Cause for Alarm: New York’s 2017 Data Breach Report

A record number of data breaches in New York

The number of data breaches reported to the New York Attorney General reached an all-time high in 2017 – up 23% from the previous year. It’s obvious that even with heightened security and diligence, the value of personal data is making hackers double down to get what they can sell.

The 10-page report offers up breaches, stolen data, and damage by the numbers. Here’s a distillation of the biggest trends, as well as what your company can do to protect sensitive data from the main threats.

Report headline

Attorney General Eric T. Schneiderman lays it out clearly in his introductory letter. He notes that companies and other entities reported 1,583 breaches to his office in 2017. Those breaches exposed the personal records of 163 million individuals throughout the United States – including 9.2 million New Yorkers.

“New York State’s current data security law has proven inadequate to address the ever-growing threat of data breaches,” Schneiderman says in the letter. He goes on to note that current law “does not require most companies to maintain reasonable data security, except if the company collects social security numbers. Companies also are not required to report breaches of certain critical data types, including username-and-password combinations, and biometric data like the fingerprint you use to unlock an iPhone.”

In other words, these breaches may just be the tip of the iceberg. Schneiderman’s office has no real way of knowing the true numbers – nor the extent of the damage – caused by breaches; only the ones that are reported.

Based on what’s known

Keeping in mind that the law only requires companies that store social security numbers to report breaches, it’s no surprise that the 1,583 breaches exposed data mostly consisting of this identifying information. Social security numbers made up 40% of the records exposed, while financial account information such as credit card numbers accounted for 33%.

This self-reported information shows that hacking was the leading cause of the breaches. The AG’s office says this accounted for 44%, with 25% of the exposed personal information due to negligence on the part of the companies entrusted to keep this data confidential.

Is there anything good to take away from this? There might be.

Note that 25% of the data breaches were caused by human error. The AG says this is “Employee behavior that can be rectified with more training and vigilance.” The recommendation is that companies must “put in place policies and procedures to prevent negligence when protecting consumer data.”

Equal danger

The report also points out something important about the massive uptick in the number of individual records that were breached. Much of the total came from the breach at Equifax, which compromised the social security numbers of over 145 million people in the US, including 8,447,840 in New York.

Hackers accessed the Equifax computer system after it failed to patch a known vulnerability in its web application software.

The next largest breach was at GameStop. This company reported that 111,000 New Yorkers had their financial information exposed to hackers.

Otherwise, the majority of the reported breaches impacted fewer than 10 individuals per incident. While that might seem reassuring, the AG notes that compared to the previous year, there were 138 more breaches that affected between one and 10 personal records.

“No organization,” Schneiderman says, “is exempt from the risk of data breach.”

Proactive steps

What can your company do to protect sensitive data? The AG’s office makes the following recommendations:

  • Identify and minimize data collection practices: Data that doesn’t exist cannot be stolen or lost. Delete information you no longer need.
  • Implement encryption: Data that’s stolen but useless because it’s encrypted has no value.
  • Take immediate action: Know what you are required to do in the event of a breach.

Do you know what you’re required to do under New York’s DFS Cybersecurity regulations? Check out this handy infographic.

And if you need help implementing cybersecurity best practices, contact us today.