New York Data Breaches Exposed 1.6 Million Records Last Year

Print Email

New York Attorney General Eric Schneiderman on Wednesday said nearly 1,300 data breaches occurred in the state last year and that those incidents exposed personal records of some 1.6 million of the state’s residents. The number of incidents rose 60% year over year and the number of exposed records tripled.

The exposed records consisted “overwhelmingly” of Social Security numbers and financial account information. The AG’s office attributed the release of the personal data primarily to hacking (40%) and inadvertent disclosure (24%). Employee negligence — a combination of inadvertent disclosure, insider wrongdoing and lost devices or media — accounted for 37% of all breaches, nearly as much as hacking.

Schneiderman said:

In 2016, New Yorkers were the victims of one of the highest data exposure rates in our state’s history. … Hacking is increasingly prevalent – making it all the more important for companies and citizens alike to take precaution when sharing and storing personal data. It’s on all of us to guard against those who try to use our personal information for harm – as these breaches too often jeopardize the financial health of New Yorkers and cost the public and private sectors billions of dollars.

According to the report, 69% of the records exposed were due to hacking attacks while just over 20% were down to employee negligence.

The most frequently acquired information in 2016 was Social Security numbers and financial account information, which together accounted for 81% of breaches in New York. Other records such as driver’s license numbers (8%), date of birth (7%) and password/account information (2%) together accounted for nearly 1.3 million exposed personal records in 2016. Social Security numbers alone accounted for more than 42% of the exposed records.

The AG’s report noted last year’s largest reported breaches:

On October 12, 2016, Newkirk Products, Inc., a business associate of Capital District Physicians’ Health Plan, Inc., CDPHP Universal Benefits, Inc., and Capital District Physicians’ Healthcare Network, Inc., reported exposing the personal health information of 761,782 New Yorkers. The next largest breach, reported on January 13, 2016, was at HSBC bank. It exposed the financial, personal, and social security information of 251,201 New Yorkers. Additionally, breaches at Eddie Bauer and Emblem Health reportedly affected 60,205 and 55,664 New Yorkers in August and November, respectively.

The AG’s full press release is available here. The state of New York also did a multiyear study on data breaches that is available here.