WASHINGTON STATE
ATTORNEY GENERAL’S OFFICE
2017 DATA BREACH REPORT
Report Contents:
I. Letter from Attorney General Bob Ferguson
II. Executive Summary
III. Causes of Data Breaches
IV. Number of Washingtonians Affected
V. Impacts of Data Breaches
VI. Types of Personal Information Compromised
VII. Industries Reporting Breaches
VIII. Time to Identify and Contain Data Breaches
IX. Washington’s Data Breach Laws
X. How Does Washington Compare with Other States?
XI. Resources for Businesses and Individuals
October 2017

Dear Washingtonians,

Data breaches are a significant threat to both businesses and individual consumers. Recently the Equifax data breach exposed the personal data of 143 million Americans. This is a sobering reminder of the importance of data security.

This is the second edition of the Attorney General’s Office Annual Data Breach Report. In 2015, the Washington Legislature updated our data breach notification laws, ensuring my office receives notice whenever a data breach potentially exposes personal information. This allows my office to be a data breach watchdog.

Over the past year, 78 reported data breaches compromised the personal information of more than 2,700,000 Washington residents. This is a significant increase from 2016, when my office was notified of 39 breaches affecting the personal information of more than 450,000 Washingtonians. This increase reflects an alarming trend. Businesses and governments must take steps to secure the data they possess.

Data breaches occur in organizations of all types, including hotels and fitness companies, financial service companies and universities. Similarly, there is a wide variety in the way data breaches can occur. In one case, an individual pretending to be the business owner emailed a request for all 2016 W-2 forms prepared by the company. The records were provided before the company discovered the request came from a fraudulent account.

I am working with other state attorneys general to ensure that businesses take necessary steps to protect consumers’ personal information and to investigate and hold businesses accountable when their security measures fall short.

In November 2013, data held by the Target Corporation was breached when cyberattackers gained access to a customer service database, installed malware on the system and captured consumer data. The breach compromised the personal information of millions of consumers. Target entered into a binding agreement to resolve an investigation by Washington and 46 other state attorneys general. The agreement requires Target to develop, implement and maintain a comprehensive information security program and employ a person responsible for executing the plan. Target must also take additional measures to further strengthen the company’s data security.

This report presents a summary of the data breach notices the Attorney General’s Office received over the past year. You can find tips and resources for consumers and businesses at the end of the report. I hope you find this information helpful.

Sincerely,
Bob Ferguson
Washington State Attorney General
Executive Summary [1]

• Data breach notifications to the Attorney General’s Office increased sharply from 39 in 2016 to 78 in 2017. A list of the data breach notifications received by the Attorney General’s Office can be found at: http://www.atg.wa.gov/data-breach-notifications.
• Data breaches analyzed for this report affected over two and a half million records containing personally identifiable information, far more than the 450,000 records affected in 2016. [2]
• Many of the findings in the 2016 Report are also true in 2017:
  - The majority of data breaches reported to the Attorney General’s Office affected fewer than 10,000 Washington residents;
  - Payment card information was the most commonly compromised type of personal information, followed by name and address;
  - Malicious cyberattacks were the most common cause of data breaches affecting Washington consumers; and
  - A single data breach resulted in the exposure of more records than all other breaches combined. [3]
• Based on information compiled in this report, the Attorney General’s Office makes the following recommendations:
  - Businesses must work harder to identify and resolve data breaches more quickly.
  - Governments must do a better job of securing data, including strengthening their own data security and ensuring government contractors adequately secure personal consumer information.
  - Policy makers should consider whether a 45-day deadline for notice sufficiently protects consumers, and whether a shorter deadline for notice to the Attorney General’s Office is appropriate.
Causes of Data Breaches
• Nearly two-thirds of Washington data breaches in 2017 were a result of cyberattacks. This is an increase over 2016, when nearly half of data breaches were caused by cyberattack.
• There are three broad categories of causes of data breaches:
  - Malicious cyberattack: When a third party deliberately attempts to gain, or succeeds in gaining, access to secure data stored on a server. The attack can use a virus, malware, phishing email, or similar means of accessing secure data.
  - Theft or mistake: This category includes the loss or theft of information, such as the theft of a laptop containing patient medical records or a clerical error that sent W-2 information to an unintended recipient.
  - Unauthorized access: When an unauthorized person accesses secure data through means such as an unsecured network.
Cause of Data Breach       Number of 2017 breaches   Percentage of 2017 breaches   Number of 2016 breaches   Percentage of 2016 breaches
Malicious cyberattack      50                        64.10%                        19                        48.72%
Theft or mistake           21                        26.92%                        16                        41.03%
Unauthorized access        7                         8.97%                         4                         10.26%
Total                      78                        100%                          39                        100%

