Monday, November 8, 2021

WASHINGTON STATE – Attorney General Issues Data Breach Report

The Washington State Attorney General’s Office (AGO) recently released its latest annual Data Breach Report showing that data breaches affecting Washington State residents skyrocketed to 280 breaches in 2021, a 500% increase over last year’s 60 breaches.

We often hear about scams and frauds that target individuals through robocalls, email, and text messages. The goal of the scammers is to steal your money and to get your personal information that they can use in fraud schemes or sell on the dark web to other scammers.

Data breaches often have similar goals, but target personal information held by organizations such as businesses, educational organizations, health organizations, financial institutions, and governments. The hackers target organization databases that hold client, customer, or patient personal information to use in their own fraud schemes or to sell on the dark web. Since this is information about you that is held by someone else, we all have to rely on the organization to secure the privacy of our information.

The Attorney General’s Office defines a data breach as “…the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by a person, business, or agency.” The Attorney General’s report defines personal information as an individual’s first name or first initial and last name with a Social Security number, driver’s license number or Washington ID card number, account number or credit card or debit card number, student, military, or passport ID numbers, health insurance policy or ID numbers, full date of birth, private keys for an electronic signature, medical information, including medical history, mental or physical condition, diagnoses, or treatments, biometric data, username/email address with a password or security questions and answers.

The AGO looks at three sources of a data breach:

· Cyberattack is where a hacker accesses secure data on a computer system. Cyberattacks constituted 87.5% of all reported data breaches in 2021, up from 63% in 2020. Ransomware accounted for more than half of the cyberattacks in 2021: 150 of the 245 total. Other methods of cyberattack include skimmers, spyware, and phishing email.

· Unauthorized access is where an unauthorized person accesses secure data through an unsecured network or sifts through sensitive documents on a desk. This method amounted to 7.5% of all cyberattacks.

· Theft or mistake is where a clerical error mistakenly sends sensitive data to the wrong recipient or a laptop with sensitive data is stolen. Theft or mistake made up 5% of all cyberattacks.

Three entities bear responsibility for protecting personal information, holding cybercriminals accountable for their crimes, or blocking cybercriminals from successfully using personal information.

A business, government, financial organization, etc. needs to take actions to protect the data. Protecting personal information can be challenging as cybercriminals become more sophisticated in their attacks. But not assembling an effective cybersecurity team to plug security holes in a computer system and to keep up to date on the latest cybercriminal trends is inexcusable.

Governments are the best organizations to hold cybercriminals accountable for their crimes. But cybercrime is in the wild west of law enforcement. The federal government is probably the best governmental level to handle cybercrime cases, since cybercriminals operate across state and national boundaries. However, since many cybercriminals operate beyond U.S. borders, the federal government needs the cooperation of other countries to suppress cybercriminal activity. The federal government is making efforts to protect personal data held in the U.S., as shown in this Associated Press article: https://apnews.com/article/technology-russia-crime-arrests-hacking-f0adf6f0765b0f079a20a95cf85c5334, but there remain many challenges to holding cybercriminals accountable.

As individuals, there are actions that we can take to protect ourselves.

Some general steps include:

· Use strong passwords and store them in a password manager/vault such as LastPass or 1Password. Also be sure NOT to use the same password for multiple accounts.

· Use multifactor authentication (also known as two-factor authentication) whenever you can. Here is a good explanation of multifactor authentication: https://askleo.com/two-factor-authentication/.

· Use security software to keep malware off of your devices. Also, keep the software on your devices up to date with the latest security updates.

· Watch out for phishing emails or texts. Phishing is a leading technique cybercriminals use to insert malware into computer systems and steal data.

If you are notified that your personal information may have been compromised in a data breach, you should be proactive. Actions that the AGO recommends include:

· Check your credit report, which you can obtain from one of the three credit bureaus (Experian, TransUnion, and Equifax).

· Report the identity theft to the Federal Trade Commission (FTC) at https://www.identitytheft.gov/#/. This web site will take your report and will help you develop a plan to recover from the theft.

· File a report with your local police department.

· Send a copy of the police report to each of the three credit bureaus.

· Ask the business that sent you the data breach notice to give you information about transactions made in your name. The AGO has a template for a letter that you can use at this link: https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fagportal-s3bucket.s3.amazonaws.com%2Fuploadedfiles%2FHome%2FSafeguarding_Consumers%2FConsumer_Issues_A-Z%2FIdentity_Theft_(Privacy)%2FSample-Letter-for-ID-Theft-Victims-to-Request-Records.doc&wdOrigin=BROWSELINK

Depending on what information was compromised in the data breach, you may need to take additional steps. The Identity Theft Resource Center has recommendations at this link: https://helpcenter.idtheftcenter.org/s/article/What-to-do-If-You-Receive-a-Data-Breach-Notification


Washington State Attorney General’s Office:

https://www.atg.wa.gov/news/news-releases/ag-data-breach-report-2021-sets-new-record-number-data-breaches-and-ransomware

https://agportal-s3bucket.s3.amazonaws.com/2021%20Data%20Breach%20Report.pdf

 

The Seattle Times:

https://www.seattletimes.com/seattle-news/washington-sets-record-for-data-breaches-and-ransomware-attacks-says-ag-ferguson/

 

KIRO TV:

https://www.kiro7.com/news/jesse-jones/2021-data-breaches-just-keep-coming/LABPLG5GS5AOHJHJ4HDK6TWA5Q/

 

 
