California, Texas, Florida and New York suffered the greatest financial losses due to cybercrime in 2017, according to the FBI’s annual Internet Crime Report. The report, published Monday, goes through a year’s worth of cyberattacks reported to the bureau.
Added up, the more than 300,000 cybercrime complaints the FBI heard last year accounted $1.4 billion in financial losses. Targets in California suffered losses totaling $214.2 million, followed by Texas with $115.7 million, Florida with $110.6 million, and New York with $88.6 million. Arizona, Washington, Illinois, New Jersey, Colorado and Massachusetts round out the top 10.
The bulk of the cybercrimes the FBI investigated last year had to do with compromised email accounts, data breaches and schemes to defraud the elderly. Compromised email systems led to $676 million in losses, while complaints received from victims older than 60 accounted for $342 million.
One of the year’s biggest cybersecurity stories — high-profile ransomware attacks on companies and governments — barely registered on the FBI’s list, most likely for two reasons: The Internet Crime Complaint Center mostly receives complaints from individual consumers, and the report doesn’t measure overall economic impact of cyberattacks. Of all the complaints tallied by the FBI, only 1,783 mentioned ransomware, accounting for $2.3 million in direct losses to crooks. Ransomware typically locks victims out of their data until hackers receive payment, often in a digital currency like bitcoin. The FBI advises against paying such ransoms.
The broader impact of ransomware comes from recovering or replacing frozen IT infrastructure once a victim has decided not to pay. Some companies hit by ransomware last year have said they lost hundreds of millions of dollars recovering. FedEx reported a $300 million loss after the shipping giant’s Dutch subsidiary found its files suddenly encrypted by the NotPetya worm. The pharmaceutical manufacturer Merck reported $310 million in lost sales and additional expenses after it was hit by the same virus last June.
Expenses to overcome a ransomware attack quickly outstrip the hackers’ demands. In the case of NotPetya, several corporations shelled out big even though they were only asked to pay the equivalent of about $300 to hackers. High-profile ransomware attacks against state and local governments in 2018 have resulted in similarly lopsided expenditures by the victims.
Atlanta, which is still recovering from the March ransomware attack that briefly knocked out city-government systems and online citizen services, has spent more than $5 million in emergency cybersecurity contracts. Colorado has spent nearly $1.5 million since February, when its transportation department was hit.
In Atlanta’s case, the hackers behind the crippling ransomware known as SamSam had asked for about $51,000 in bitcoin.