From Wolf Street, by Wolf Richter
Healthcare providers, insurers, colleges, tax accountants… have your crown jewels. They get hacked all the time.
The big data breaches at Yahoo and Target make headlines. In fact, Yahoo’s data breaches, rejuvenated by new disclosures, can’t seem to get out of the headlines. If you use Yahoo with an alias and a fake date of birth, your exposure is limited. If your data is compromised at a retailer, it might include your credit card data, but not normally your date of birth or Social Security number. But if your data is compromised at a healthcare provider, insurer, a university (happened to me), or tax accountant, the hackers gained access to your crown jewels. Those data breaches occur all the time – though they might not make the news.
This year through February 28, according to the Identity Theft Resource Center, there have been 240 data breaches in the US with 1.1 million records “known” as compromised – though the number of records actually compromised is much higher (more in a moment). The ITRC report divides them into five categories. Note the top two:
- Medical/healthcare: 64 breaches, 569,364 records (51.7% of total)
- Business (excl. banking/financial): 120 breaches, 464,540 records (42.2% of total)
- Government/Military: 13 breaches, 39,232 records (3.6% of total)
- Educational: 13 breaches, 39,232 records (2.6% of total)
- Banking/financial: 2 breaches, 0 records “known”
The ITRC defines a data breach as an incident that exposes an individual name plus a Social Security number, driver’s license number, medical record, or financial record (including credit/debit cards) and thus triggers data-breach notification laws.
The report also includes incidents that don’t require notification, such as exposure of user names, emails, and passwords that don’t involve sensitive personal identifying information. For these incidents, the number of exposed “records” is not counted in the totals and shows as zero.
The report lists by name the 240 entities where data breaches have been reported so far this year. It also lists the number of records exposed by each entity, though most of the time the number is “unknown” and therefore not included in the totals. So the total number of records exposed is much higher.
Oh, the irony
Here are a few of the entities on that list – some of them ironic, others outright chilling:
- New York Life
- U.S. Anti-Doping Agency
- Cloudflare (which I use to guard WOLF STREET against denial-of-service attacks; they notified me of the breach; there was a “serious bug” in its software and it was “leaking data”; but it was fixed, they said, and they found “no instance of the bug being exploited.”)
- Several CPA and income tax services firms, whose client tax data would surely make them a high-value target
- Klondex Gold & Silver Mining
- Athletic Clubs of America
- Land Title Guarantee Company
- Several investment advisory firms
- Toys “R” Us
- A large number of school districts and public schools
- A large number of universities, including University of North Carolina School of Dentistry, Harvard Computer Society (I mean, really), Georgia Tech…
- Veterans Affairs
- New York City Department of Education
- North Carolina Department of Health and Human Services
- Michigan Department of Technology, Management and Budget
- California Correctional Health Care Services
- Alaska Department of Public Safety
- California Department of Justice
- Health insurers, including Highmark Blue Cross Blue Shield of Delaware and Humana (one of the largest health insurers in the US)
- A large number of healthcare providers, including Vanderbilt University Medical Center, West Virginia University Healthcare, St. Joseph’s Hospital and Medical Center (Arizona), Massachusetts General Hospital, Children’s Hospital Los Angeles, Center for Mental Health (Montana)….
- Healthcare services firms, including Medical Information Management Systems
- Walgreen Co.
240 of them, just in the first two months of 2017. Few of the breaches came to the attention of the media.
A new sad record in 2016
In 2016, the number of US data breaches tracked by ITRC soared 40% year-over-year, to an all-time high of 1,093. By the looks of it, this high will be taken out by this summer. The business sector topped the list last year, followed by healthcare:
- Business sector: 494 breaches (45.2% of total)
- Healthcare/medical: 377 breaches (34.5% of total)
- Education: 98 breaches (9% of total)
- Government/military: 72 breaches (6.6% of total)
- Banking/financial: 52 breaches (4.8% of total)
The report provides this chart. The top two lines: business (blue line) and healthcare (purple line). Clearly, they have not done nearly enough to contain the damage and are more and more targeted. The healthcare sector sits on the most valuable data, including payment-related data such as credit cards, voluminous amounts of health data, date of birth, Social Security number, contact data….
The other categories (government, educational, and banking/finance) are trying to plug the holes more successfully, it seems:
And the chart below shows how “hacking” has become the dominant type of data breach over the years, while the proportion of all other types of data breaches has declined:
In 2016, 52% of the breaches exposed Social Security numbers and 13.1% exposed credit and debit card info. If your Social Security number falls into the wrong hands, you can easily become victim of identity theft.
This is what happened to me, and how I dealt with it:
In 2006, the University of Texas at Austin notified me that “a security breach was discovered in the administrative information system” at the business school where I’d received my MBA years earlier. The information that was downloaded included my name, my date of birth, and my Social Security number. So the crown jewels. And it “strongly” encouraged me “to take precautions” to protect my credit.
Which I did. I did something nasty, something the industry hates: I put a “credit freeze” on my data at the three credit bureaus – Equifax, TransUnion, and Experian – after which only financial institutions with which I already did business continued to have access to the data. It blocks all others from gaining access to this data. Hence, it’s nearly impossible for them, or even for me, to open new credit in my name.
This brought a big side benefit: it stopped the avalanche of “pre-approved” credit cards and cash transfer offers in my mailbox, which is a risk on its own. Credit bureaus sell your data to others. That’s their business model. When you put a credit freeze on it, they can no longer sell this data, and they hate it, and they make it as hard and cumbersome as possible for you to do this. But you can do it if you’re relentless enough.
And it has a (minor) drawback, which also shows that this credit freeze works: Even I cannot open a credit account or a deposit account. I can’t get a car loan or a mortgage. In order to get a new credit card, I would have to unfreeze the credit freeze. But I can maintain the financial relationships that I have.
I have had this credit freeze in place since 2006. I think it’s the single best precaution I’ve ever taken to protect myself against identity theft and the worldwide circulation of my credit data. Nothing is 100%, but there are some things we can do to avoid being the low-hanging fruit.