Data breaches on the rise, data shows, threatening more CT residents

During the summer of 2020, Hartford school officials spent months sorting out what they imagined would be their biggest headache of the fall: how to hold classes in-person while simultaneously preventing the COVID-19 virus from spreading. Their hands were full.

Then, suddenly, an entirely different kind of infection entered the picture.

An unknown attacker had broken into the City of Hartford’s computers, and the most significant disruption hit the school bus system, which lost access to route information, leaving 4,000 students without a way to get to class. The school district had no choice but to delay reopening.

IT staff discovered the hack quickly and students were brought back to class within two days.

But “it took much longer to restore a wider range of systems,” Charisse Snipes, IT director for the City of Hartford, said in a statement. Ultimately, it took months to recover from the attack, which Snipes said was “severe.” Both the National Guard and the Federal Bureau of Investigation became involved in an investigation.

It would be far from the only time an organization faced similar threats that year.

Reports of hacks and other forms of data breaches have skyrocketed in Connecticut in recent years, jeopardizing the personal information of an increasing number of residents. Experts believe more of that data is being lost to cybercriminals with the worst of intentions. 

Data released to Hearst Connecticut Media Group by the state Attorney General’s office shows 1,062 breaches affected roughly 546,000 Connecticut residents in 2020. Companies, government agencies, nonprofits, and others who conduct business in Connecticut are required by state law to disclose known electronic breaches of Connecticut residents’ personal information to the AG’s office.

The definitions of personal information range from Social Security numbers to confidential financial or health data.

The records show the number of breaches reported climbed by nearly 20% each of the last three years. 

Already in 2021, breaches have affected more than twice as many residents as in 2018.

Over the past nine years, organizations have collectively reported that the data of about 6 million residents was potentially compromised in data breaches. That strongly suggests many residents have been affected by multiple breaches, given the state is home to about 3.6 million people.

The AG’s information doesn’t include what type of attack the organization experienced. But Michele Lucan, the state’s deputy associate Attorney General and chief of the office’s privacy section, said in a statement malicious attacks from criminals are on the rise, in Connecticut and elsewhere.

Criminals often try to directly enrich themselves by demanding ransoms, though a growing number of hacks have sought valuable personal data that can later be resold or used against individuals in other ways.

“In the past, these attacks were perceived to be purely financially motivated, but it has become clear that stealing data is another key goal,” Lucan said.

The uptick in breach reports is also due to more organizations collecting and storing people’s personal data, Lucan said, and awareness of the requirement to report is improving. The law requiring disclosure is close to a decade old, and state lawmakers updated it this year.

Many of those making reports — businesses large and small, hospitals, credit bureaus and more — are based outside of Connecticut. The counts are an approximation, because more than one organization might report the same breach.

Large, headline-dominating breaches are still affecting the greatest portions of state residents. For instance, 2.8 million residents saw their data lost in just two breaches, one at Target in 2013 and the Equifax incident in 2017.

But experts said the cyber threats to smaller organizations, and even schools and local governments, are increasing. Ransomware attacks — where criminals lock up a system and demand a ransom in order to restore service or delete stolen data — are especially prevalent.

Ransomware attacks have become so popular because they’re relatively easy to pull off, said Stephen Fitzgerald, a professor of IT Security at the University of Connecticut. Since one of the final steps of these attacks involves a malicious actor simply demanding money, the payoff is quick.

“You don't have to then sell the data,” Fitzgerald said. “You basically lock up someone and then say ‘Hey, pay us money to unlock.’”

Using ransomware is also effective because of its versatility. Depending on the time, resources and skill levels available to malicious actors, ransomware can be applied at different levels of risk and reward. 

Of course, there are large-scale and high-profile ransomware attacks, like the breach on the Colonial Pipeline Company, which owns the largest fuel pipeline in the country. In that attack, the company ultimately paid a cybercrime group a $4.4 million ransom in order to restore service after hackers shut down the pipeline for six days in May 2021. 

But smaller attacks can be just as profitable, because they’re easy to execute, according to Fitzgerald. Big companies like the Colonial Pipeline Company have robust cybersecurity protections that can be difficult to breach. Typically, smaller institutions like doctors’ offices and schools lack the same level of security, making it easier for criminals to strike — and fast.

“This is someone walking through the parking lot and jiggling the handles to the cars,” Fitzgerald continued. “With these smaller institutions, they're just jiggling the handle. If the car is locked, they move on.” 

Certain foreign governments turn a blind eye or even enable attackers, he said, multiplying threats worldwide and trickling down even to small organizations in Connecticut.