(The third row is labelled “Unintentional breach” in the original table; it corresponds to the “Unauthorized access” category defined above. The 2016 percentage for that row is 4/39, which rounds to 10.26%, not the 10.25% printed in the original.)
[Figure: Cause of Breach, 2017 (pie chart; categories: Malicious cyberattack, Theft or mistake, Unintentional breach).]
Number of Washingtonians Affected
• In 2017 there were 78 data breaches, affecting 2.7 million Washingtonians.
• The majority of data breaches compromised the personal information of 500-999 residents.
• The number of data breaches affecting 500-999 people is significantly higher than during 2016.
• ACTIVE Outdoors was an outlier; it had a breach of information of nearly 1.5 million individuals. More than half of the total number of Washingtonians affected by data breaches were affected by this breach, which was caused by unauthorized access of an unsecured server.
• There was an increase in data breach notifications for every range of number of affected Washington residents. Breaches affecting 500-999 residents had the largest increase compared to 2016.
[Figure: Number of Washingtonians Affected (bar chart, 2017 vs. 2016). X axis: Number of Consumers Affected (500-999; 1,000-9,999; 10,000-49,999; 50,000+). Y axis: Number of Breaches, 0-30.]
Impact of Data Breaches
Businesses of all sizes are impacted by data breaches. Under Washington law, businesses have a responsibility to take reasonable steps to protect individuals’ personal information. The variety of ways that data breaches can occur, including inadvertent disclosure, theft of hard copy information, and malicious cyberattacks, puts all businesses at risk.

Over the past year, the Attorney General’s Office received notifications of data breaches from a wide variety of businesses, including small retail businesses, arborist services and supplies, financial institutions, health insurers, health care providers, construction companies, hotel chains, individual hotels, and small tax preparers.

According to a national study by the Ponemon Institute, the average cost of a data breach to a business is $225 per compromised record. [5] Using this figure, data breaches compromising the personal information of Washington consumers likely cost businesses more than $500 million during the past year. The study found that, of the $225 per compromised record, $146 relates to indirect costs, such as turnover of customers resulting from the breach, and $79 directly relates to the breach, including legal fees, credit monitoring services for consumers, and security improvements.

Similar to the notices received by the Attorney General’s Office, the study also found that malicious attacks are the primary cause of data breaches, and the most expensive type of data breach for businesses. The companies included in the Ponemon Institute’s study are all larger companies with access to sophisticated security.

The study also found that the more quickly a breach can be identified and contained, the lower the cost to the business.
Types of Personal Information Compromised
In both 2016 and 2017, financial information was the most commonly compromised type of personal information. Payment card information was typically acquired either through malware on online payment systems or through the use of skimmers in brick and mortar stores. Skimmers are devices, typically attached to or hidden inside card readers, that capture payment card data as the card is used. Financial data were compromised in 56 of the 78 data breaches this year, totaling 208,216 individual financial records.
[Figure: Number of Breaches by Type of Information Compromised, 2017 vs. 2016 (bar chart; categories include Name, Social Security Number, Driver’s license/ID card; X axis: number of breaches, 0-80).]
The law requires notification to the Attorney General’s Office when the compromised data includes an individual’s name in combination with any of the following:
• Social Security number;
• Driver’s license or identification card number; or
• Banking or financial information, including payment card information.
The law also requires notification to the Attorney General’s Office when personal health information covered by HIPAA is compromised.
Industries Reporting Breaches
Over two-thirds of the 2017 data breaches in Washington affected businesses. Malicious cyberattacks, especially malware installation on payment systems, were the cause of the majority of the data breaches affecting businesses. Hospitality, entertainment and clothing businesses had the largest number of breaches within the business category.
[Figure: Number of Breaches by Industry, 2017 (bar chart; categories: Healthcare, Government, Financial Services, Business; X axis: Number of Breaches, 0-60).]

[Figure: A Closer Look at Businesses Reporting Breaches, 2017 (bar chart; categories: Entertainment, Cosmetic, Consumable, Clothing, Accessories, Real Estate, Software, Nonprofit, Hospitality, Human Resources, Manufacturing, Fitness, Home, Biotech; Y axis: Number of Breaches, 0-12).]

