Skip to main content

California by the Numbers (Part 1): 24 Million Compromised in 2015

Look for Part 2 tomorrow:  Recommendations on how to stay out of future reportscalifornia-flag-graphic

California Attorney General Kamala Harris has released a report of the data breaches that have been reported to her office from 2012 until 2015. Although the California data breach notification law took effect in 2003, beginning in 2012, businesses and government agencies have been required to notify the Attorney General of data breaches affecting more than 500 California residents.

The number of personal records that were compromised is staggering; 178 breaches were reported during 2015 and 24 million personal records were compromised.

According to the report:

  • Number or breaches reported to the California Attorney General between 2012 and 2015 and number of affected records: 657 data breaches affecting 49.6 million records of California residents.  NOTE:  California's population is only 38.8 million.
  • Type of data breaches: 54% of the total data breaches (or 365 data breaches) were caused by malware and hacking into computer systems by unauthorized individuals. This type of breach affected 90% of the breached records (or 44.6 million records). The 6 largest breaches reported between 2012 and 2015 (Anthem, Target, Living Social, UCLA Health, PNI Digital Media, and T-Mobile/Experian) were all malware and hacking breaches and accounted for more than 70% of all records breached. The remainder of the data breaches resulted from: physical theft and loss of unencrypted data on electronic devices or paper documents (22% of the total data breaches, affecting 6% of the breached records or 2.8 million records), errors of employees and service providers, such as delivery of personal information to unintended recipients, unintentional posting of information on a public website, failure to securely dispose of personal information, and unauthorized employee access to personal information (17% of the total data breaches, affecting 4% of the breached records or 2.8 million records), and misuse of access privileges by insiders (7% of the total breaches, affecting over 206,000 records).
  • Type of breached data: Social Security numbers were involved in 48% of all breaches and comprised 47% of the records breached (or 24 million records), payment card data was involved in 39% of all breaches and comprised 32% of the records breached (or 16 million records), medical or health insurance information was involved in 19% of all breaches and comprised 36% of the records breached (or 18 million records), driver’s license numbers were involved in 11% of data breaches and comprised 17% of the records breached, online account credentials were involved in 9% of data breaches.
  • Data breaches by industry sectors: The retail, finance, and health care sectors represent nearly 60% of all data breaches and accounted for over 80% of the records breached. The largest number of data breaches was in the retail sector, accounting for 25% of all data breaches (or 163 breaches) and for 42% of the breached records (or 21 million records), with most retail data breaches having been caused by malware and hacking and the type of data most commonly breached being payment card data. The second largest number of data breaches was in the financial sector (includes insurance), accounting for 18% of all data breaches (or 118 breaches) and for 26% of the breached records (or 13 million records), with most financial data breaches having been caused by employees and service providers through either intentional misuse of privileges or unintentional errors and the type of data most commonly breached being Social Security numbers. The third largest number of data breaches was in the health care sector, accounting for 16% of all data breaches (or 103 breaches) and for 14% of the breached records (or 6.8 million records), with most health care data breaches having resulted from physical theft and loss (declining from 72% in 2013 to 39% in 2015) and malware and hacking (on the rise from 5% in 2012 to 21% in 2015) and the type of data most commonly breached being patient records and Social Security numbers.
  • How does 2015 compare to 2014? On a comparative basis, the number of California residents affected by data breaches increased from 4.3 million in 2014 to over 24 million in 2015 due largely to the Anthem data breach (10.4 million records), the UCLA Health data breach (4.5 million records), the PNI Digital Media data breach (2.7 million) and the T-Mobile/Experian data breach (2.1 million records).


Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.

Julia Siripurapu