Data breaches affect 2m in Mass.
Firms increasingly targets for hackers, Coakley warns
Personal information from nearly one out of three Massachusetts residents, from names and addresses to medical histories, has been compromised through data theft or loss since the beginning of 2010, according to statistics released yesterday by the office of Attorney General Martha Coakley.
A state law enacted in 2007 requires all companies doing business in Massachusetts to inform consumers and state regulators about security breaches that might result in identity theft. That could include leaks of individual names along with other sensitive information, such as Social Security numbers or bank account, credit card, and debit card numbers. The law was passed in 2007, after hackers stole 45 million credit card numbers from Framingham-based retailer TJX Cos.
Coakley said that her office is just beginning to analyze the reports to find out whether the law is helping to reduce data breaches. But she predicted the problem will get worse as more Americans store vital personal data on various computer networks. “There is going to be more room for employee error, for intentional hacking,’’ Coakley said. “This is going to be an increasing target.’’
The attorney general’s office has received 1,166 data breach notices since January 2010, including 480 between January and August of 2011. About 2.1 million residents were affected by the various incidents, though it’s unknown whether any of them were actually defrauded as a result of the data leaks.
Of the reported incidents, 25 percent involved deliberate hacking of computer systems containing sensitive data. Another 23 percent involved accidental sharing of information with unauthorized people, such as sending faxes or e-mails with personal information to the wrong recipient. In 15 percent of cases, retailers reported the theft of customer credit card numbers. Data was also lost through thefts or accidental losses of laptop computers and paper documents, or in cases in which workers deliberately gained unauthorized access to client files.
The biggest single data breach in the report occurred last July, when South Shore Hospital in South Weymouth said it lost 14 years’ worth of records on 800,000 patients, employees, volunteers, and vendors. The hospital blamed an outside data management company for losing a batch of records they had been ordered to destroy.
Other major breaches included an incident in May, when the state’s Executive Office of Labor and Workforce Development found a virus in its computer system that transmitted data to unidentified hackers. The agency said that files on 210,000 state residents were compromised. A similar virus attack in June affected the records of more than 2,000 patients at Beth Israel Deaconess Medical Center.
Among major data breaches this year was a case in April, when the e-mail marketing firm Epsilon Data Management LLC reported that data thieves had stolen the e-mail addresses of as many as 60 million people. In the same month, Japan’s Sony Corp. revealed that three of its online gaming networks had been raided by hackers, who had compromised the credit card numbers of 101 million people worldwide.
The incidents in Massachusetts have involved far fewer victims. In 82 percent of reported breaches in the state, fewer than 100 people were affected; in 30 percent of the cases, just one person’s information was at risk.
Beth Givens, director of the Privacy Rights Clearinghouse in San Diego, said that consumers would be even better served by being able to sue companies that lose their data. “Unfortunately, there have been very few successful lawsuits,’’ said Givens, because it’s hard to prove that someone whose information was lost or stolen has actually been harmed by the loss.
Givens said that laws like the one in Massachusetts are the next best thing. They force companies to publicly acknowledge the problem and take action to upgrade their security policies.
Coakley said companies must do more to protect the personal data in their files. “They need to be able to have up-to-date systems that both prevent a breach and identify breaches when they occur,’’ she said.
Hiawatha Bray can be reached at firstname.lastname@example.org.