WASHINGTON STATE

ATTORNEY GENERAL’S OFFICE

2017 DATA BREACH REPORT

Report Contents:

I. LetterfromAttorneyGeneralBobFerguson...........................................................................................1

II. ExecutiveSummary.................................................................................................................................2

III. CausesofDataBreaches.........................................................................................................................3

IV. NumberofWashingtoniansAffected.......................................................................................................4

V. ImpactsofDataBreaches.......................................................................................................................5

VI. TypesofPersonalInformationCompromised........................................................................................6

VII. IndustriesReportingBreaches...............................................................................................................7

VIII. TimetoIdentifyandContainDataBreaches.........................................................................................10

IX. Washington’sDataBreachLaws.............................................................................................................11

X. HowDoesWashingtonComparewithOtherStates?............................................................................12

XI. ResourcesforBusinessesandIndividuals..............................................................................................13

October2017 DearWashingtonians,

Databreachesareasignificantthreattobothbusinessesandindividualconsumers.RecentlytheEquifaxdatabreachexposedthepersonaldataof143millionAmericans.Thisisasoberingreminderoftheimportanceofdatasecurity.

ThisisthesecondeditionoftheAttorneyGeneral’sOfficeAnnualDataBreachReport.In2015,theWashingtonLegislatureupdatedourdatabreachnotificationlawsensuringmyofficereceivesnoticewheneveradatabreachpotentiallyexposespersonalinformation.Thisallowsmyofficetobeadatabreachwatchdog.

Overthepastyear,78reporteddatabreachescompromisedthepersonalinformationofmorethan2,700,000Washingtonresidents.Thisisasignificantincreasefrom2016,whenmyofficewasnotifiedof39breachesaffectingthepersonalinformationofmorethan450,000Washingtonians.Thisincreasereflectsanalarmingtrend.Businessesandgovernmentsmusttakestepstosecurethedatatheypossess. Databreachesoccurinorganizationsofalltypes,includinghotelsandfitnesscompanies,financialservicecompaniesanduniversities.Similarly,thereisawidevarietyinthewaydatabreachescanoccur.Inonecase,anindividualpretendingtobethebusinessowneremailedarequestforall2016W-2formspreparedbythecompany.Therecordswereprovidedbeforethecompanydiscoveredtherequestcamefromafraudulentaccount.

Iamworkingwithotherstateattorneysgeneraltoensurethatbusinessestakenecessarystepstoprotectconsumers’personalinformationandtoinvestigateandholdbusinessesaccountablewhentheirsecuritymeasuresfallshort.

InNovember2013,dataheldbytheTargetCorporationwasbreachedwhencyberattackersgainedaccesstoacustomerservicedatabase,installedmalwareonthesystemandcapturedconsumerdata.Thebreachcompromisedthepersonalinformationofmillionsofconsumers.TargetenteredintoabindingagreementtoresolveaninvestigationbyWashingtonand46otherstateattorneysgeneral.TheagreementrequiresTargettodevelop,implementandmaintainacomprehensiveinformationsecurityprogramandemployapersonresponsibleforexecutingtheplan.Targetmustalsotakeadditionalmeasurestofurtherstrengthenthecompany’sdatasecurity.

ThisreportpresentsasummaryofthedatabreachnoticestheAttorneyGeneral’sOfficereceivedoverthepastyear.Youcanfindtipsandresourcesforconsumersandbusinessesattheendofthereport.Ihopeyoufindthisinformationhelpful.

Sincerely,BobFergusonWashingtonStateAttorneyGeneral

1

2

Executive Summary1

• DatabreachnotificationstotheAttorneyGeneral’sOfficeincreasedsharplyfrom39in2016to78in2017.AlistofthedatabreachnotificationsreceivedbytheAttorneyGeneral’sOfficecanbefoundat:http://www.atg.wa.gov/data-breach-notifications.

• Databreachesanalyzedforthisreportaffectedovertwoandahalfmillionrecordscontainingpersonallyidentifiableinformation,farmorethanthe450,000recordsaffectedin2016.2

• Manyofthefindingsinthe2016Reportarealsotruein2017: - ThemajorityofdatabreachesreportedtotheAttorneyGeneral’sOfficeaffectedfewerthan

10,000Washingtonresidents; - Paymentcardinformationwasthemostcommonlycompromisedtypeofpersonalinformation,

followedbynameandaddress; - MaliciouscyberattackswerethemostcommoncauseofdatabreachesaffectingWashington

consumers;and - Asingledatabreachresultedintheexposureofmorerecordsthanallotherbreachescombined.3

• Basedoninformationcompiledinthisreport,theAttorneyGeneral’sOfficemakesthefollowingrecommendations: -Businessesmustworkhardertoidentifyandresolvedatabreachesmorequickly. -Governmentsmustdoabetterjobofsecuringdata,includingstrengtheningtheirowndata securityandensuringgovernmentcontractorsadequatelysecurepersonalconsumerinformation. -Policymakersshould should consider whether a 45-day deadline for notice sufficiently

protects consumers, and whether a shorter deadline for notice to the Attorney General’s Office is appropriate.

