California's Cybercrime Problem Is Getting Worse

The number of Californians who were victims of data breaches increased 550% in 2015

California has in place relatively robust regulation on data privacy, with a statute in place since 2012 that businesses must report to the Attorney General’s Office any breach involving more than 500 Californians. With this data, Kamala Harris’s office published the California Data Breach Report this week. The results are sobering but not surprising. The increasing frequency and complexity of cyber attacks drove an unprecedented spike in the theft of Californians’ sensitive data.

Malware and cyber attacks dominate

Between 2012 and 2015, 657 data breaches accounted for over 49 million compromised records of Californians’ personal information. Malware and hacking represented the lion’s share of leaked data at 90% of records. This category of breach is also increasing in prominence, rising from 45% to 58% of all breaches. Hackers executed attacks on a new scale last year. Mega breaches at Anthem, UCLA Health, and Experian drove a huge increase in the number of Californians affected, from 4.3 million in 2014 to over 24 million in 2015.

Breaches stemming from insiders were also responsible for a significant amount of the damage. Although broken out separately in the report, breaches from malicious trusted insiders (misuse breaches, 7% of the total) and unintentional disclosures (breaches caused by errors, 17% of the total), accounted for 24% of all incidents. Organizations are rightfully concerned with risk from insiders since they bypass most preventative security controls.

Sensitive personal information pays hackers’ bills

 Not only were more residents victims of data breaches, but the most sensitive types of information made up the majority of stolen data. Breaches leaked 24 million records containing social security numbers and 18 million containing medical or healthcare information. Hackers are no longer content with low hanging fruit like online account credentials, which may be more carefully guarded than highly sensitive personal information. A medical record can be sold online for ten times the price of credit card information, offering a financial incentive for hackers to target healthcare companies.

It’s no wonder, then, that financial services and healthcare companies were the second and third most breached industries, respectively – and the Target breach was largely responsible for retail’s number one spot. While we expect financial services and healthcare companies to have the most security and control over customer and patient data, they are under constant attack from criminal hackers in search of the biggest possible payday.