Thursday, April 3, 2008

Top Security Breaches - 2007

David Hakala on January 22, 2008

Every year sees a fresh crop of security breaches. Most go unreported, unless they involve consumers' personal data, at which point companies are required to give timely public notice of security breaches. The following list of 2007's worst security breaches consists mainly of such reportable incidents. The incidents are sorted in descending order of severity based on how many individuals were potentially affected.

Note that remote hackers played a role in a small minority of cases. Most data losses occurred because laptops, tapes or disks were not properly secured. It is a never-ending struggle to get users to adhere to physical security protocols.

Jan 17, 2007: The TJX Companies Inc. (which operates T.J. Maxx, Marshalls and other stores) announced that it suffered an “unauthorized intrusion” into its computer systems that process customer transactions. The company subsequently revealed that the hackers had access to between 46 million and 215 million customer records for 17 months. The costs of this breach have reportedly reached $216 million, and the lawsuits are still flying.

July 3, 2007: Some 8.5 million customer records were stolen by a database analyst employed by Certegy Check Services Inc., a subsidiary of Fidelity National Information Services. The theft included credit card and bank account data, as well as other personal information. In November 2007, the employee pled guilty to conspiracy and fraud charges. A California class-action lawsuit against the company and its parent alleging negligence remains pending.

Sept. 15, 2007: Online stockbroker TD AMERITRADE’s computer system was infiltrated by hackers, who stole up to 6.3 million customer contact records including names, addresses and phone numbers. The hackers were able to install a backdoor program on the company's server, which gave them access.

April 10, 2007: A CD containing the personal information of 2.9 million Medicaid and child health care insurance recipients was lost in shipping. Officials would not reveal whether the data was encrypted. The data was being shipped from an Atlanta office of Affiliated Computer Services Inc., which manages claims for the state, to another contractor in Maryland.

Aug. 23, 2007: Monster revealed that intruders using legitimate usernames and passwords entered its system and made off with 1.3 million job seekers' records, including email addresses, names, home addresses and phone numbers.

Sept. 28, 2007: A laptop containing the personal information — including Social Security numbers — of 800,000 employment applicants was stolen from the offices of a third-party vendor that manages application data for fashion retailer Gap Inc.

July 20, 2007: SAIC, a Pentagon contractor, failed to encrypt data on 580,000 military households before transmitting it over the Internet. The data included names, addresses, birth dates, Social Security numbers and health information. The data was stored on an unsecured server.

June 15, 2007: In Ohio, a backup tape stolen from a 22-year-old intern’s car contained the names and Social Security numbers of all 500,000 state employees, plus 225,000 similar records of taxpayers.

Oct. 4, 2007: The Massachusetts Division of Professional Licensure, responding to public-records requests from marketers, mailed out disks containing the names and addresses of 450,000 licensed professionals in the state. Then, the division hurriedly mailed letters to all 450,000 professionals saying that their Social Security numbers had been included inadvertently. All but two of the disks were recovered.

May 19, 2007: Hackers broke into the network of the Illinois Department of Financial and Professional Regulation in January 2007 and accessed nearly 300,000 records regarding licensed professionals and applicants for licenses. The breach was discovered on May 3, 2007.

Aug. 23, 2007: A laptop containing 280,000 records about city retirees was stolen from a consultant to the City of New York Financial Information Services Agency as he sat in a restaurant.

Dec. 5, 2007: The names and Social Security numbers of 268,000 blood donors were on a laptop stolen from Memorial Blood Centers in Duluth, Minn.

March 30, 2007: Three laptops were stolen from the offices of the Los Angeles County Child Support Services. The data included 130,500 Social Security numbers — most without names — 12,000 individuals’ names and addresses, and more than 101,000 child-support case numbers.

May 19, 2007: A computer was stolen from the Texas Commission on Law Enforcement Standards and Education. It contained the names, home addresses, driver-license numbers, birth dates and Social Security numbers of every licensed law enforcement officer in the state — some 230,000 individuals.

Oct. 30, 2007: Three backup tapes containing 230,000 records of The Hartford Financial Services Group Inc.'s customers were misplaced.

Oct. 23, 2007: West Virginia Public Employees Insurance Agency notified 200,000 current and past members of its insurance programs that a computer tape containing names, addresses, phone numbers and Social Security numbers was lost while being shipped via United Parcel Service of America Inc.

May 14, 2007: A virus that could have allowed a hacker access to 197,000 records about students at College of Southern Nevada attacked a server, but the school is not sure whether any data was actually taken.

Jan. 26, 2007: Tapes containing names, Social Security numbers and other data regarding 196,000 Wellpoint Anthem Blue Cross Blue Shield customers were stolen from a lockbox held by one of the company’s contractors.

Nov. 16, 2007: Tae Kim, a former auditor for the U.S. Department of Veterans Affairs, was arrested after being caught using fraudulent credit cards. His home computer contained 1.8 million records on Veterans Affairs medical patients pertaining to 185,000 unique individuals.
