The Washington State Attorney General’s Office (AGO) recently released its latest annual Data Breach Report showing that data breaches affecting Washington State residents skyrocketed to 280 breaches in 2021, a 500% increase over last year’s 60 breaches.
We often hear about scams and frauds that target individuals
through robocalls, email, and text messages. The goal of the scammers is to
steal your money and to get your personal information that they can use in fraud
schemes or sell on the dark web to other scammers.
Data breaches often have similar goals, but target
personal information held by organizations such as businesses, educational
organizations, health organizations, financial institutions, and governments.
The hackers target organization databases that hold client, customer, or patient
personal information to use in their own fraud schemes or to sell on the dark
web. Since this is information about you that is held by someone else, we all
have to rely on the organization to secure the privacy of our information.
The Attorney General’s Office defines a data breach as
“…the unauthorized acquisition of data that compromises the security,
confidentiality, or integrity of personal information maintained by a person,
business, or agency.” The Attorney General’s report defines personal
information as an individual’s first name or first initial and last name with a
Social Security number, driver’s license number or Washington ID card number, account
number or credit card or debit card number, student, military, or passport ID
numbers, health insurance policy or ID numbers, full date of birth, private
keys for an electronic signature, medical information, including medical
history, mental or physical condition, diagnoses, or treatments, biometric data,
username/email address with a password or security questions and answers.
The AGO looks at three sources of a data breach:
·
Cyberattack is where a hacker accesses
secure data on a computer system. Cyberattacks constituted 87.5% of all
reported data breaches in 2021 up from 63% in 2020. Of the methods of cyberattack,
ransomware amounted to more than half of the cyberattacks in 2021- 150 of the
total of 245 cyberattacks. Other methods of cyberattack include skimmers,
spyware, and phishing email.
·
Unauthorized access is where an
unauthorized person accesses secure data through an unsecured network or sift
through sensitive documents on a desk. This method amounted to 7.5% of all
cyberattacks.
·
Theft or mistake is where a clerical error
mistakenly sends sensitive data to the wrong recipient or a laptop with sensitive
data is stolen. Theft or mistake made up 5% of all cyberattacks.
Three entities bear responsibility for protecting personal
information, holding cyber criminals accountable for their crimes, or blocking cybercriminals
from successfully using personal information.
A business, government, financial organization, etc.
needs to take actions to protect the data. Protecting personal information can
be challenging as cybercriminals become more sophisticated in their attacks. But
not assembling an effective cybersecurity team to plug security holes in a
computer system and to keep up to date on the latest cybercriminal trends is
inexcusable.
Governments are the best organizations to hold
cybercriminals accountable for their crimes. But cybercrime is in the wild west
of law enforcement. The federal government is probably the best governmental
level to handle cybercrime cases since cybercriminals operate between state
boundaries and country boundaries. However, since many cybercriminals operated
beyond U.S. borders, the federal government needs the cooperation of other countries
to suppress cyber criminal activity. The federal government is making efforts
to protect personal data held in the U.S. as shown in this Associated Press
article- https://apnews.com/article/technology-russia-crime-arrests-hacking-f0adf6f0765b0f079a20a95cf85c5334, but there remain many challenges to holding cybercriminals
accountable.
As individuals there are actions that we can take to
protect ourselves.
Some general things include,
·
Using strong passwords and storing them in
a password manager/vault such as LastPass or 1Password. Also be sure NOT to use
the same password for multiple accounts.
·
Use multifactor authentication (also known
as 2 factor authentication) whenever you can. Here is a good explanation of
multifactor authentication- https://askleo.com/two-factor-authentication/.
·
Use security software to keep malware off
of your devices. Also, keep the software on your devices up to date with the
latest security updates.
·
Watch out for phishing emails or texts.
Phishing is a leading technique by cybercriminals to insert malware and steal
data in computer systems.
If you are notified that your personal information may
have been compromised in a data breach, you should be proactive. Some actions
to take that the AGO recommends include,
·
Check your credit report, which you can
obtain from one of the three credit bureaus (Experian, TransUnion, and Equifax).
·
Report the identity theft to the Federal
Trade Commission (FTC) at https://www.identitytheft.gov/#/.
This web site will take your report and will help you develop a plan to recover
from the theft.
·
File a report with your local police
department.
·
Send a copy of the police department to
each of the three credit bureaus.
·
Ask the business that sent you the data
breach notice to give you information about transactions made in your name. The
AGO has a template for a letter that you can use at this link- https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fagportal-s3bucket.s3.amazonaws.com%2Fuploadedfiles%2FHome%2FSafeguarding_Consumers%2FConsumer_Issues_A-Z%2FIdentity_Theft_(Privacy)%2FSample-Letter-for-ID-Theft-Victims-to-Request-Records.doc&wdOrigin=BROWSELINK
Depending what information was compromised in the data
breach you may need to take additional steps. The Identity Theft Resource
Center has recommendations at this link- https://helpcenter.idtheftcenter.org/s/article/What-to-do-If-You-Receive-a-Data-Breach-Notification
Washington State Attorney General’s Office:
https://agportal-s3bucket.s3.amazonaws.com/2021%20Data%20Breach%20Report.pdf
The Seattle Times:
KIRO TV:
No comments:
Post a Comment