Over a million Massachusetts residents had their personal information compromised last year, according to a new report issued today by the state’s Office of Consumer Affairs and Business Regulation (OCABR).
The largest data breach in 2013 was reported to OCABR by Target. The breach was the result of a malicious attack on the company’s payment origination systems that allowed hackers to steal 40 million debit and credit card numbers. OCABR said this breach emphasizes the importance of implementing a Written Information Security Program (WISP), conducting regular employee training and selecting third-party data security vendors carefully.
“Last year was an unprecedented year for high volume and high profile data breaches. I alone had my information breached four times,” said Massachusetts Undersecretary of Consumer Affairs and Business Regulation Barbara Anthony.
“However, with the exception of Target, the number of Massachusetts residents whose personal information was compromised by data breaches was down by almost 40 percent from 2012, which is encouraging,” Anthony said.
The annual report, which comprehensively details the data breaches of Massachusetts consumers’ personal information, shows that, excluding the Target data breach, the number of breach notifications increased from 2012 to 2013 while the actual number of residents impacted by the breaches dropped.
In 2013 alone, with Target included, more than 1.1 million Massachusetts residents were affected by a total of 1,821 data breaches. If Target is excluded, the number of impacted residents is 216,642.
In 2013, the overwhelming majority of data breach incidents (88 percent) involved electronic records, the report shows. The data obtained by OCABR also shows that breaches largely occur at payment processing centers and retail establishments.
The breach notifications received by OCABR in 2013 also suggest that the state’s education sector experienced a significant increase in data breaches.
Previously, the education sector drew little attention and was an unremarkable breach resource, OCABR said. Last year, however, it saw a 611 percent increase of personal information compromised, a jump from 5,208 to 31,870 residents affected. Of the 20 breaches reported, all 20 were electronic and the majority were malicious, meaning that the systems were hacked or malware was placed on them, documents or electronics were stolen, or there was intentional misuse by an individual.
“It isn’t a surprise that the education sector was a target given the types of sensitive information that they collect for financial aid and admissions,” Anthony said.
Under the state’s 2007 Data Breach Security Law, businesses must maintain a comprehensive WISP detailing the security measures they have in place to safeguard personally identifiable consumer and employee information such as name, credit or debit card number, Social Security number, financial account number, and driver’s license number. Those businesses which fall victim to a data security breach revealing consumers’ personal information are obligated to inform OCABR and the state Attorney General’s Office.
The Office of Consumer Affairs advises consumers to follow these tips for good online safety habits:
• Keep a clean machine: Use security software programs to scan the computer and external devices, such as USB drives. Make sure that the software is current and updated.
• Protect personal information: Make passwords strong by combining capital and lowercase letters with numbers and symbols to create a secure password. Use different passwords for different accounts, and do not share them with others. Set the browser’s privacy and security settings to limit information sharing.
• Connect with care: Do not click suspicious looking links in e-mails, tweets or posts, even if the recipient knows the source. Limit the online behavior on public Wi-Fi hotspots and adjust the settings on the personal computer or portable device to limit who can access the machine.
• Be web wise to identify scams: Be wary of any communication that asks the recipient to “act immediately” or requests personal information outside of a secure site. If it sounds too good to be true, it probably is.