3

Causes of Data Breaches

• Nearlytwo-thirdsofWashingtondatabreachesin2017werearesultofcyberattacks.Thisisanincreaseover2016,whennearlyhalfofdatabreacheswerecausedbycyberattack.

• Therearethreebroadcategoriesofcausesofdatabreaches: - Malicious cyberattack:Whenathirdpartydeliberatelyattemptstogainorsucceedsingainingaccess

tosecuredatastoredonaserver.Theattackcanuseavirus,malware,phishingemail,orsimilarmeansofaccessingsecuredata.

- Theft or mistake:Thiscategoryincludesthelossortheftofinformation,suchasthetheftofalaptopcontainingpatientmedicalrecordsoraclericalerrorthatsentW-2informationtoanunintendedrecipient.

- Unauthorized access:Whenanunauthorizedpersonaccessessecuredatathroughmeanssuchasanunsecurednetwork.

Cause of Data Breach Number of 2017 breaches

Percentage of 2017 breaches

Number of 2016 breaches

Percentage of 2016 breaches

Maliciouscyberattack 50 64.10% 19 48.72%Theftormistake 21 26.92% 16 41.03%

Unintentionalbreach 7 8.97% 4 10.25%

Cause of Breach 2017 Theft or mistake

Malicious cyberattack

Unintentional breach

4

Number of Washingtonians Affected

• In2017therewere78databreaches,affecting2.7millionWashingtonians.• Themajorityofdatabreachescompromisedthepersonalinformationof500-999residents.• Thenumberofdatabreachesaffecting500-999peopleissignificantlyhigherthanduring2016.• ACTIVEOutdoorswasanoutlier;ithadabreachofinformationofnearly1.5millionindividuals.Morethan

halfofthetotalnumberofWashingtoniansaffectedbydatabreacheswereaffectedbythisbreach,whichwascausedbyunauthorizedaccessofanunsecuredserver.

• TherewasanincreaseindatabreachnotificationsforeveryrangeofnumberofaffectedWashingtonresidents.Breachesaffecting500-999residentshadthelargestincreasecomparedto2016.

0

5

10

15

20

25

30

50,000+10,000-49,9991,000-9,999500-999

2017

2016

Number of Washingtonians Affected

Number of Consumers Affected

Num

ber o

f Bre

ache

s

30

7

28

19

4 4

12

2 2

9

5

Impact of Data Breaches

Businessesofallsizesareimpactedbydatabreaches.UnderWashingtonlaw,businesseshavearesponsibilitytotakereasonablestepstoprotectindividuals’personalinformation.Thevarietyofwaysthatdatabreachescanoccur,includinginadvertentdisclosure,theftofhardcopyinformation,andmaliciouscyberattacks,putallbusinessesatrisk.

Overthepastyear,theAttorneyGeneral’sOfficereceivednotificationsofdatabreachesfromawidevarietyofbusinesses,includingsmallretailbusinesses,arboristservicesandsupplies,financialinstitutions,healthinsurers,healthcareproviders,constructioncompanies,hotelchains,individualhotels,andsmalltaxpreparers.

AccordingtoanationalstudybythePonemonInstitute,theaveragecostofadatabreachtoabusinessis$225percompromisedrecord.5Usingthisfigure,databreachescompromisingthepersonalinformationofWashingtonconsumerslikelycostbusinessesmorethan$500millionduringthepastyear.Thestudyfoundthat,ofthe$225percompromisedrecord,$146relatestoindirectcosts,suchasturnoverofcustomersresultingfromthebreach,and$79directlyrelatestothebreach,includinglegalfees,creditmonitoringservicesforconsumers,andsecurityimprovements.

SimilartothenoticesreceivedbytheAttorneyGeneral’sOffice,thestudyalsofoundthatmaliciousattacksaretheprimarycauseofdatabreaches,andthemostexpensivetypeofdatabreachesforbusinesses.ThecompaniesincludedinthePonemonInstitute’sstudyarealllargercompanieswithaccesstosophisticatedsecurity.

