July 24, 2017
A series of new reports on hacking of credit card data at Trump hotels highlights a newly public records source that is becoming increasingly valuable: data breach notices.
As companies have increasingly been targeted by hackers – and have become increasingly aware of the risks around exposing public data – states have imposed new laws requiring that companies disclose these data breaches to their affected (or potentially affected) customers. This typically takes the form of a fairly standardized data breach letter, disclosing some details of the breach and who is affected.
These can be a really interesting source of news and intelligence about the companies that file them and about the incidents themselves, but normally they’re only posted on the companies’ websites (often obscurely) or only sent to the recipients.
However, the state of California (along with a handful of other states) actually retains a database of major breaches. State law “requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.” In turn, any notice sent to more than 500 California residents must also be sent to the California State Attorney General. Those notices are posted on an online database of major data breaches.
These notices variously provide some details of what happened in the breach and – on occasion – how many folks are affected and what data was affected. For example, in the case of the filing for Trump Hotels the notice details how the breach happened (though not the overall number of people affected):
The Sabre SynXis Central Reservations system (CRS) facilitates the booking of hotel reservations made by consumers through hotels, online travel agencies, and similar booking services. Following an investigation, Sabre notified us on June 5, 2017 that an unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information for some of our hotel reservations processed through Sabre’s CRS. The investigation found that the unauthorized party first obtained access to Trump Hotels-related payment card and other reservation information on August 10, 2016. The last access to this information was on March 9, 2017.
While other states maintain similar data resources, California’s is the most comprehensive and appears to be the most frequently updated. Washington state also posts notices as they’re received, as does the state of Oregon, the state of Vermont, the state of Wisconsin, the state of Maine, and Montana.
The state of Massachusetts also posts some information on data breach notices, but they appear to update their records quarterly. The same appears to be true in Maryland. New Hampshire has a small number of records available as well.
The State of Indiana appears to release their reports on an annual basis.
At the federal level, HHS reports this information for breaches of unsecured protected health information affecting 500 individuals or more.
The Identity Theft Resource Center also aggregates a lot of this information on their website on a weekly basis.
While sometimes these filings become the center of news stories, they often don’t at the time, and can be a useful point to look back to for context.
Databases like California’s Data Breach Notices are integrated into the Vigilant research platform and can be accessed and monitored for new records through the platform. Contact us if you’re interested in a trial.