“There's always information worth a ransom, on any computer,” said Vahid Behzadan, a professor of computer and data science and a cybersecurity expert at the University of New Haven.

Hacking has become relatively easy in recent years, experts said. Cybercriminals now operate in an online economy where tools enabling almost anyone to make an attack are for sale at affordable prices, said Behzadan. 

“If anybody wants to get into cyber criminal activities, the bar is not so high,” Behzadan said. “They can actually get into it quite easily. The problem is whether they can get away with it.” 

Beyond hacks, employees frequently disclose sensitive data accidentally.

The state-run health insurance exchange, Access Health CT, has reported 111 breaches since 2013, more than any other organization, inside or outside Connecticut, Attorney General office data shows.

Kathleen Tallarita, a spokeswoman for Access Health, said “nearly all of the breaches reported by (Access Health CT) involve only one consumer.”

But some were larger. Its biggest reported breach involved the data of 1,100 people. Tallarita said the incident was the result of a phishing attack sent via email to an employee. In another case, a call center employee misplaced their notes, which contained the personal information of about 400 consumers.

Tallarita said Access Health “is committed to protecting the security of consumer information.”

On a much larger scale, a breach at the financial services firm Morgan Stanley affected more Connecticut residents in 2020 than any other. The company reported to the Attorney General that 220,000 state residents were affected in the breach, which happened when computer hardware was not properly disposed of and unencrypted data was left exposed to a vendor.

A spokeswoman for Morgan Stanley did not answer a question about how many people the breach affected nationwide. The firm said it has strengthened its security policies. 

“We have continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused,” the spokeswoman said. “Safeguarding our clients’ information is of paramount importance.”

The incident resulted in class action lawsuits against the company, a consequence large corporations often encounter after a breach.

A new Connecticut law could protect organizations from that possibility, however. Passed in 2021, the law protects companies from having to pay damages in breaches if they have instituted certain cybersecurity controls.

Ashley Zane, government affairs associate for the Connecticut Business & Industry Alliance, which lobbied in support of the bill, said the relief the law provides offers an incentive for businesses — particularly small ones — to beef up their protections. 

“Investing in cybersecurity can be costly,” Zane said. “A lot of times you don't see a benefit until you have a breach.”

For smaller entities in particular, Fitzgerald from UConn said, that upfront cost can be extremely burdensome, especially since it cannot be ignored. Companies that don’t have the in-house expertise to combat cyber attacks often have to rely on third-party service providers for protection.

While hiring a third party to handle cybersecurity poses a financial barrier for many entities, there’s also a security risk inherent in that information exchange.

“A lot of these mom-and-pop places, they know that they don't have the resources or the know-how to deal with cyber threats, so they outsource … that service to a provider,” he said. “Those providers then become big fish [for cyber criminals to target], because those providers are giving services to a lot of small businesses.” 

The surge in breaches in Connecticut fits with the trend seen globally.

In the first half of 2021 alone, criminals attempted roughly 304.7 million attacks worldwide, according to a report from the cybersecurity firm SonicWall. That figure is more than the entire number for 2020, the experts wrote, and 2021 will assuredly “go down as the worst year for ransomware SonicWall has ever recorded.”

The monetary worth of your personal data on the dark web depends on the type of information, according to the credit monitoring firm Experian. Diplomas can sell for between $100 and $400, medical records can go for up to $1,000 and passports for $2,000, Experian reported.

“By itself, it doesn't have any value to the criminal,” Fred Scholl, cybersecurity program director at Quinnipiac University, said. “But they can sell it to someone else.” 

Further complicating matters, Scholl said, is the fact that it can be difficult for the victim of a cyberattack to tell what information was lost, if any.

In the case of Hartford Schools, Snipes, the IT director, said a forensic analysis only recently concluded, more than a year after the attack. While Mayor Luke Bronin said at the time officials did not believe any personal information had been stolen, the City is now notifying some individuals their data could have been compromised “out of an abundance of caution,” Snipes said.

The state Attorney General’s office has only pursued legal action against a company for failure to report under the notification law on one occasion, when Uber Technologies waited a year to report a breach, eventually notifying states in 2017. A group of the states’ top lawyers ultimately won a $148 million settlement, $4.5 million of which went to Connecticut. 

John Neumon, assistant Attorney General, said in a statement instances of failing to report a breach to the office are usually handled informally. 

“The goal is to get notice out timely to consumers with understandable and relevant information so that consumers understand what happened and what they can do,” Neumon said.