More than 1.3 million Massachusetts residents had personal information compromised last year by cybercriminals, careless workers, and old-fashioned crooks, a fourfold increase from 2014 and the most since the state began tracking data breaches in 2007.
The jump was remarkable not only for the number of people affected, but also for the breadth of the data breaches. In the past, such surges were driven by one or two massive breaches, such as the theft nationally of more than 40 million debit and credit card numbers from Target Corp. stores in 2013.
But last year, Massachusetts residents had credit card data, Social Security numbers, addresses, medical records, and mortgage information exposed through a host of businesses. They include health insurance companies, pharmacies, wireless carriers, brokerage firms, and universities, as well as the vineyards and amusement parks visited by state residents on vacation, according to the Massachusetts Office of Consumer Affairs & Business Regulation, which tracks the data breaches.
In a world where every business has a website and companies store customer and employer data online, everybody is potentially exposed, said Andy Obuchowski Jr., a Boston-based director of security and privacy at RSM US LLP, an auditing firm.
“It’s unfortunately the world we live in, when we combine business and technology,” Obuchowski said.
Last year’s breaches outpaced 2013, when 1.2 million Massachusetts residents — including about 1 million who were victims of the Target data theft — had personal information exposed. In 2014, about 350,000 residents had personal information inappropriately released, according to the state’s consumer affairs division.
Attorney General Maura Healey’s office has ongoing investigations into several of these breaches, including the one at Target. The cases are aimed at the companies that hold the consumer data and examine whether they had adequate systems in place to protect the information.
Tracking down the criminals behind these data thefts has been more difficult, and arrests are rare. No arrests have been made of the masterminds behind the Target breach. Federal prosecutors last year did charge two Israelis and an American for a 2014 cyberattack against financial firms, including Fidelity Investments and JP Morgan Chase & Co., that compromised the contact information of more than 100 million people.
Among the companies attacked in 2015 was Anthem Inc., the Indianapolis-based health insurance giant. Cybercriminals were able to access personal information, including names, Social Security numbers, dates of birth, and employment records of about 78 million people nationwide, including 654,400 in Massachusetts, according to the state report.
Malware installed in stores owned by Sally Beauty Holdings Inc., a Texas distributor of professional beauty supplies, allowed cybercriminals in the spring of 2015 to steal credit card information of an estimated 58,500 Massachusetts residents.
Defense companies, big-box retailers, and large financial institutions have long had to deal with cyberattacks, spending millions on technology and training to protect themselves. Now, other sectors, such as higher education, are coming under increasing attack, analysts said, and so are smaller companies.
Criminals have realized the cybersecurity protections commonly used by smaller firms may be less sophisticated, although the information possessed by the firms can be just as valuable, said Charles Benway, executive director of the Advanced Cyber Security Center, a Massachusetts business and government coalition addressing computer security.
“It’s easier to go after the softer targets,” Benway said. “You’re seeing an increase in attacks on these smaller organizations, these soft targets where cybersecurity wasn’t their business.”
Universities, for example, are trying to do more to protect data. At Boston University, laptops issued by the school’s technology department are encrypted, said Robert Sprinkle, assistant vice president of research computing and medical campus technology at the university.
But he warns, “It’s sort of a whack-a-mole sometimes. Every time you fix one thing, they’ve found some other thing to exploit.”
The school discovered last summer that hackers linked to an Internet address in Russia had slipped into a university server, which had records on participants in a medical research project. University officials aren’t sure whether the hackers accessed those medical records. But the hackers did use the server to attack other servers, including one in Nova Scotia, Sprinkle said.
For consumers, it is getting difficult to keep track of all the ways their information can get into the wrong hands, said Edgar Dworsky, founder of the consumer information website ConsumerWorld.org.
“It’s just become a fact of life,” Dworsky said. “There’s not a lot we can do to prevent the hackers from getting into databases or a clumsy executive leaving a laptop in the airport.”
Chris Goetcheus, spokesman for the state’s consumer affairs division, said Massachusetts residents should check their bank accounts and credit card statements frequently to make sure there aren’t unauthorized charges. If they are concerned, he said, they should ask the companies they deal with how their personal information is protected, stored, and maintained.