyber-attacks.
Many of these are considered “malicious,” meaning that the perpetrators deliberately used viruses, malware, phishing or other similar means of gaining access to secure data. One of the biggest-ever breaches of this kind occurred in 2013, when attackers installed software on servers for Target stores that captured information from millions of customers.
Some recent breaches occurred as a result of theft of laptops or other devices, others as a result of clerical errors. In one case, a person who was pretending to be a business owner emailed a request for 2016 W-2 forms prepared by the company. Staff sent them out, then later discovered the request was fraudulent, according to the report.
Skimming for data
Data thieves love collecting financial information — especially payment card information — but it’s also common for them to target Social Security numbers, names, and medical information.
One of the most common tactics for stealing bank and credit card data involves skimmers. The illegal devices can be installed at cash machines and registers, where they collect information from customers as they make transactions. There are also software programs that gather information by tracking keyboard activity as a computer user types.
A big hit for business
Information theft can have dire consequences for the victims, who may find themselves paying for purchases they didn’t make, fighting to regain control of their identity and credit, or reading private details of their lives online.
However, the consequences can also be serious for the businesses and organizations where breaches occur. One national study found that the average cost to a business is about $225 per compromised record. While about $79 of that goes to direct costs like legal fees and security improvements, most of the cost goes to indirect costs, like lost business when unhappy customers take their money elsewhere.
Using those figures, the AGO estimates that compromised information cost Washington businesses $500 million or more during the last year.
In most cases, the breaches took at least 300 days to contain. Businesses that are able to address breaches quickly take less of a financial hit, the study found.
Room for improvement
Washington is one of just 15 states where consumers must be notified of virtually all types of data breaches, and one of just 11 states where consumers must be notified by a specific deadline. Organizations that have been breached must notify consumers and the Attorney General within 45 days.
Despite the state’s relatively progressive approach to dealing with stolen information, Ferguson says this year’s results are “a sobering reminder” that business and government need to do more to protect consumers from this growing threat.
He said the current 45-day notification deadline may not be adequate to protect consumers, and urged policy-makers to consider implementing a shorter reporting deadline.
The AGO website offers information and resources for victims of data theft and identity theft, as well as for businesses that are coping with a data breach.