Personal information on about a third of Massachusetts residents has been compromised, according to the state's attorney general, citing statistics gleaned from the tough data breach reporting law there.
About 2.1 million of the state's roughly 6.6 million residents had some form of personal data put at risk in 1,166 reported theft incidents, says Attorney General Martha Coakley, according to a report in the Boston Globe. She was citing numbers gathered from the start of 2010 through this August.
She says she is reviewing the stats to see whether the law, which imposes heavy fines for non-compliance by entities entrusted with this data, is cutting back on breaches that lead to compromises.
The AG says a combination of hacking, errors by employees and a growing body of personal data that is stored electronically by businesses will put that data at more risk over time. "This is going to be an increasing target," she says.
The largest breach in the time period Coakley is reviewing involved information on about 800,000 people that was lost by a vendor hired to destroy it. Even information on 210,000 residents entrusted to a state agency was put at risk.
The types of data covered by the law include credit card and bank account numbers, Social Security numbers and medical records. Massachusetts' reporting law is considered one of the toughest in the nation. The state is also the home of TJX (See: "20 years for notorious TJX hacker Gonzalez"), whose loss of millions of credit card numbers was notable for its scale and is still one of the largest ever.
Coakley says the compromised records were not necessarily exploited. So a person's credit card number might have been removed from a secure and trusted environment but not necessarily used without authorization.
Of the 1,166 breaches since 2010, 41% have occurred in the past eight months. A quarter of the compromises stem from hacking, but the data was also put in jeopardy by loss of laptops and paper documents, sending information to the wrong recipient and unauthorized viewing of files by employees.
Many of the reported incidents were small, with just one person being affected in 30% of the cases.