Data breaches jump in California and are expected to keep climbing

Two massive hacks last year at Target Corp. and daily deals website LivingSocial each hit roughly 7.5 million Californians. Above, a Target credit card scanner in Miami.
(Joe Raedle / Getty Images)

Data breaches soared last year in California as cybercriminals leaped over digital security gates to endanger the personal data of millions of consumers, California Atty. Gen. Kamala Harris said.

Harris, in a report released Tuesday, highlighted the effect that headline-producing data breaches had on the Golden State: two massive hacks last year at Target Corp. and daily deals website LivingSocial each hit roughly 7.5 million Californians.

In all, 18.5 million people in the state had their data stolen last year, a more than 600% jump from 2012. The number of breaches reported to Harris’ office climbed 28% to 167, and is expected to rise again in 2014.


“Data breaches … threaten the privacy, the security and the economic well-being of consumers and businesses,” Harris said at a news conference in Los Angeles.

California residents aren’t any more prone to data hijacking than others, but an unusual state law requires businesses and state agencies to notify customers of any breach involving more than 500 accounts. That law resulted in the California Data Breach Report, which underscored the difficulties faced by companies who are constantly racing against wily thieves to secure sensitive information.

The parade of companies that has been targeted recently by hackers includes Home Depot, Michaels, Neiman Marcus and P.F. Chang’s.

Security experts predict that the number of breaches, especially on a big scale, will keep growing.

“The data breaches are going to continue and will probably get worse with the short term,” said Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency.

Penrose, now executive vice president at the cybersecurity start-up Darktrace, said hackers have to steal a large amount of payment card data to make their efforts worthwhile. Often, only about 3% to 7% of cards can be used before the breach is discovered and the cards are canceled, he said.


Another vulnerable sector is the healthcare industry. Stealing medical records can be more “insidious” than stealing other data because they can be used for identity theft and fraud over a longer stretch of time, Penrose said.

The attorney general laid out steps in the report that companies and consumers can take to reduce their vulnerability.

Harris said businesses need to adopt stronger encryption technologies that safeguard sensitive consumer data. And retailers must make their breach notifications to consumers more visible and should upgrade their systems to handle payment cards equipped with microchips, which make cards more difficult to counterfeit, Harris said.

Although some retailers such as Target and Home Depot have said they plan to adopt the EMV system — named for its developers Europay, MasterCard and Visa — the U.S. has fallen behind Europe and other parts of the world in embracing this chip technology.

Major credit card processors have set a deadline of October 2015 for U.S. retailers to upgrade their payment systems or risk liability over fraudulent activity. However, the enormous costs associated with making the switch have some experts forecasting that fewer than half of merchants will make the deadline.

For years, U.S. companies followed the standards set by the Payment Card Industry Security Standards Council, which was created by credit card companies in 2006 to tighten protections against data thieves.

But security experts said complying with PCI standards will not protect companies against hackers.

“Merchants are confusing compliance with security,” said Matt Little, vice president of product development at data security firm PKWare. “If a good security team is trying to build a 100-foot fence, compliance for us is a 3-foot fence.”

Harris also emphasized actions that lawmakers and consumers can take to curtail an explosion in data theft.

The attorney general urged legislators to provide grants to small and medium-size businesses so they can better safeguard customer data. The report also asked California lawmakers to improve the way consumers are notified once a breach occurs.

Harris asked Californians to carefully monitor their accounts for suspicious activity following a breach and promptly change any passwords and user names involved.

Norma Garcia, manager of the financial services program at Consumers Union, said hacking victims should keep an eye on their accounts long after the theft occurs.

“The fraudsters aren’t going to hit necessarily right after the breach,” she said at the Tuesday news conference. “They are going to wait. When you are no longer looking — that is when they are going to hit.”

Twitter: @ByShanLi, @khouriandrew