Malicious cyberattacks continued to be the leading cause of data breaches, accounting for approximately 65 percent of all breaches reported in 2020. Breaches of businesses affected on average 16,759 Washingtonians per breach, up from an average of 3,831 Washingtonians per breach in 2019.
Attorney General Ferguson has repeatedly taken action to protect Washingtonians when companies fail to reasonably secure data or provide timely notice regarding breaches. Ferguson led a coalition of 30 state attorneys general investigating a data breach by Premera Blue Cross, the largest health insurance company in the Pacific Northwest. As a result of that investigation, the office announced in July 2019 that Premera would pay $10 million for failing to secure sensitive consumer data and for misleading consumers before and after a data breach affecting millions across the country.
The data used in the report is acquired through a high-level review of breach notices submitted to our office. A list of all data breach notices that have been sent to our office since 2015 is publicly available at: -breach-notifications. Information for businesses on reporting data breaches is available at www.atg.wa.gov/identity-theft-and-privacy-guide-businesses.
The Office of the Attorney General is the chief legal office for the state of Washington with attorneys and staff in 27 divisions across the state providing legal services to roughly 200 state agencies, boards and commissions. Visit www.atg.wa.gov to learn more.
The scope of the data breach problem extends well beyond Equifax. The consumer reporting industry has a sordid history of poor cybersecurity. For example, in May 2016 identity thieves stole the tax and salary data of more than 431,000 people from Equifax. In October 2015, Experian breached the records of 15 million T-Mobile customers, which included names, addresses, SSNs, dates of birth, and identification numbers. Equifax, Experian, and TransUnion all exposed the credit reports of celebrities in March 2013. These are only a few examples of breaches at credit bureaus.
Identity theft is an enormous problem for consumers. The Federal Trade Commission reported 399,225 cases of identity theft in the United States in 2016. Of that number, 29% involved the use of personal data to commit tax fraud. More than 32% reported that their data was used to commit credit card fraud, up sharply from 16% in 2015. A 2015 report from the Department of Justice found that 86% of the victims of identity theft experienced the fraudulent use of existing account information, such as credit card or bank account information. The same report estimated the cost to the U.S. economy at $15.4 billion.
The vulnerability that caused the breach was the Apache Struts vulnerability CVE-2017-5638. Apache Struts is a popular framework for creating Java web applications, maintained by the Apache Software Foundation. The Foundation issued a statement announcing the vulnerability and released a patch on March 7, 2017.
The following day, the Department of Homeland Security contacted Equifax, Experian, and TransUnion to notify them of the vulnerability. On March 9, 2017, an internal email notification was sent to Equifax administrators directing them to apply the Apache patch. Equifax's information security department ran scans on March 15, 2017 that were meant to identify systems that were vulnerable to the Apache Struts issue, but the scans did not identify the vulnerability.
Equifax advised people to sign up for their credit monitoring service TrustedID Premiere, but in doing so consumers agreed to terms of use with a mandatory arbitration clause. After public outcry that Equifax was forcing consumers to give up their right to sue, the company issued a press release explaining that the arbitration clause would not apply to claims arising from the security breach.
Second, CRAs should provide free monitoring and easy access to credit history. Current laws allow consumers access to free credit reports, but the process is cumbersome, and few consumers take advantage. A rationalized market would help ensure that consumers have as much information as possible about the use of their personal data by others. Instead, Equifax and other credit reporting agencies profit from the very problems they create.
Third, Congress should require mandatory disclosure of secret scores and algorithms used by CRAs. Algorithmic transparency is key to accountability. Absent rules requiring the disclosure of these secret scores, lists, and the underlying data and algorithms upon which they are based, consumers will have no way to even know, let alone solve, these problems.
First, Congress should set national, baseline data breach notification standards to limit the damage caused by data breaches. The federal standard should require immediate and efficient notification of impacted consumers, regulators, and the public. Companies are increasingly interacting with consumers on social media and via automated text and e-mail messages, so it is reasonable to expect that companies can notify consumers within 48-72 hours of a breach.