This year, the report uses industry categories based on the Identity Theft Resource Center’s breach category classifications:
• business,
• education,
• financial services,
• government, and
• healthcare.
The business category includes retail, nonprofit, real estate, human resources, hospitality, manufacturing, and software companies.
Business breaches accounted for 71% of 2017 data breaches, while government breaches accounted for 3%. However, business breaches accounted for only 7% of the number of records breached, and government breaches accounted for 52% of all records compromised in 2017 data breaches.

In 2017, data breaches of government records resulted in the greatest number of records compromised. The vast majority of these compromised records were the result of the ACTIVE Outdoors breach, which compromised the personal information of at least 1,449,645 Washingtonians. ACTIVE Outdoors hosted the online application system used to apply for or purchase state hunting and fishing licenses. Although ACTIVE Outdoors is not a government agency, this was categorized as a government breach because of the nature of the information that was exposed. Most consumers who purchased licenses through this system were not aware the system was operated by a third party. The information compromised included name, address, date of birth, and driver’s license number, as well as physical description information, and in some cases, the partial Social Security numbers of Washington residents.

Recommendation: Governments must do a better job of securing data, including strengthening their own data security and ensuring government contractors adequately secure personal consumer information.
[Figure: Average Records Per Breach in 2017 (bar chart; categories: Healthcare, Government, Financial Services, Business; Y axis: records per breach, 0-800,000).]
[Figure: Share of Data Breaches by Industry, 2017 and Share of Records Compromised by Industry, 2017 (two pie charts; legend: Health Care, Government, Financial Services, Education, Business).]
Time to Identify and Contain Data Breaches
The majority of 2017 data breaches took between 300 and 399 days to resolve, meaning the cause of the breach was identified and the information was secured. There were 12 breaches in 2017 where the number of days to identify and contain the breach was unspecified. These breaches had the highest number of records per breach, at an average of 212,989 records per breach. A comparison to 2016 is not available because this metric was not analyzed in the 2016 report.

As noted earlier, the national study by the Ponemon Institute found that the more quickly a breach can be identified and contained, the lower the cost to the business. Of the 63 companies in the study that experienced data breaches, it took businesses an average of 191 days to identify and 66 days to contain the breach. [6]

Recommendation: Businesses must work harder to quickly identify and resolve data breaches.
[Figure: Time to Identify and Contain Data Breaches in 2017 (bar chart; X axis: Number of Days to Identify and Contain Data Breaches: 0, 1-99, 100-199, 200-299, 300-399, 400-499, 500+, Unknown; Y axis: Number of Breaches, 0-20).]
Washington’s Data Breach Laws
A data security breach, or data breach, is the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by a person, business, or agency. Data breaches are costly for the economy and can lead to individuals becoming victims of identity theft.

Notification

Businesses and public agencies are required to notify affected individuals when a data breach occurs, and to notify the Attorney General’s Office when a data breach affects 500 or more Washington residents.

Under the revised law, notification is required when a business or public agency experiences a breach of personal information if:
• The breach is reasonably likely to subject an individual to a risk of harm;
• The information accessed during a breach was not secured; or
• The confidential process, encryption key, or other means to decipher the secured information was acquired.

The notification laws, RCW 19.255.010 and RCW 42.56.590, cover “personal information.” Personal information is defined as someone’s first name or first initial and last name in combination with any of the following:
• Social Security number;
• Driver’s license number or Washington identification card number; or
• Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s account.

Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must also provide notification to the Attorney General’s Office when a breach occurs involving health information covered by HIPAA. These entities are deemed to comply with the timeliness of the notification requirement as long as they comply with the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act (RCW 19.255.010(10)).

Theft of Financial Information

Under Washington’s criminal law, improperly obtaining financial information is a Class C felony (RCW 9.35.010). It is illegal to obtain or seek to obtain financial information that a person is not authorized to have. The law also establishes the crime of identity theft, which is focused on financial information, as a Class B or C felony depending on the damage caused. This law is enforced by county prosecuting attorneys.
How Does Washington Compare with Other States?
Currently, 48 states have laws requiring that consumers receive notification when a data breach occurs. [7]

When is notification required?
• In 32 states, notification is not required if the information compromised was encrypted, redacted, or otherwise unreadable.
• In 15 states, including Washington, notification is required, even if the information compromised was encrypted, redacted, or unreadable, if the encryption key was obtained in the breach.
• Tennessee’s statute does not exempt breaches of encrypted information. [8]

Is notification to the Attorney General required?
• In 25 states, including Washington, notification of a breach must be provided to the Attorney General. Maryland requires that the Attorney General be notified before notification is provided to consumers.

