In recognition of October’s Cyber Security Awareness Month, Attorney General Rosenblum today released updated data showing an increase in data breaches reported to the Oregon Attorney General’s office. In the first nine months of 2021, 131 breaches have already been reported, compared to 110 incidents reported in 2020. Other incidents involving ransomware, an attack that threatens to block access to your computer or software system, have also been reported. Most of these breaches happen online and involve businesses from all industries.
In September 2021, for the first time, the Oregon DOJ also settled a data breach case involving an Oregon professional services company. The $50,000 settlement with Gustafson & Company LLC, a Portland-based certified public accountant (CPA) firm, stems from a 2020 data breach that exposed the personal and financial information of 1,881 Oregonians.
“This month is a good reminder to do a ‘cybersecurity cleanup’,” Attorney General Rosenblum said. “Make sure your passwords are strong and that the software on all your devices is up to date. You should never click on a link you don’t know and watch for signs of spoofing from a boss, client, or anyone else in your network. Don’t click a link in an email or text message if something doesn’t look right to you.”
Data breaches reported to the Oregon Department of Justice:
2018: 109 breaches reported
2019: 99 breaches reported
2020: 110 breaches reported
2021: 131 breaches reported (*as of September)
In 2015, Attorney General Rosenblum led updates to Oregon’s data breach laws, giving her office the power to enforce state sanctions against violators. Since then, the DOJ has investigated and negotiated numerous settlements on behalf of Oregon consumers, including a $2.8 million share of a 50-state settlement with the consumer credit reporting giant Equifax, and a $10 million nationwide settlement against health insurer Premera Blue Cross. Last year, the Oregon Department of Justice also struck a deal with Burgerville for $150,000 and several significant changes to the company’s operations to better protect information.
Gustafson Data Breach:
In January 2020, a scammer gained access to Gustafson’s computer network by posing as a customer attempting to send a W-2 via a zip file. The malware was on the Gustafson network for about a week before it was identified and removed from the network. Even though the company had a large volume of sensitive customer data, Gustafson reportedly failed to investigate the breach to determine if any files had been accessed. It wasn’t until March 2020, after five other customers filed fraudulent tax returns, that Gustafson hired a forensic investigator to conduct a full investigation into the incident.
Gustafson did not notify Oregon residents of the breach until the end of May 2020. Under Oregon law, a company must give notice of a security breach in the most expeditious manner possible, but no later than 45 days after discovering the breach.
“CPAs have a duty to protect consumer data from unauthorized access,” said AG Rosenblum. “My office will continue to monitor and crack down on those who have access to Oregonians’ personal and financial information and who do not maintain the highest standards of security.” AG Rosenblum also thanked her team at the Oregon Department of Justice, including Assistant Attorney General Kristen Hilton in the consumer protection section.
In addition to the $50,000 settlement, Gustafson will develop and maintain several data security practices designed to strengthen its information security program and protect consumers’ personal information.
Source: Oregon Attorney General