Thestudyalsofoundthatthemorequicklyabreachcanbeidentifiedandcontained,thelowerthecosttothebusiness.

6

Types of Personal Information Compromised

Inboth2016and2017,financialinformationwasthemostcommonlycompromisedtypeofpersonalinformation.Paymentcardinformationwastypicallyacquiredeitherthroughmalwareononlinepaymentsystemsorthroughtheuseofskimmersinbrickandmortarstores.Skimmersaredevicesthatallowcollectionofpaymentinformation.Financialdatawerecompromisedin56ofthe78databreachesthisyear,totaling208,216individualfinancialrecords.

NUMBER OF BREACHES BY TYPE OF INFORMATION COMPROMISED

2017

2016

0 10 20 30 40 50 60 70 80

Driver'slicense/IDcard

SocialSecurityNumber

Name

ThelawrequiresnotificationtotheAttorneyGeneral’sOfficewhenthecompromiseddataincludesanindividual’snameincombinationwithanyofthefollowing:• SocialSecuritynumber;• Driver’slicenseorIdentificationcardnumber;or• Bankingorfinancialinformation,includingpaymentcardinformation.ThelawalsorequiresnotificationtotheAttorneyGeneral’sOfficewhenpersonalhealthinformationcoveredbyHIPAAiscompromised.

7

Industries Reporting Breaches

Overtwo-thirdsofthe2017databreachesinWashingtonaffectedbusinesses.Maliciouscyberattacks,especiallymalwareinstallationonpaymentsystemswerethecauseofthemajorityofthedatabreachesaffectingbusinesses.Hospitality,entertainmentandclothingbusinesseshadthelargestnumberofbreachesaffectingthebusinessindustry.

Ente

rtain

men

t

Cosmet

ic

Consum

able

Cloth

ing

Acces

ories

Real E

state

Softw

are

Nonprofit

Hospita

lity

Human

Res

ources

Man

ufact

uring

Fitnes

s

Home

Biote

ch

Healthcare

Government

FinancialServices

Business

Number of Breaches by Industry

A Closer Look at Businesses Reporting Breaches

0

2

4

6

8

10

12

0 10 20 30 40 50 60

Thisyear,thereportusesindustrycategoriesbasedontheIdentityTheftResourceCenter’sbreachcategoryclassifications: •business, •education, •financialservices, •government,and •healthcare. Thebusinesscategoryincludesretail,nonprofit,realestate,humanresources,hospitality,manufacturing,andsoftwarecompanies.

Num

ber o

f Bre

ache

s

8

Industries Reporting Breaches

Businessbreachesaccountedfor71%of2017databreaches,whilegovernmentbreachesaccountedfor3%.However,businessbreachesaccountedforonly7%ofthenumberofrecordsbreachedandgovernmentbreachesaccountedfor52%ofallrecordscompromisedin2017databreaches.

In2017,databreachesofgovernmentrecordsresultedinthegreatestnumberofrecordscompromised.ThevastmajorityofthesecompromisedrecordsweretheresultoftheACTIVEOutdoorsbreach,whichcompromisedthepersonalinformationofatleast1,449,645Washingtonians.ACTIVEOutdoorshostedtheonlineapplicationsystemusedtoapplyfororpurchasestatehuntingandfishinglicenses.AlthoughACTIVEOutdoorsisnotagovernmentagency,thiswascategorizedasagovernmentbreachbecauseofthenatureoftheinformationthatwasexposed.Mostconsumerswhopurchasedlicensesthroughthissystemwerenotawarethesystemwasoperatedbyathirdparty.Theinformationcompromisedincludedname,address,dateofbirth,anddriver’slicensenumber,aswellasphysicaldescriptioninformation,andinsomecases,thepartialSocialSecuritynumbersofWashingtonresidents. Recommendation: Governments must do a better job of securing data, including strengthening their own data security and ensuring government contractors adequately secure personal consumer information.

0

100,000

200,000

300,000

400,000

500,000

600,000

700,000

800,000

HealthcareGovernmentFinancialServicesBusiness

Average Records Per Breach in 2017

9

14% 7%

26%

52%1%

Share of Data Breaches

Compromised by Industry

2017

Share of Records Compromised by

Industry2017

68%

11%

3%

13%

5%

Health Care Government Financial Services Education Business

Industries Reporting Breaches

10

Time to Identify and Contain Data Breaches

Themajorityof2017databreachestookbetween300and399daystoresolve,meaningthecauseofthebreachwasidentifiedandtheinformationwassecured.Therewere12breachesin2017wherethenumberofdaystoidentifyandcontainthebreachwasunspecified.Thesebreacheshadthehighestnumberofrecordsperbreachatanaverageof212,989recordsperbreach.Acomparisonto2016isnotavailablebecausethismetricwasnotanalyzedinthe2016report. Asnotedearlier,thenationalstudybythePonemonInstitutefoundthatthemorequicklyabreachcanbeidentifiedandcontained,thelowerthecosttothebusiness.Ofthe63companiesinthestudythatexperienceddatabreaches,ittookbusinessesanaverageof191daystoidentifyand66daystocontainthebreach.6 Recommendation: Businesses must work harder to quickly identify and resolve data breaches.

