In Massachusetts, data breaches, threats on the rise

Massachusetts companies and government agencies have seen a twofold increase in data breaches since 2012, according to an Axios Boston review of state data.

What's happening: Data breaches have become more common as hackers grow more sophisticated, experts say, with residents' Social Security numbers, credit card numbers, driver's license details and other sensitive information falling into the wrong hands.

• The shift to remote work also made some companies more vulnerable, particularly those that didn't bolster their cybersecurity protections outside of the office.
• In 2020 alone, Massachusetts residents lost almost $100 million from reported cyber crimes, ranking No. 13 in the country, according to a report from the FBI Internet Crime Complaint Center.

The latest: Quincy-based Shields Health Care reported a data breach earlier this month that has affected 2 million people nationwide. The company hasn't reported to the state how many of them are from Massachusetts.

By the numbers: These incidents have doubled from 1,130 in 2012 to 2,488 in 2021, per the state data.

• The number of affected residents has also increased, from 325,867 to more than 1.8 million in 2021.
• So far in 2022, more than 1,000 data incidents have been reported to the state, affecting close to 846,000 people in Massachusetts. Hackers accessed users' Social Security numbers in more than half of those breaches.
• That means Massachusetts is on pace to see as many (if not more) residents affected by data breaches this year as last year.

Between the lines: 10 data breaches account for more than 80% of affected Massachusetts users this year.

• The largest breach targeted Comstar, a Rowley-based ambulance billing service, and affected nearly 192,000 Massachusetts residents.
• Cash App Investing's data breach, the second-largest by affected users, hit 126,000 Massachusetts residents, and the company estimates that 8 million total users may have been affected.

How it works: Data breaches can result from malware or hackers exploiting a weakness in software to infiltrate a person or organization's systems.

• Hackers can also use stolen usernames and passwords obtained in a previous cyber attack to get into a company or agency's system.
• Of note: While the worst breaches tend to come from planned attacks, sometimes people's data becomes compromised in accidental leaks, like when a phone without two-factor authentication or other protections is lost or stolen.

What they're saying: "One of the things we see quite often in these data breaches, especially where usernames and passwords are concerned, we see the attackers take those and try to use them in other places you might go," Kev Breen, director of cyber threat research at Immersive Labs, tells Axios.

• "So if your Facebook account is stolen, then you use that same password to log onto your mobile banking, actually now the attacker could start logging into your bank," he says.

Be smart: It's not just private companies. ​​The town of Fairhaven reported a breach in May that affected an estimated 21,188 people.

The bottom line: Data breaches and leaks are virtually inevitable, but companies and government agencies can train to recognize suspicious activity and implement crisis response plans.

• "No matter who you are, at some point in time, you're going to suffer a data leak or a data breach,” Breen says, "whether it's because you've been deliberately attacked or it's something incidental."