The number of data breaches reported by organizations required to file notices on the California State Attorney General’s website dropped significantly between the second half of 2017 and the first half of 2018. In the second half of 2017, organizations added 149 notification letters to the site. In the first half of 2018, organizations added 62. This change represents a 58 percent decrease between the periods.
There is no way to say definitively why there were more breaches reported in the second half of 2017. However, details reveal that 26 of the notifications added in 2017 were the result of the Sabre Hospitality Solutions Central Reservation System (CRS) hack. A well-known and highly-documented breach compromising payment card and reservation systems that serve as many as 39,000 hotel properties.
The total number of records breached in all of the reported cases is unknown. California law mandates that organizations required to issue breach notifications to more than 500 state residents must file a copy of the notice on the AG’s site. Notices do not specify the total number of records involved. The most recent statistics Dtex observed there, were issued in 2016. These show that between 2012 and 2015, there were 657 breaches reported and 49.4 million records compromised.
There is no way to estimate the total cost incurred by all of the organizations that reported breaches in California. Expenses will vary based on the number of records impacted and the total number for each reported breach is not available. It is worth noting that this year’s IBM Cost of a Data Breach Report found that the average breach expense across multiple countries is $3.86 million. In the United States it is almost twice that amount at $7.91 million. Average breach costs rose by just over 6 percent, according to the report.
What Breach Notifications Tell Us
To report a breach in California, organizations submit their notification letters and fill out a data sheet on the AG’s site. The data sheet is standardized. The notification letters reviewed varied in style and information provided. Most if the notices reviewed defined what happened, how breaches were discovered, mitigation steps taken, systems impacted, contributing factors, and data-types either stolen or accessed. Most of the organizations that reported breaches during the period stated that they engaged some type of computer forensics firm to investigate the cause. Almost all notices included instructions on how effected individuals could attempt to remain protected in the face of the incidents. Some notices included offers for credit monitoring and protection services at no charge.
Because there is no single or uniform way in which organizations presented information in their notification letters, we developed categories based on information provided. After reviewing all notices made available on the site between the second half of 2017 and the first half of 2018, we concluded the following:
Systems Impacted: There were more than 195 types of systems impacted in reported breaches.
The top 4 are:
- Email Accounts: 34
- Sabre Central Reservation System (CRS): 26
- Websites, webpages, eCommerce sites and stores: 18
- Networks, servers, IT systems, computer systems: 44
- eCommerce Accounts and Systems: 14
Causes: There were 123 reported causes that led to breaches.
The top 4 are:
- Unauthorized access: 93
- Human Error: 12
- Physical Theft: 10
- Unknown access: 4
Contributing Factors: There were 80 contributing factors reported. The top 4 are:
- Malware/ransomware: 40
- Compromised Credentials: 23
- Phishing: 19
- File Sent to Wrong Destinations: 8
Culprit Classification: There were 13 different types of culprits identified in the notices.
The top 4 are:
- Party(ies)/Third Party(ies): 57
- Individual(s)/Person(s)/Actor(s): 34
- Thief/Thieves: 11
- Employees: 8
We think it is worth noting that organizations that reported breaches identified culprits as “hackers” only 7 times and “Cybercriminals” only 2 times. Two notifications identified “foreign IP addresses” as the source of attacks and one named “Iran.” A “security researcher” who was unauthorized to run penetration tests was identified as the offender in five notifications.
The many different reasons why data breaches continue to occur show that multiple security layers are needed to ensure effective security and compliance. They also show that organizations as a whole are still struggling to solve problems created by malware, compromised credentials, phishing and human errors. This may be due to an over-reliance on legacy technologies and yesterday’s strategies, which are not capable of keeping pace with these and other challenges.
How Dtex Assists
Dtex assists organizations in the detection of insider threats caused by negligent employees who can be prone to error and easily fall victim to social engineering attacks launched through phishing campaigns. To learn more about how Dtex can help your organization avoid defend against phishing, read: Dtex Analyst Files: Catching Phish With User Behavior Intelligence. To learn more about how Dtex helps customers reduce insider threat risks, read: How Dtex Fights Insider Threats.
Disclaimer: This Dtex provided research was not conducted in conjunction with the California State Attorney General or any other government agency. Data and results are based on publicly accessible information on the CAAG data breach reporting site: https://oag.ca.gov/privacy/databreach/list