In the first report of its kind, state Attorney General Kamala Harris said 2.5 million Californians had Social Security numbers, credit card and bank accounts and other sensitive information exposed in 131 data breaches.
The breaches occurred at companies ranging from Petco to Barnes & Noble, universities across the state and government agencies. American Express Travel Related Services was named 19 times, along with banks and other companies that handle financial transactions. Most of the data breaches reported to the attorney general occurred in 2012. But several happened in 2011 and one dates back to November 2010.
"The numbers are certainly staggering," said Paul Stephens, director of policy and advocacy for the San Diego-based Privacy Rights Clearinghouse.
The disclosure comes amid increasing concerns about the safety of personal data as more people move their financial records online, make purchases through the Internet and use social networks, even as they are being tracked by third-party advertisers.
"Companies are collecting too much information that they can't protect," said Marc Rotenberg, executive director of the Washington, D.C.-based Electronic Privacy Information Center. "The consequence is that they're leaving their users at risk when these breaches occur. If they can't protect it, they shouldn't collect it."
Harris issued the report Monday under a 2003 California law that requires government agencies, retailers, universities and others that collect data to report any breach involving more than 500 Californians; such reports to the attorney general were required for the first time in 2012.
Nearly half the people whose information was exposed -- 1.4 million Californians -- could easily have been protected if the data had been encrypted, the report said.
The law does not require Harris to report on the data breaches, but she issued the report voluntarily. It comes as the case of Edward Snowden, the former defense contractor employee who leaked secrets about a massive government surveillance program, raises questions about who has access to data.
"This (report) is on the heels of the Snowden incident," said Eric Chiu, president and co-founder of Mountain View-based HyTrust, a cloud security company. "It's yet another wake-up call to companies and government organizations to focus on security access to data, which is ultimately what insiders and hackers want to profit from and make public, which is what Edward Snowden wants."
Data breaches were experienced by a wide range of well-known companies and organizations including American Express Travel Related Services and its affiliates; Kaiser Permanente; Kaiser Foundation Health Plan; State Farm Insurance; Pepperdine University; Stanford University Hospital; University of Southern California; Gotickets; Petco Animal Supplies; Discover Financial Services; Bank of America Merchant Services; St. Joseph's Medical Center; and Sacramento Area Fire Fighters Local 522.
Several state agencies also had data breaches, including the departments of Social Services; Child Support Services; Corrections and Rehabilitation; and Health Care Services.
The retail industry represented most of the cases: 34, or 26 percent of the total.
The report does not provide details on what happened to people whose sensitive information was exposed. But in 2012, Harris' office reached a settlement with Blue Cross of California, which does business under the trade name Anthem Blue Cross, after the company printed Social Security numbers on letters mailed to more than 33,000 of its Medicare Supplement and Medicare Part D subscribers.
The settlement required Anthem to pay $150,000 and implement safeguards for its data management system, restrict employee access to members' Social Security numbers and provide enhanced data security training.
According to the attorney general's report, a typical data breach involved information on 22,500 people. But five breaches involved information for 100,000 or more people.
And more than half of the cases -- 56 percent -- involved Social Security numbers, which the attorney general's office said "posed the greatest risk of the most serious type of identity theft."
While 55 percent of the cases involved outsiders or unauthorized users, 45 percent were the result of failures by information managers to adopt or carry out security measures.
Harris vowed that her office will make it a priority to investigate data breaches involving unencrypted personal information.
Peter Eckersley, technology projects director for the Electronic Frontier Foundation, said Harris' report offers a big step toward containing future data breaches.
"We need transparency when data is compromised," he said. "It's gotten really cheap and easy for companies to accumulate enormous stores of information about their customers and, even more horrifyingly, about people who are not their customers. ... All it takes is one employee's laptop to be compromised and suddenly millions of people's most intimate secrets can be exposed."
For the companies that lost data -- and for those that will have to report future breaches -- Stephens, of the Privacy Rights Clearinghouse, believes the attorney general's report will pressure them to treat customers' and clients' data more carefully.
"Companies," Stephens said, "don't want to be seen as the entities that were involved in a breach."
Contact Dan Nakaso at 408-271-3648. Follow him at Twitter.com/dannakaso.
According to a report on data breaches from state Attorney General Kamala Harris:
A typical data breach involved information on 22,500 people.
Five breaches involved information for 100,000 or more people.
More than half of the cases -- 56 percent -- involved Social Security numbers.
More than half of the people whose personal data was exposed -- 1.4 million Californians -- would have been protected if the companies and agencies that gathered the information had encrypted it.