An Empirical Analysis of California Data Breaches

Richard Chen
Dec 12, 2018

By Richard Chen and Zakir Durumeric

Data breaches have steadily become more frequent over the last several years. Under California’s data breach notification law, all companies serving California residents who had their data stolen in a breach are required to disclose a breach report detailing the incident. We empirically analyze the public dataset of California data breach notifications, which contains 1,437 breach incidents between January 2012 and September 2018, to find patterns in the types of companies breached, attack vectors, and information stolen. We find that the financial services industry and large companies with over 10,000 employees are most likely to be breached. Software vulnerability is the most common descriptive attack vector. Social Security numbers and payment cards are by far the two most common types of personal information stolen. We also show how attack vectors and information stolen tend to be predictable based on the company’s profile.

Read the full paper here.
