NBC 5 Responds

Was Your Data Breached? Reporting Requirements Vary By State, Angering Customers and Advocates

Illinoisans have had their personally identifiable information exposed or stolen at least 5.5 million times since 2020, according to an analysis of state records.

NBC Universal, Inc.

Editor's note: NBC 5 created a searchable database for Illinois consumers to check and see if the industries they interact with on a daily basis have been breached in the last two years (scroll below or click here to use it). 

It’s a persistent threat facing consumers everywhere that often starts with hearing two chilling words: data breach.

From the retailers where we shop, to the hospitals, schools and government agencies we interact with, our personally identifiable information is in so many hands these days, it’s angering when it slips through a company’s fingers and into the palms of hackers or thieves.

But trying to tabulate how often Illinoisans are victims can be a difficult task. 

While the state of Illinois does have laws on the books requiring all parties to notify the Attorney General’s office if an Illinoisan’s information has been compromised, the state -- like a majority across the U.S. -- does not publish those notifications for the public to see. 

But after filing a Freedom of Information Act (FOIA) request for all data breach notifications sent to the state in the last two years, NBC 5 Responds has gone ahead and done just that.

The database is similar to the notifications that Illinois’ neighboring states, Wisconsin, Iowa and Indiana, already post regularly to inform the public. (The Illinois AG’s office said it is exploring ways to do this in the future, but for now, the information is available to anyone who formally requests it.)

The records have illuminated a pressing statistic: Illinoisans have had their personally identifiable information (PII) exposed or stolen more than 5.5 million times in the last two years. 

That works out to an average of nearly one out of every two Illinois residents having had their information breached since 2020. (Based on how data breach notifications are reported to the state, it’s impossible to know whether the number of victims includes persons who had their data breached on multiple occasions.)

The number of victims who had their personal information compromised will likely rise.

There are so many data breach notifications sent to the Attorney General’s office each year that NBC 5 Responds has only received a third of the notification records we requested back in August. 

But with so many people at risk of having their information stolen, what are companies and states doing to protect consumers? And what can you do to protect yourself?

“I was fed up.”

Carolina Barrera is one of those 5.5 million Illinoisans now dealing with daily anxiety after she learned her personally identifiable information had been breached.

The company responsible for securing that information? Her cell phone carrier: T-Mobile.  

So, when Barrera learned her information was swept up in the most recent, massive hack of T-Mobile’s customer database, her stress was dwarfed by her anger.

This was breach number five for the wireless provider in the last four years.

Barrera said because of that, she wasn’t buying the company’s explanation that a “bad actor illegally accessed unencrypted personal information,” according to the company’s notice to the Illinois Attorney General’s office. 

"A ‘very bad actor’?” Barrera said. “[T-Mobile] sent this ridiculous statement. And this is what made me more mad than anything."

Carolina Barrera's personal information was breached after an August cyberattack on her phone carrier, T-Mobile.

That bad actor racked up a huge score: names, Social Security numbers and other PII of almost 50 million customers, according to the company’s news release.

"They've been hacked quite a bit!" Barrera said. "And they're supposed to be one of the safest, as the commercials say? I don't think so."   

T-Mobile is by no means alone. 

It was one of more than 230 companies or institutions listed in our review of records as having informed the AG’s office of a breach.

Of the disclosures to the state, some victims divulged extensive details.

Like the notification sent by Paddock Publications on Jan. 5, 2021, informing the state that more than 18,000 of its customers were affected. 

Paddock’s notification included details on when staff first identified the problem within its computer systems, the steps it took to further investigate and copies of the notices it was mailing out to its customers who were impacted. 

But other notifications to the state are brief in nature, like T-Mobile’s disclosure on Aug. 17 for its most recent data breach. 

The varying levels of detail provided for each breach have made it difficult for those trying to understand the scope of the problem.

"We’re trying to fill a puzzle with more than half the pieces missing."

NBC 5 Responds surveyed the country to see how many states publish data breach disclosures as a normal course of business. The total number: 18 states, including Wisconsin, Indiana and Iowa. 

NBC 5 Responds found 18 states regularly publish information on data breaches impacting their residents.

The fact that less than half of the country is publishing this information is mind-boggling for Privacy Rights Clearinghouse, a non-profit that has focused on consumer privacy rights and issues since 1992.

Emory Roane, an attorney for Privacy Rights Clearinghouse, said Illinois is among the states that could be doing more to better inform consumers of these breaches.

"I would, unfortunately, point to Illinois as it's kind of remarkable how little information your state shares," said Roane. "It is surprisingly difficult, incredibly so, to get reliable information on the true landscape of data breaches in the United States."

Roane points to the fact that there is no federal data breach law or standard for companies and institutions to follow, meaning requirements of companies to notify customers about a breach vary state-by-state.

"There is no federal data breach standard," Roane said. "Instead, there are 50 individual laws which vary considerably."

The Illinois Attorney General’s office told NBC 5 Responds the data breach notifications it receives by law are available to anyone who requests them. The office said it is exploring options for posting this information online in the future.

But in the meantime, NBC 5 Responds is doing just that.

Our team has compiled a list of every data breach disclosed in our ongoing Freedom of Information Act request. So far, the team has only received a third of the records requested for 2020 and 2021.

To use the database, search the name of the company, hospital or school you do business with, and see if they had reported a breach in the last two years.


Tools to better inform consumers of potential risks to their personal information should be more readily available, and required, Roane said. 

“Data breach notification is one of those areas where we should see a single federal standard. Absolutely,” Roane said. “It's an embarrassment, a shame.”

Victims like Carolina Barrera agree. Though T-Mobile said it did offer those affected by its data breach free credit monitoring services, Barrera feels T-Mobile put the onus back on her to watch over crucial personal information it did not. 

“I'm doing their job, which is basically what I'm doing,” Barrera said. “And I have to protect myself obviously because they just don't care about me. It seems like they don't care.”

How To Protect Yourself From A Data Breach

There are some ways consumers can protect themselves, given the frequency of companies falling victim to data breaches.

Here are some recommendations from NBC News to protect your information from compromise:

  • Always use a unique, strong password for every account or website. That way in the event of a breach of one company, it doesn't affect all your accounts. If you have too many passwords to remember, use a password manager.
  • Use multifactor authentication. If one password to an account is breached, multifactor authentication adds another layer of protection before hackers can gain entry to your accounts.
  • Keep an eye on your financial accounts: Set up notifications or security alerts on bank accounts so that you know when transactions take place.
  • The website “haveibeenpwned” will tell you if your email address or phone number was exposed in a data breach.
  • If you were the victim of a data breach that stole your Social Security number or financial/banking information, freezing your credit can prevent thieves from having access to your line of credit. But remember, if you use this option, you’ll have to unfreeze your credit if you plan to apply for a credit card, loan or anything that refers back to your credit history.

Update – 11/16/2021: After this story was published, a spokesperson for T-Mobile sent NBC 5 Responds the following statement regarding its most recent cyberattack:

“Over the past several months we have worked with world-leading cybersecurity experts on a forensic investigation into the cyber breach. As we shared last week during our earnings call, that investigation is more complete, though our overall investigation into the incident is ongoing. During this time, we are cooperating with [Attorney General] inquiries, but those investigations are confidential.”
