New report reveals data breaches in Washington nearly doubled from 2016 to 2017

A spike in cyber attacks is hitting companies and agencies statewide.

A new report from the Attorney General’s office reveals that data breaches nearly doubled in Washington state from 2016 to 2017, with malicious cyberattacks the most common type of information exposure.

Cities, universities, and agencies all investigated data breaches, with Washington residents’ personal data, including W-2s with social security numbers, exposed.

“It's very surprising to me, and it’s frightening,” Patty Pastore said.

Content Continues Below

Pastore was one of several Port Angeles residents who said they discovered charges on the credit or debit cards they used to pay their utility bills on the city of Port Angeles’s website. She always worried about hackers someday targeting her or her husband, who used a debit card often for purchases, including paying their utility bill.

She said her husband reviews their statements online frequently, and asked her about an odd charge on iTunes.

“It was a very small charge,” she said. “He just sat there and I said, ‘That's not my charge, Bob.’ You need to call the credit union right now.”

A letter filed with the Attorney General's office shows the city of Port Angeles advised 9400 utility customers of “a possible breach” last July and told them that “credit or debit card payments would be “shut down until the issue is resolved.”

Acting city manager Nathan West said they hired a firm to review the alleged breach, but it could not confirm it.

“We haven't been able to find any factual evidence that either fraud or data actually left the system with compromising information,” he said.

But West said the company that makes the payment software they used is still investigating nearly a year later, proof how complicated these types of incidents can be.

Meanwhile, the city has switched to a third-party vendor to handle utility payments. It also restored online payment capabilities for customers after about six months.

Scroll down to continue reading

More news from KIRO 7

“It's important to the city to continue to be protective and making sure IT infrastructure-- software and hardware-- is up to par and as secure as absolutely possible,” West said.

Tracy Bulino, another Port Angeles resident who noticed odd charges on her account, said she acted quickly to have the credit card company shut down her card. When KIRO 7 told her the city said it had not found proof of a data breach, she was surprised.

“I didn’t do the investigation so I can't do anything for sure,” she said, “but it's a little coincidental that a whole lot of people who were paying their bills on this one particular website got hacked right around the same time.”

But the city of Port Angeles wasn't the only one hit by hackers in 2017.

KIRO 7 discovered the Pacific Science Center in Seattle was targeted with a "spear phishing attack,” with hackers accessing W-2 forms that included people’s Social Security numbers.

Pacific Lutheran University was hit, with hackers potentially accessing people’s W-2 forms.

And even Bellevue-based Bulletproof 360, the makers of Bulletproof coffee, stated customers' payment card information may have been accessed on several occasions through 2016 and 2017.

According to the 2017 Data Breach Report from the Attorney General’s Office, the number of breaches in Washington nearly doubled between 2016 and 2017. In 2016, the office was notified of 39 breaches, affecting the personal information of more than 450,000 Washingtonians; in 2017, the office was notified of 78 data breaches, compromising the information of more than 2.7 million Washington residents.

“Millions of Washington consumers have had their personal information compromised as a result of these data breaches,” Attorney General Bob Ferguson said.

Ferguson is currently suing rideshare company Uber on behalf of at least 10,088 residents. Uber took more than a year to notify drivers about a data breach that exposed their names and driver’s licenses.

“If there were folks who had their information compromised, and they had to spend money to get credit freezes, or they were harmed financially, we try to get dollars back to those consumers,” Ferguson said.

Uber’s notification broke the law, Ferguson said, that he himself proposed and that was passed in 2015.

It requires companies to notify his office in 45 days whenever a data breach exposes personal information of 500 or more Washington residents.

And Ferguson says he wants lawmakers to strengthen that law.

“We thought the notice requirement to consumers, if their information's been compromised, should be 30 days,” he said. “Also, the types of information that if compromised, triggers these requirements, I think we can expand that, to include things like your passwords on your computers.”

With hackers always working to break into accounts, consumers know they have to be checking their credit card statements.

But how do you protect yourself from becoming a target in the first place?

Cybersecurity expert Bryan Seely said technology is advancing every day, and everyone needs to be vigilant.

He recommends that people scrutinize every email they get, even if it looks like it’s legitimately from their employer.

“If you get a link saying ‘Sign in,’ it could be an attempt to get your credentials,” he said. “Go the website they're asking you to go to but without clicking on the link.”

He said people also need to think twice while surfing the web and going to unknown websites.

“You click a link and you start going down the rabbit trail of whatever, you'll end up somewhere, thinking, oh wow, this is interesting,” he said, “or that advertisement caught your eye-- if they're pulling your attention towards something, it's probably not a great idea.”

After spending hours on the phone, Patty Pastore said their money was finally reimbursed to their account about a week later.

She said she and her husband have learned their lesson about using debit cards, which allows hackers direct access to their money, instead of a credit card company’s funds.

“It was a blessing,” Pastore said. “It really was. We haven't used our debit card since then… we have one credit card that we use for everything and that's it.”

Seely recommends that everyone have credit monitoring and even consider credit freezes, because they protect people from hackers trying to open accounts in their names. He said people can temporarily lift that freeze if they are applying for an apartment or a new credit card.

More news from KIRO 7