The amount of personal information compromised through data breaches was on the rise in 2011. According to the Privacy Rights Clearinghouse, about 30 million records were compromised in 2011 in 535 separate breaches in the United States. That’s up from 12.3 million in 2010. The numbers are much larger when viewed globally.
Most people assume that hackers using sophisticated techniques are to blame for all the data breaches. In most cases it’s the simple things that trip up organizations. Some don’t encrypt information inside databases. This was the case with Sony. Sensitive information is accessible on the Internet because someone left a server wide open. This was the case with the Texas Comptroller. People don’t take care of backup tapes or laptops, and someone steals them from a car. That has happened all too often.
It’s important for anyone keeping sensitive data to encrypt it. All current databases have built-in encryption, but someone has to implement it. All sensitive documents should be encrypted using a persistent security policy so the author can control who can access them. And make sure you don’t leave the keys (literally and figuratively) out so that anyone can easily come into your organization and steal something valuable.
So to conclude this year, here are 7 of the worst data breaches for 2011. Hopefully things will improve in 2012.
1. Sony – hackers compromised 100 million records
In two separate incidents in April and May, Sony suffered data breaches that prevented people from using the PlayStation Network, Sony Online Entertainment and its “Qriocity” music service. Hackers compromised over 100 million records, including 12 million unencrypted credit card numbers. Because of the breach, Sony shut down these networks and most likely lost millions of dollars of revenue. The culprit was a lack of basic security on consumers’ personal data. Most information was not encrypted and was left wide open.
2. Tianya – social networking site leaked user names and passwords
On December 25, hackers accessed some 40 million users’ names and passwords from the Chinese social networking site Tianya.cn. All the data was stored in clear text format instead of being encrypted. This followed other recent compromises of Chinese sites where millions more records were leaked. This again points to a lack of basic security.
3. Steam (Valve, Inc.) – gaming download site leaked personal data
A database containing 35 million user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information was accessed by hackers in November. Because the Steam online digital store, game library and multiplayer network is used as a consolidation point for many people who purchase games, this breach could affect a lot more than just this network. Fortunately, credit card information was encrypted, but the fact that hackers got in at all is troublesome.
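The difference between Tianya’s clear-text password table and Steam’s hashed-and-salted one, as an added example (not code from the original post or from either company). The user table is constructed, and PBKDF2-HMAC-SHA256 is an assumption; the post does not say which hash Steam used.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample table in the Tianya style described above: whoever
# reads this table reads every password, and reused passwords are obvious.
CLEAR_TEXT_USERS: Dict[str, str] = {"alice": "hunter2", "bob": "hunter2"}

# Parameters for the salted-hash alternative (assumed, not taken from Steam).
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: 'pbkdf2_<hash>$<iterations>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # a fresh random salt per user
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    hash_name = algo.split("_", 1)[1]
    digest = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_hashed_table(clear_table: Dict[str, str]) -> Dict[str, str]:
    """Convert a clear-text table into one that stores only salted hashes."""
    return {user: hash_password(pw) for user, pw in clear_table.items()}


if __name__ == "__main__":
    hashed = build_hashed_table(CLEAR_TEXT_USERS)
    # Same password, different salts: the two records no longer match, and
    # neither contains the password itself, so a leaked table is far less useful.
    print(hashed["alice"] != hashed["bob"], verify_password("hunter2", hashed["alice"]))
```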
4. Epsilon – email database of major US companies compromised
In April, this marketing company had its database of email addresses compromised, and about 50 million records were affected. Epsilon provides email marketing services for large companies, including JPMorgan Chase, Marriott, Verizon, Best Buy, Citibank and Target. All the affected companies had to send out emails or letters to customers apologizing for the incident. These lost emails make people vulnerable to “spear phishing,” which occurs when a criminal sends the customer an email that sounds and looks like it’s from the company.
5. Tricare – computer backup tapes stolen from a car
Last September, someone stole backup tapes from the car of an employee of Science Applications International Corporation (SAIC), a defense contractor for Tricare. The tapes had documents with the Social Security numbers, addresses, phone numbers, and other medical information of approximately 5 million patients. The patients affected were treated at military hospitals and clinics during the last 20 years. The breach led to a $4.9 billion lawsuit, which aims to compensate the victims. SAIC is supposed to physically secure the tapes during transport, but obviously didn’t.
6. Texas Comptroller – server files publicly accessible
The names, addresses and Social Security numbers of 3.5 million people were inadvertently left on a publicly accessible state server by the Texas Comptroller’s Office for a year or longer. The data was from the Teacher Retirement System of Texas, the Texas Workforce Commission and the Employees Retirement System of Texas. This is another example of not doing the basics to lock down information on a server.
7. Sutter – a desktop computer was stolen from a building
Last October, some people broke into the offices of Sutter Health and stole a desktop computer. It had names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan names of about 3.3 million patients. Another 943,000 Sutter Medical Foundation patients had descriptions of medical diagnoses exposed, too. This was an old-fashioned robbery. Unfortunately, nothing was encrypted, so Sutter had to inform government authorities and everyone affected.