0

5

10

15

20

Unknown500+400-499300-399200-299100-1991-990

Time to Identify and Contain Data Breaches in 2017

Num

ber o

f Bre

ache

s

Number of Days to Identify and Contain Data Breaches

11

Washington’s Data Breach Laws

A data security breach, or data breach, is the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by a person, business, or agency. Data breaches are costly for the economy and can lead to individuals becoming victims of identity theft. NotificationBusinessesandpublicagenciesarerequiredtonotifyaffectedindividualswhenadatabreachoccurs,andnotifytheAttorneyGeneral’sOfficewhenadatabreachaffects500ormoreWashingtonresidents.

Undertherevisedlaw,notificationrequiredwhenabusinessorpublicagencyexperiencesabreachofpersonalinformationif:• Thebreachisreasonablylikelytosubjectanindividualtoariskofharm;• Theinformationaccessedduringabreachwasnotsecured;or• Theconfidentialprocess,encryptionkey,orothermeanstodecipherthesecuredinformationwas

acquired.

Thenotificationlaws,RCW19.255.010andRCW42.56.590,cover“personalinformation.”Personalinformationisdefinedassomeone’sfirstnameorfirstinitialandlastnameincombinationwithanyofthefollowing:• SocialSecuritynumber;• Driver’slicensenumberorWashingtonidentificationcardnumber;or• Accountnumberorcreditordebitcardnumber,incombinationwithanyrequiredsecuritycode,access

code,orpasswordthatwouldpermitaccesstoanindividual’saccount.

EntitiescoveredbytheHealthInsurancePortabilityandAccountabilityAct(HIPAA)mustalsoprovidenotificationtotheAttorneyGeneral’sOfficewhenabreachoccursinvolvinghealthinformationcoveredbyHIPAA.TheseentitiesaredeemedtocomplywiththetimelinessofthenotificationrequirementaslongastheycomplywiththerequirementsoftheHealthInformationTechnologyforEconomicandClinicalHealth(HITECH)Act(RCW19.255.010(10)). Theft of Financial InformationUnderWashington’scriminallaw,improperlyobtainingfinancialinformationisaClassCfelony(RCW9.35.010).Itisillegaltoobtainorseektoobtainfinancialinformationthatapersonisnotauthorizedtohave.Thelawalsoestablishesthecrimeofidentitytheft,whichisfocusedonfinancialinformation,asaClassBorCfelonydependingonthedamagecaused.Thislawisenforcedbycountyprosecutingattorneys.

12

How Does Washington Compare with Other States?

Currently,48stateshavelawsrequiringthatconsumersreceivenotificationwhenadatabreachoccurs.7

When is notification required? •In32states,notificationisnotrequirediftheinformationcompromisedwasencrypted,redacted,orotherwiseunreadable. •In15states,includingWashington,notificationisrequired,eveniftheinformationcompromisedwasencrypted,redacted,orunreadable,iftheencryptionkeywasobtainedinthebreach. •Tennessee’sstatutedoesnotexemptbreachesofencryptedinformation.8

Is notification to the Attorney General required? •In25states,includingWashington,notificationofabreachmustbeprovidedtotheAttorneyGeneral.MarylandrequiresthattheAttorneyGeneralbenotifiedbeforenotificationisprovidedtoconsumers. What is the deadline for notification after discovery of a data breach? •In11states,includingWashington,notificationmustbeprovidedtoconsumersbyaspecificdeadline. Themostcommondeadlineis45days,whichistherequirementunderWashingtonlaw.Floridarequires notificationtoconsumersandtheAttorneyGeneralwithin30days. •Moststates,includingWashingtonandotherstatesthatsetaspecificdeadline,requirethatnotification“be giveninthemostexpedienttimeandmannerpossibleandwithoutunreasonabledelay,consistentwiththe legitimateneedsoflawenforcement.”

Recommendation: Policy makers should consider whether a 45-day deadline for notice sufficiently protects consumers, and whether a shorter deadline for notice to the Attorney General’s Office is appropriate.

