MAUREEN CAVANAUGH: Our top story on Midday Edition, The big holiday shopping season is right around the corner. So, it is particularly distressing to hear that consumer data breaches in California are still on the rise. A report from Attorney General Kamala Harris says losses of personal consumer data by businesses was up right 28% last year, potentially affecting 18.5 million Californians. The report urges business, consumers, and legislature, to tighten cyber security. Like to welcome my guest, Chris Simpson. Welcome to the show. CHRIS SIMPSON: Thank you for having me. MAUREEN CAVANAUGH: You read the report, what is your general reaction? CHRIS SIMPSON: It's an interesting report that has some good data and statistics that really highlight the increased threat, and the increased breaches we have experienced throughout California and the country. MAUREEN CAVANAUGH: The report places heavy emphasis on stores to implement encryption solutions. What can stores and businesses do that they are not doing now? CHRIS SIMPSON: There are a couple of things that they can do. Credit card industry itself is pushing for the move to chip technology, and they're looking to have that deployed by October 2015. That enhances security and merchants that do not do that will have increased liability. It is a motivation factor for companies to enhance security. MAUREEN CAVANAUGH: The report says that more than half of the 2013 breaches were caused by malware and hacking are there programs businesses can run to see if their information is being hacked? CHRIS SIMPSON: There are great tools out there that companies can use to detect theft. A big thing that companies need to do is to have a risk assessment approach to understand risk and build a defense strategy. Know what one tool or technique will be 100% effective. That by having a defense approach they can block attacks and maybe be able to detect and stop those attackers early. MAUREEN CAVANAUGH: Is that happening? CHRIS SIMPSON: I think so. There is great awareness of security requirements in small business groups. Even people that run smaller businesses have concerns about security. A lot of these small businesses are actually deciding to take additional measures to protect systems. MAUREEN CAVANAUGH: How much to those programs cost? How much would that add to a small business overhead? CHRIS SIMPSON: It can be a significant cost, but some of them if they focus on the basics, they are not that expensive to implement. Additionally, there is a lot of free government information out there that companies and organizations can use on procedures to implement. For example, the national and to do of standards and technology has a publication that gives the top 10 things that businesses must do to protect systems. They are not that hard or expensive to implement at a basic level. Another consideration is, a lot of companies especially in San Diego manage service providers that provide support at a reasonable cost. MAUREEN CAVANAUGH: What happens to all of this information being stolen? CHRIS SIMPSON: The criminals have exchanges where they exchange the credit card information at certain prices for bits and pieces of personal information. They exchange that and some organizations make counterfeit cards and try to use them to make purchases. There is a vibrant market for this data. MAUREEN CAVANAUGH: The healthcare industry as part of this report, they have had breaches as well with patient information taken or lost. It is unclear in this report whether that information has just been lost by medical centers. What could health information used for? CHRIS SIMPSON: Health information could be used to blackmail someone in the case of something, maybe a celebrity did not want disclosed publicly. It could be used to target people for spam or something like that, or in the case of personal identifying information such as Social Security numbers. They may use that to steal an identity or for other purposes. MAUREEN CAVANAUGH: How sophisticated are today's hackers and cyber thieves? CHRIS SIMPSON: They have developed all kinds of new ways to take into systems, they are really sophisticated. A countermeasure comes out and they find a way around it. Hackers are good a maybe not attacking a target directly, but using a third party to get into a primary target. The Target breach of last year is a good example. Their HVAC provider was the target of the initial attack for cyber criminals. MAUREEN CAVANAUGH: Explain that more. CHRIS SIMPSON: Let's say I am a cyber criminal and I want to target a big company. I may find a smaller company that company does business with, and smaller companies may not have better security measures in place. I will attack them first and use leverage from permissions and access from that company to attack a bigger company. That can be through sending fake emails or trying to get someone in a big company to click on a file with malware and they would gain access to the larger company and gain a foothold. Attackers will gain a foothold and leverage that to gain additional privileges and try to gain access to other parts of the organization. MAUREEN CAVANAUGH: So the cybernetic version of going to the back door? CHRIS SIMPSON: That's a good analogy, looking for the way that you do not expect. MAUREEN CAVANAUGH: I think it's surprising to a lot of people in this day and age, cyber security is not an essential part of what is Mrs. think of when they are starting to take personal information from people. Is that becoming more of a first line of defense thought, or are there still people hanging back and hoping it does not happen? CHRIS SIMPSON: It's a mix of both. Many small business owners I have talked to understand the threats, they may not know the first steps, but if we get them in the right direction they can take those. It is definitely increased awareness. Honestly, I don't think a day goes by that we don't hear about a successful cyber related attack. MAUREEN CAVANAUGH: Recommendation made by the Attorney General is that legislation should be enacted to clarify responsibilities of data owners who are collecting information from consumers or patients. What are their response abilities now? CHRIS SIMPSON: There are limited responsibilities on what organizations have to do with that data, a lot of it has to do with the type of data and it also depends on where the data is located. Some ASIC measures typically for more sensitive information, like Social Security and stuff like that, it needs be encrypted and needs to only be disclosed to people have a requirement for that information. MAUREEN CAVANAUGH: I think people are becoming used to news reports of security breaches or emails from companies saying that personal information has potentially been compromised. What is the best thing to do when you get that notification? CHRIS SIMPSON: A couple of steps you can take when you get that notification, you can run a credit report to see if there are any new credit cards or other accounts opened in your name. Typically if you are the victim of a data breach, the complete responsible will give you some type of access to that information. Keep an eye on your ink accounts and credit cards. If you can determine where you think it happened, that may help. A lot of attackers and a lot of scammers at gas stations, you can correlate it to where you lost that information, you may be able to tell that business what happens. Keep a close eye on your accounts. If there is a data breach associated with passwords, change your passwords. A