California’s first-ever data breach report came out last month, showing 2.5 million residents had personal information put at risk in 131 incidents in 2012. The report comes 10 years after California became the first state to require businesses and state agencies provide notification of data breaches that impact more than 500 people. In the years since, all but four states have followed suit. At a federal level, the government now requires notification of breaches in the health care sector. Proponents of the laws say notification gives people who may have been impacted early warning. Criminals used breached information to commit fraud. One in four breach-notice recipients becomes an identify theft victim, according to the recently released report. That’s four times the rate of the general public. The report — published after a requirement kicked in last year that requires those notifications to be sent the California Attorney General — shows the average reported incident in 2012 impacted 22,500 people. Five breaches affected 100,000 or more residents. Here’s a deeper look at what the report found:
- More than half of the breaches reported involved Social Security numbers. Payment card information was leaked in 40 percent of breaches, and health or medical information was compromised in 17 percent of breaches.
- About 28 percent of data breaches could have been prevented if the data in question had been encrypted. These incidents impacted 1.4 million Californians.
- The retail industry reported the most breaches, with 34. There were 30 data breaches in the finance and insurance industry.
- Fifty-five percent of breaches were the result of intrusions by unauthorized users. The remaining 45 percent were the result of security failures.
- Two of the five largest breaches were caused by hackers. Online game software company Valve Corporation reported a breach that affected 509,000 in February 2012. Electronic payment processor Global Payments, Inc. reported in July an intrusion that impacted 139,034 people.
- Physical failures accounted for another two of the five largest incidents. Personal information on 845,000 parents, children, and caregivers was comprised in March when the California Department of Social Services reported a lost computer storage device. Financial and medical information on 318,000 patients was released in May after Emory Healthcare, Inc. reported missing discs.
The reports makes it abundantly clear: sensitive information is leaked, and often. Keep reading for some tips on what to do if your information makes its way into the wrong hands.
- Read the breach notice to understand what kind of information was leaked. Follow any recommended steps outlined in the letter.
- A leaked password was likely encrypted (the breach notice should tell you), but to be safe, change it. Change your password on any other site you use the same login information.
- Look at little more closely at your bank statements and credit card bills. Keep an eye out for suspicious charges, and notify your bank if anything seems off.
- Set up an account with an identity theft protection site like LifeLock. The company responsible for the breach generally pays for this service. Thieves may not use the information they steal immediately, so it’s best to constantly monitor your credit report for changes.
- Obtain a free credit report. Check back periodically for any changes or inconsistencies.
Read the full report here.