13

Resources For Individuals Affected by a Data Breach or Identity Theft

Whiletherearestepsyoucantaketoprotectyourselffromidentitytheft,thereisnofoolproofwaytoensurethatyourinformationwillnotbecompromised.Ifyoureceiveadatabreachnotificationorbelievethatyoumaybeavictimofidentitytheft,pleasevisittheWashingtonAttorneyGeneral’swebsiteathttp://www.atg.wa.gov/GUARDIT.ASPXforhelp.

IdentityTheft.gov,providedbytheU.S.FederalTradeCommission(FTC),isalsoavaluableresourceforvictimsofidentitytheft.

Ifyoususpectyouarethevictimofidentitytheft:

1. Callthecompanieswhereyouknowfraudoccurred;2. Workwithoneofthecreditbureaus(Experian,TransUnion,andEquifax)toplaceafraudalertorcredit

freezeonyourcreditreportandreceiveacopyofyourcreditreports;3. ReporttheidentitythefttotheFTC;and4. Fileareportwithyourlocalpolicedepartment.

Resources for Businesses to Protect Themselves

Allindustriesandbusinessesarepotentiallysusceptibletodatabreach.However,therearestepsbusinessescantaketopreventabreachfromhappening.TheWashingtonAttorneyGeneral’sOfficeprovidesresourcesforbusinessestoprotectagainstdatabreachesandtohelpexplainthelawsregardingdatabreachesandnotifications.Theseresourcesareavailableat:http://www.atg.wa.gov/identity-theft-and-privacy-guide-businesses.

Thesebasicstepscanassistbusinessesinevaluatinghowwelltheyareprotectingpersonalinformation:

1. Understandyourbusinessneedsandhowtheyrelatetodatasecurity.Thisincludesknowingwhatinformationyoucollectaboutconsumersorclients,andknowingwhatinformationyouretainandhowitisretained;

2. Minimizetheamountofinformationthatyoucollectandretain.Deleteanyinformationthatisnolongerneeded;and

3. Createandimplementaninformationsecurityplan.

Attorney General’s Office Consumer Resource Center

8005thAve,Suite2000Seattle,WA98104-31881-800-551-4636(instate)1-206-464-6684(outofstate)1-800-833-6388(relayserviceforthehearingimpaired)www.atg.wa.gov/consumer-protection

Photo Credits

Cover-PhotobyJannoon028-Freepik.com

14

Notes 1ThedatarepresentedinthisreportreflectsthedatabreachesreportedbetweenJuly24,2016andJuly23,2017.ThedataforthisreportwerecollectedfromthedatabreachnotificationsrequiredbyRCW19.255.010andRCW42.56.590,availableat:http://www.atg.wa.gov/data-breach-notifications.ThisreportincludesonlynotificationsreceivedthatwererequiredunderWashington’snotificationlaw.Somebusinessesprovidednotificationofbreachesaffectingfewerthan500Washingtonians;thesewerenotincluded.Othernoticeswereomittedbecausetheydidnotinclude“personalinformation”asdefinedinthelaw.Additionally,fourteendatabreachnotificationstotheAttorneyGeneral’sOfficedidnotspecifythenumberofWashingtoniansaffected,meaningagreaternumberofrecordswerelikelybreachedorsusceptibletobreachthanreportedhere.2ThereisapossibilitythatcertainWashingtonresidentswereimpactedbymorethanonebreach.ThisnumberisthesumofrecordscompromisedbyindividualdatabreachesaccordingtonotificationssubmittedtotheAttorneyGeneral’sOffice.3ThelargestdatabreachinvolvedunauthorizedaccesstoACTIVEOutdoors’systemusedtostoredataforhunting/fishinglicenses.Thecompanyreportedthattheinformationofnearly1.5millionWashingtoniansmayhavebeenaccessed.4DatacomparisonsaremadebetweendatabreachnotificationsfromJuly24,2016toJuly23,2017(referredtoas2017databreaches)anddatabreachnotificationsbetweentheimplementationofthedatabreachnotifica-tionlawandJuly23,2016(referredtoas2016databreaches).5“2017CostofDataBreachStudy,”PonemonInstitute,June2017.6“2017CostofDataBreachStudy,”PonemonInstitute,June2017.7“SecurityBreachNotificationLaws,”NationalConferenceofStateLegislators,April12,2017.http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx8Tenneseecode§§47-18-2107;8-4-119.

Washington State Office of the Attorney General1125WashingtonSt.SEPOBox40100Olympia,WA98504(360)753-6200www.atg.wa.gov