good practice is not to have the same password on different websites, have different passwords on different sites. MAUREEN CAVANAUGH: Do you do certain things as a security expert that the general public does not do when it comes to having a credit card that you use exclusively at gas stations or other precautions that you take so that private information and credit cards are not compromised? CHRIS SIMPSON: I probably take the same measures is most. A few things that I do different, I keep my hard drive encrypted. It is easy to do now with modern operating systems. I keep an eye on my different credit card accounts, and stay aware of that. I keep an eye on what is going on in the news. Another thing that is a good measure that I do not always practice but I try to, use one web browser for all sensitive transactions, and do not do any other type of web browsing if you are banking or using sensitive information. If you use Google Chrome and Internet explorer, only use one of those for banking and sensitive information, and do not visit other sites with that web browser. MAUREEN CAVANAUGH: I would imagine that separate security is becoming quite a popular line of education for a lot of students today. Do you see this field growing, or do you think we will get a hold on this so it is not as leaky as it is now? CHRIS SIMPSON: I think you will see security improving. There are a lot of reports indicating shortages in the number of cyber security professionals out there. In National University we have seen growth in our program. We graduated approximately 130 students from our masters program in the couple of years it has been around, and I have seen increased enrollment of about 80 people in the pipeline now in our program both online and on-site. As more professionals get out and as the public becomes more aware of the threats and can take measures they need, hopefully we will see a decline in cybercrime. MAUREEN CAVANAUGH: We were just talking about how often these reports come out, or headlines are about cyber security breaches. I think it makes people alarmed, but I think they are more blasÈ than they used to be. It used to terrify people at the notion, and now you go on and see that nothing terrible happens after something like that. Do you think that becoming a bit blasÈ about this is a good idea? Or should a certain level of concern be maintained like consumers about these security breaches? CHRIS SIMPSON: I think you want a certain level of concern without being too fearful. You do not want to let it impact your day-to-day business transactions. Periodic reviews of credit reports, checking your credit card statements regularly, and honestly, the credit card and payment industry are good at detecting fraud. That has improved, so they notify you early and can put a stop to it. I think they've been able to reduce that somewhat. Don't live in fear, take general precautions. If you go to a gas station or ATM, take a look for signs of tampering on the machines, that may be an additional way to protect yourself. MAUREEN CAVANAUGH: Last year, after a major company had a security reach, we are saying it may be best to simply pay in cash. I am thinking, as the holiday season approaches, would that be a piece of advice you might give people? CHRIS SIMPSON: That is one way to do it, but if you carry cash, you increase your risk of getting robbed. You can also do prepaid cards. That might reduce risk. This follows common sense as well, watch the website you go to if you do online transactions. Honestly, I would not live in fear of not going to vendors and using a credit card. MAUREEN CAVANAUGH: Thank you very much for your time.
Personal information about more than 18.5 million Californians was hacked, stolen or otherwise exposed last year and as many as one-third of those people will become victims of fraud, California Attorney General Kamala Harris said Tuesday in a new report on data breaches in the nation's biggest state.
Retailers, banks, health care providers and other organizations reported 167 different breaches in the state during 2013. That's six times more than the 2.5 million accounts hacked in 131 breaches in 2012, and represents nearly half of the state's 38 million residents. The alarming increase in malicious hacking and accidental leaks due to poor information security was mainly due to breaches at Target stores and Living Social, an online marketplace. Even without those two incidents, the number of customer accounts exposed by hacking, lost and stolen hard drives and accidental data leaks, jumped 35 percent last year.
As many as one third of people whose information is exposed in a data breach will subsequently suffer some kind of fraud, Harris adds in the report, citing estimates by Javelin Strategy and Research, a California firm that tracks financial industry trends.
More than half of the breaches reported in California involved malicious attempts by hackers or cyber-criminals who were determined to steal customer data, according to the report, which said "trans-national criminal organizations" appear to be responsible in many cases.
"Increasingly, highly sophisticated criminal organizations and state-sponsored entities - located as far away as Russia, China and Eastern Europe - are responsible for breaches," Harris said. The report cites one federal prosecution of an overseas hacker group. It doesn't provide any new details on a multi-state investigation, announced earlier this year, in which officials from California and elsewhere said they were looking into Target Corp.'s response to its breach.
State law requires businesses to notify consumers when their data is exposed in a breach affecting more than 500 accounts. They also must file a report with Harris's office. While there is no similar requirement at the federal level, the figures from California may provide insight into broader trends nationwide.
Retailers were the largest category of businesses that were hacked, followed by financial institutions and then health care providers. Health care organizations were more likely to report the loss or theft of laptop computers or other electronic storage devices containing patient files. What was taken? Social security numbers were exposed in nearly half of the breaches; 38 percent of breaches involved account information for credit or debit cards.
Criminals can use both to commit financial fraud: The average amount of fraud linked to a stolen social security number is $2,330 and the average for a credit card is $1,251, according to estimates that the attorney general attributes to Javelin.
A new state law that goes into effect next year will require companies to offer at least one year of free theft-prevention assistance, such as credit monitoring, to consumers affected by data breaches. While many companies already do this, the report says that kind of help was only offered in half of the breaches reported over the last two years.
Harris is recommending additional changes, including legislation that sets stricter notification requirements and provides financial aid to help small businesses adopt data safeguards. She also urges companies to use stronger encryption and other protective methods, although she noted that a recent legislative effort to require encryption was unsuccessful.
Harris also is urging companies to notify consumers about data breaches more promptly and to make their notices easier to understand, with less legal jargon. She notes that the purpose of such notices "is undercut if the recipients cannot understand them."