Second, Congress should mandate reasonable data security measures. Prompt breach notifications are necessary to ensure that consumers and regulators can quickly deal with a data breach after it happens.
Third, consumers affected by data breaches should have a private right of action. Companies often require consumers to agree to contracts with arbitration clauses that block consumers from bringing lawsuits. Credit reporting agencies and other financial institutions should be prohibited from using these arbitration agreements to block consumer actions for breach, improper disclosure, or misuse of their personal data. And a breach of personal data should be sufficient harm to provide a cause of action.
The United States has fallen behind many other countries that are seeking to ensure that the rapid adoption of new technologies does not leave them vulnerable to data breach, identity theft, and cyber attack. A good starting point would be to enact the Consumer Privacy Bill of Rights, baseline privacy legislation that would put the responsibilities on companies that collect and use personal data to protect the information they choose to collect. The Consumer Privacy Bill of Rights follows the structure of many privacy laws in the United States and elsewhere. That means it could both harmonize and simplify compliance, and the CPBR could help resolve pending trade disputes with Europe and others about the protections for transborder data flows.
The United States should also establish a Data Protection Agency, as virtually every other advanced economy facing the challenges of the digital age has done. The current agencies in the United States tasked with protecting consumers and citizens lack the authority and even the personnel to do what needs to be done.
A security breach at Comcast-owned Xfinity has exposed the personal data of nearly all the internet provider's customers, including account usernames, passwords and answers to their security questions.
Comcast said Monday in a filing with Maine's attorney general's office that the hack affected 35.8 million people, and that the media and technology giant is notifying customers of the attack through its website and by email. The intrusion stems from a vulnerability in software from cloud computing company Citrix, according to Comcast.
Although Citrix patched the vulnerability in October, Xfinity learned that unauthorized users gained access to its internal systems between Oct. 16 and Oct. 19, revealing customer data. For some people, that included their names, contact information, account usernames and passwords, birthdates, parts of their Social Security numbers and answers to their security questions.
In addition to Xfinity, Citrix provides software to thousands of companies around the world. The previously announced vulnerability, dubbed "Citrix Bleed," has also been linked to hacks targeting the Industrial and Commercial Bank of China's New York arm and a Boeing subsidiary, among others.
Under new federal rules that took effect Monday, the Securities and Exchange Commission requires public companies to disclose all cybersecurity breaches that could affect their financial results within four days of determining that a breach is material.
"While Xfinity advises customers not to re-use passwords across multiple accounts, the company is recommending that customers change passwords for other accounts for which they use the same username and password or security question," Comcast noted.
Some Xfinity users continued to express frustration on Wednesday in the wake of the cyberattack. One poster on social media wrote, addressing the company's customer service team: "I signed in, changed password. I try to sign out by tapping my profile icon. It states sign in, but the webpage is showing my account information even though it says I'm signed out. You have more issues than just password leaks."
Customers with questions can contact Xfinity toll-free at (888) 799-2560 24 hours a day Monday through Friday from 9 a.m. to 9 p.m. Eastern time. More information is available on Xfinity's website at xfinity.com/dataincident.
In 2023, the number of data compromises in the United States stood at 3,205 cases. Meanwhile, over 353 million individuals were affected in the same year by data compromises, including data breaches, leakage, and exposure. While these are three different events, they have one thing in common. As a result of all three incidents, the sensitive data is accessed by an unauthorized threat actor.
Some industry sectors usually see more significant cases of private data violations than others. This is determined by the type and volume of the personal information that organizations in these sectors store. In 2022, healthcare, financial services, and manufacturing were the three industry sectors that recorded the most data breaches. The number of healthcare data breaches in the United States has gradually increased over the past few years. In the financial sector, data compromises nearly doubled between 2020 and 2022, while manufacturing saw more than a threefold increase in data compromise incidents.