California Data Breaches Hit More Than 20 Million Accounts
SACRAMENTO (AP) — California businesses and government agencies have experienced 300 separate data breaches exposing the personal information of more than 20 million customer accounts during the past two years, leading state Attorney General Kamala Harris on Thursday to elevate cybersecurity as a key focus of the state's top crime-fighting agency.
Harris said the California Department of Justice will begin playing a more active role in advising employers about cybersecurity, while her office will be taking the lead on a previously announced state-level investigation into some of the most significant nationwide data breaches.
The 170 breaches reported to the attorney general's office in 2013 represent a 30 percent increase over the 131 identified the year before, when state law required such reporting for the first time, according to figures provided to The Associated Press. Among entities reporting breaches in 2012 were American Express Travel Related Services Co., Kaiser Permanente and several state government agencies, including the departments of Public Health and Social Services.
A second report analyzing the 2013 data thefts is scheduled to be released this spring.
Electronic data breaches compromised the Social Security numbers, credit card and bank account information, and other sensitive data on 21.3 million customer accounts during the two-year period. The actual number of victims is unknown because many people could have had multiple accounts exposed.
"California is at the center of the digital revolution that is changing the world," Harris said in an introductory letter for a new cybersecurity business guide her department released Thursday. "Unfortunately, cybercrime, data breaches, theft of proprietary information, hacking and malware incidents are now routine."
Harris' office also disclosed that California is leading a multi-state investigation into the massive holiday season consumer data theft at discount retailer Target Corp. and luxury retailer Neiman Marcus. More than 7 million Californians were affected by the Target breach alone, Special Assistant Attorney General for Law and Technology Jeff Rabkin said.
The U.S. Justice Department is taking the lead in trying to identify the culprits, who are suspected to be based overseas, while the multistate investigation focuses on whether the retailers share blame because they lacked the necessary precautions to prevent the thefts. The state investigation also will explore whether Target and Neiman Marcus acted properly as soon as they learned of the problem, Rabkin said in a telephone interview.
The investigation by some states has previously been disclosed, but not California's leadership role. Rabkin declined to give details or say whether other retailers also are under scrutiny, citing the ongoing investigation.
Target Corp., the nation's second-largest retailer, was told of suspicious activity on Dec. 12 and publicly announced the breach a week later. It affected about 40 million credit and debit card accounts nationwide.
Molly Snyder, a company spokeswoman, said Target is cooperating with investigators.
"We are continuing to work with the attorney generals and other elected officials to keep them informed and updated as our investigation continues," she said in an emailed statement.
A Neiman Marcus senior vice president testified before a congressional committee earlier this month that the company learned of a problem on Dec. 13, its internal investigators made a report on Jan. 2, and customers were notified Jan. 10.
Its data breach affected 350,000 customers, company spokeswoman Ginger Reeder said in an email.
Reeder said the company would have no comment about California's role in the multi-state investigation.
The 34-page guide Harris released Thursday advises smaller businesses to encrypt data, use a secure browser connection, install firewalls, protect passwords and prepare an emergency response plan if a cyberattack is suspected, among other steps. It was developed at no cost to the state in cooperation with the California Chamber of Commerce and security experts at Lookout, a San Francisco-based mobile security firm.
Small- and medium-sized businesses are particularly vulnerable because they usually lack full-time cybersecurity personnel, Harris said. Half of hacking attempts statewide in 2012 targeted businesses with fewer than 2,500 employees, and nearly a third of all attacks were aimed at businesses with fewer than 250 employees.
Retail breaches were the biggest problem in 2013, according to early numbers provided to the AP. Data thefts at Target and LivingSocial Inc., alone each affected about 7.5 million California customer accounts.
Overall, thefts from retailers were responsible for nearly three-quarters of the breaches affecting the 21.3 million accounts over the two-year period.