Roughly one in five Massachusetts residents were affected by a data breach last year, according to numbers released today by the Commonwealth’s Office of Consumer Affairs & Business Regulation (OCABR).
The number, about 1.2 million residents, is nearly a 60 percent increase from 2012.
“Last year was an unprecedented year for high volume and high profile data breaches. I alone had my information breached four times,” said Undersecretary of Consumer Affairs and Business Regulation Barbara Anthony in a statement accompanying the 2013 Data Privacy Report Thursday.
The number is likely bloated by the massive Target breach at the tail end of 2013. Target operates 36 stores in Massachusetts and almost 950,000 Mass. residents, 80 percent of all the state’s breach victims, were affected by last winter’s hack. Yet as the report notes, if the Target numbers are discounted, fewer residents were actually breached in 2013 than 2012. The drop – almost a 36 percent dip – is something the state is attributing to what it calls its “stringent and protective” data security laws.
In 2007, Massachusetts became the 39th state to enact personal data breach legislation when Governor Deval Patrick asked all businesses to collectively notify the attorney general, the director of consumer affairs and business regulation, along with the affected resident when a breach occurs.
As is to be expected, the bulk of breaches reported to the state – 76 percent – revolved around credit or debit information pilfered from payment processing centers and retail establishments.
The lion’s share of these breaches dealt with information that was stolen from a third party, when either a point of sale terminal or a PIN pad was compromised.
The Briar Group, a Boston-based restaurant chain that was fined by the state in 2011 after hackers got customers’ credit and debit card information, was breached again last fall. The group, which owns 10 restaurants and bars in Boston, reported in December that hackers had again made off with customer names, credit-card numbers, and expiration dates.
In a very distant second place, 88 data breaches, comprising 5 percent of the total, affected the health care field. Many schools and universities were hit hard in 2013, including the University of Massachusetts Center for Language, Speech, and Hearing, which experienced a data breach that affected about 1,600 patients when malware infected a workstation containing patient data last summer. Concord, Mass.-based Adult & Pediatric Dermatology was also forced to pay $150,000 as a result of a data breach last year.
While the report plays up the enormity of the Target attack, those numbers aside, perhaps the most surprising figure is the 611 percent jump the Commonwealth saw in breaches affecting the education sector from one year to the next. Nearly 32,000 individuals were affected last year, a far cry compared to the 5,000 or so individuals that were affected in 2012. Likely to blame: A breach that affected Boston’s Berklee College of Music, and its third-party ticket vendor, Vendini Inc., that ultimately compromised the credit card information of nearly 20,000 victims last year.
Recent breaches like last month’s news that popular Massachusetts supermarkets like Star Market and Shaw’s were breached, along with Tuesday’s news that Home Depot, which operates 50 or so stores in the state, was also compromised, suggest Massachusetts’ numbers may increase in the future.