More than 116,000 New Jersey residents were victims of 676 data breaches in 2016, state Attorney General Christopher Porrino said Monday.
Porrino made the announcement alongside the state’s first-ever release of annual statistics on data breaches.
“Doing business online and on our devices has become so routine that it’s easy to let our guard down. But as these statistics on data breaches highlight, it’s critical that we protect our sensitive personal information from the many who seek to access it for harmful ends,” said Porrino in a statement.
“The statistics compiled present a sobering picture of the challenges that face us when it comes to cyber security. We urge citizens to use the resources available through the Division of Consumer Affairs in order to protect themselves and their loved ones from identity theft and other forms of cybercrime,” said Sharon Joyce, the division’s acting director.
The information released by the Attorney General’s Office and the State Police details data breaches in New Jersey occurring in 2016. Data breaches involve the unauthorized access to personal information—which may include a person’s first and last name linked with a Social Security number, driver’s license number, or account, debit, or credit card number.
State law requires that any business that operates in New Jersey, or any public entity that compiles or maintains computerized records that include personal information, must disclose any breach of security to customers who are New Jersey residents and whose personal information was or is believed to have been accessed by an unauthorized person.
The business sectors most often involved with breaches include finance/banking, health services, and retail trade, the office said. Other areas include educational institutions, restaurants, industrial and manufacturing facilities, hotels, nonprofits, non-medical insurance, and telecommunications.
The methods used to breach security were led by phishing—a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, instant message or other communication channels—and hacking, the office said. Website malware, employee incidents, unauthorized email access, and ransomware were also utilized.
The office cited three major data breach cases affecting New Jersey residents, though none was resolved in 2016:
- Vizio: On Feb. 6, 2017, the DCA announced that smart TV manufacturer Vizio Inc. and its subsidiary Vizio Inscape Services LLC agreed to pay the state and the Federal Trade Commission $2.5 million and change their business practices to settle allegations they violated the New Jersey Consumer Fraud Act and the Federal Trade Commission Act by surreptitiously tracking consumers’ television viewing habits and selling the information to marketing companies and data brokers. In a joint complaint filed in the U.S. District Court for the District of New Jersey, the state and the FTC alleged that Vizio and Inscape violated state and federal laws by failing to effectively inform consumers that Vizio smart televisions were continuously collecting and storing information about their viewing habits, and that the data was being sold to third parties for marketing purposes. Under the terms of the settlement, Vizio and Inscape paid the state $915,940 in civil penalties and $84,060 in attorney fees and investigative costs. Vizio and Inscape also agreed to destroy consumer viewing data collected prior to March 1, 2016, prominently disclose to consumers the type of data that will be collected by the “Smart Interactivity” feature, obtain consumers’ affirmative express consent before collecting their viewing information, and implement and maintain a comprehensive privacy program.
- Horizon: On Feb. 17, 2017, the DCA announced a settlement with Horizon Healthcare Services Inc., more commonly known as Horizon Blue Cross Blue Shield of New Jersey, to resolve claims under the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act. In a complaint filed in the District of New Jersey, the state alleged that Horizon violated the CFA and HIPAA by failing to properly protect the privacy of New Jersey policyholders whose unencrypted personal information was contained on two laptops stolen from the insurer’s Newark headquarters. Under the terms of the settlement, Horizon agreed to pay the state $1.1 million and to implement a plan to correct the problem.
- Target: On May 23, 2017, Porrino announced that Target Corp. agreed to pay New Jersey, 46 other states and the District of Columbia more than $18 million to resolve a multistate investigation into a data breach that compromised the payment card information of shoppers nationwide. New Jersey, which was a member of the multistate executive committee, received a total payout of $680,411 from Target. In addition to the monetary terms, Target agreed to enact a variety of cybersecurity reforms designed to prevent similar data breaches in the future, including the creation of an information security program.