What is the deadline for notification after discovery of a data breach?
• In 11 states, including Washington, notification must be provided to consumers by a specific deadline. The most common deadline is 45 days, which is the requirement under Washington law. Florida requires notification to consumers and the Attorney General within 30 days.
• Most states, including Washington and other states that set a specific deadline, require that notification “be given in the most expedient time and manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”

Recommendation: Policy makers should consider whether a 45-day deadline for notice sufficiently protects consumers, and whether a shorter deadline for notice to the Attorney General’s Office is appropriate.
Resources For Individuals Affected by a Data Breach or Identity Theft
While there are steps you can take to protect yourself from identity theft, there is no foolproof way to ensure that your information will not be compromised. If you receive a data breach notification or believe that you may be a victim of identity theft, please visit the Washington Attorney General’s website at http://www.atg.wa.gov/GUARDIT.ASPX for help.

IdentityTheft.gov, provided by the U.S. Federal Trade Commission (FTC), is also a valuable resource for victims of identity theft.

If you suspect you are the victim of identity theft:
1. Call the companies where you know fraud occurred;
2. Work with one of the credit bureaus (Experian, TransUnion, and Equifax) to place a fraud alert or credit freeze on your credit report and receive a copy of your credit reports;
3. Report the identity theft to the FTC; and
4. File a report with your local police department.
Resources for Businesses to Protect Themselves
All industries and businesses are potentially susceptible to data breach. However, there are steps businesses can take to prevent a breach from happening. The Washington Attorney General’s Office provides resources for businesses to protect against data breaches and to help explain the laws regarding data breaches and notifications. These resources are available at: http://www.atg.wa.gov/identity-theft-and-privacy-guide-businesses.

These basic steps can assist businesses in evaluating how well they are protecting personal information:
1. Understand your business needs and how they relate to data security. This includes knowing what information you collect about consumers or clients, and knowing what information you retain and how it is retained;
2. Minimize the amount of information that you collect and retain. Delete any information that is no longer needed; and
3. Create and implement an information security plan.
Attorney General’s Office Consumer Resource Center
800 5th Ave, Suite 2000
Seattle, WA 98104-3188
1-800-551-4636 (in state)
1-206-464-6684 (out of state)
1-800-833-6388 (relay service for the hearing impaired)
www.atg.wa.gov/consumer-protection
Photo Credits
Cover - Photo by Jannoon028 - Freepik.com
Notes

[1] The data represented in this report reflects the data breaches reported between July 24, 2016 and July 23, 2017. The data for this report were collected from the data breach notifications required by RCW 19.255.010 and RCW 42.56.590, available at: http://www.atg.wa.gov/data-breach-notifications. This report includes only notifications received that were required under Washington’s notification law. Some businesses provided notification of breaches affecting fewer than 500 Washingtonians; these were not included. Other notices were omitted because they did not include “personal information” as defined in the law. Additionally, fourteen data breach notifications to the Attorney General’s Office did not specify the number of Washingtonians affected, meaning a greater number of records were likely breached or susceptible to breach than reported here.
[2] There is a possibility that certain Washington residents were impacted by more than one breach. This number is the sum of records compromised by individual data breaches according to notifications submitted to the Attorney General’s Office.
[3] The largest data breach involved unauthorized access to ACTIVE Outdoors’ system used to store data for hunting/fishing licenses. The company reported that the information of nearly 1.5 million Washingtonians may have been accessed.
[4] Data comparisons are made between data breach notifications from July 24, 2016 to July 23, 2017 (referred to as 2017 data breaches) and data breach notifications between the implementation of the data breach notification law and July 23, 2016 (referred to as 2016 data breaches).
[5] “2017 Cost of Data Breach Study,” Ponemon Institute, June 2017.
[6] “2017 Cost of Data Breach Study,” Ponemon Institute, June 2017.
[7] “Security Breach Notification Laws,” National Conference of State Legislatures, April 12, 2017. http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[8] Tennessee Code §§ 47-18-2107; 8-4-119.
Washington State Office of the Attorney General
1125 Washington St. SE
PO Box 40100
Olympia, WA 98504
(360) 753-6200
www.atg.wa.gov