ALBANY Nearly 23 million private records of New Yorkers have been exposed in data security breaches reported by more than 3,000 businesses, nonprofits and governments over the past eight years, New York's attorney general reported.
Deliberate hacking was responsible for 40 percent of the 5,000 incidents, which exposed a majority of the records, followed by lost or stolen equipment, insider wrongdoing and inadvertent errors, according to the report released on Tuesday.
"As we increasingly share our personal information with stores, restaurants, health care providers and other organizations, we should be able to enjoy the benefits of new technology without putting ourselves at risk," Attorney General Eric Schneiderman said. He urged collaboration between industry and security experts so businesses and organizations have the tools to secure data and address the growing, complex problem.
Since 2005, New York law has required breached institutions to advise the attorney general and the individuals when computerized private data consisting of names and account, social security or driver's license numbers were acquired by an unauthorized user. The report noted that it excludes thousands of data breaches involving sensitive information that don't fit under the law's reporting requirements.
The 7.3 million records exposed in 900 security breaches last year cost institutions an estimated $1.37 billion to investigate, rectify and help customers, the report said. They included the two largest so far, both involving retailers, when Target Corp. was hacked, exposing the personal information and credit card numbers of more than 70 million customers nationwide including 1.8 million New Yorkers, and LivingSocial's data was hacked, exposing 4.75 million records of New Yorkers.
Target said it subsequently imposed several security measures with enhanced monitoring, limiting vendor access, streamlining firewalls and resetting passwords.
LivingSocial spokesman Kevin Nolan said none of their customers' credit card data was ever compromised, that the exposed data in 2013 was limited to usernames and encrypted passwords that were useless outside of its system.
While black market sales of private data were cited as the primary motivation for hacking, the report didn't identify New York consumer losses. It cited studies by the Javelin Strategy and Research Group and LexisNexis estimating one-fourth of records lost in data security breaches end up used for fraudulent purposes, often identity theft, which accounted for $24.7 billion direct and indirect losses in the U.S. in 2012, exceeding all other property crimes combined.
For businesses, nonprofits and governments, the report advises identifying the data they require and how it's secured, collecting no unnecessary data and setting expiration dates on collected information, and establishing a security plan with encryption. For consumers, it advises creating strong and different passwords for various accounts, not storing them electronically, carefully monitoring credit and debit card statements, and not posting sensitive information on social media.