Attacks/Breaches
12/27/2011
04:17 PM
Connect Directly
RSS
E-Mail
50%
50%

6 Worst Data Breaches Of 2011

Historically speaking, these 2011 data breaches rate among the biggest or most significant data-loss incidents to date.

When it comes to data breaches, how does 2011 compare with previous years?

A new report from the Privacy Rights Clearinghouse (PRC) notes 535 breaches during 2011, involving 30.4 million sensitive records. But that's just a conservative estimate, since not all data breaches see the light of day. "Because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about," said PRC director Beth Givens in the report.

Even so, 2011 saw some of the biggest or most significant breaches in history, PRC says:

1. Sony. Sony suffered over a dozen data breaches, stemming from attacks that compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures, among other Sony-owned websites. Notably, these breaches occurred after Sony had laid off many of its security personnel in the months preceding the attacks. Ultimately, Sony faced an ongoing customer relations fallout--as well as class-action lawsuits--over its failure to protect over 100 million user records. Owing to the frequency with which users reuse passwords, many Sony customers are now at risk from attackers using the stolen password data to access their accounts on other sites.

2. Epsilon. When companies outsource business processes, who's ultimately responsible for the security of any shared customer data? Answer: the company that outsourced the job. That's the lesson from the April breach of cloud-based email service provider Epsilon, which fell to a spear-phishing attack. The breach affected data from 75 of Epsilon's clients--meaning, businesses that had trusted Epsilon with their customers' data. "Epsilon has not disclosed the names of the companies affected or the total number of names stolen," according to the PRC report. "However, millions of customers received notices from a growing list of companies, making this the largest security breach ever." Conservative estimates are that 60 million customer emails addresses were breached.

3. RSA. One of the most high-profile breaches of 2011 didn't involve consumer information, but rather one of the world's most-used two-factor authentication systems. After attackers breached the systems of EMC's RSA in April, stealing information relating to its SecurID system, the company drew fire for failing to detail exactly what had been stolen, or exactly how the attack put customers at risk of being exploited. RSA ultimately traced the attack to an unnamed nation state, and revealed that the exploit had relied on a very low-tech spear-phishing attack. One significant result of the attack has been that many companies are now retooling their security and training processes to help prevent these types of low-cost, easy-to-execute social-engeineering attacks from succeeding.

4. Sutter Physicians Services. Data from both Sutter Physicians Services and Sutter Medical Foundation was breached in November when a thief stole a desktop computer from the organization, which contained about 3.3 million patients' medical details--including name, address, phone number, email address and health insurance plan name--stored in encrypted format. "The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location)," according to the PRC report. A class-action lawsuit lodged against the companies alleged that they also failed to inform affected patients about the breach in a timely manner.

5. Tricare and SAIC. In September, backup tapes containing SAIC (Science Applications International Corporation) data were stolen from the car of a Tricare employee. Much of that data related to current and retired members of the armed services, as well as their families. The breach led to a $4.9 billion lawsuit being filed, which aims to award $1,000 to each of the 5.1 million people affected by the breach. "The Tricare/SAIC breach is significant because not only are the victims at risk of medical identity theft, but financial identity theft as well. The breach begs several questions: Why were the backup tapes being transported in an employee's personal vehicle? And why were those records not encrypted?" according to the PRC report.

6. Nasdaq. Not all breaches target massive quantities of customer data. Notably, attackers breached Directors Desk, a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives and company directors. By monitoring Directors Desk, attackers may have had access to inside information, which they could have sold to competitors or perhaps used to make beneficial stock market trades.

Prepare For Breaches What's the takeaway from the above six breaches? First, data breaches are a fact of life, and in all industries. Accordingly, security experts recommend that businesses have a data breach response plan formulated in advance. You should also have the right processes and technology in place to spot a breach.

But it's important to proactively stop data breaches too. To help, the PRC report highlighted the importance that companies must place on creating "strict privacy and security policies," as well as data retention policies. Furthermore, businesses could avoid "breaches" simply by properly encrypting all sensitive information. Notably, if encrypted data gets lost or stolen, it doesn't count as a data breach or trigger consumer notification requirements.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Thomas-bioLock-forSAP
50%
50%
Thomas-bioLock-forSAP,
User Rank: Apprentice
11/21/2013 | 7:01:22 PM
Don't spot a breach - STOP the breach!
There is plenty of technology out there to stop breaches. Businesses just need to start taking IT Security serious and move on from outdated passwords and look new technologies - such as biometrics! It is scary to imagine that 10,000 Nasdaq directors communicate in a portal that was and probably still is password protected! Any decent hacker or any coworker or family member that can read a yellow sticky note has access to insider trading information! See the difference in this technical presentation. Especially if you work with SAP and security you should take a look: www.realtimenorthamerica.com/download/bioLockSAPSSOArchitectureComparison.pps
Bprince
50%
50%
Bprince,
User Rank: Ninja
12/31/2011 | 2:50:38 PM
re: 6 Worst Data Breaches Of 2011
I would also say that this shows the importance of both physical and IT security being viewed together for a more holistic view of enterprise security. In two of these cases the data was stolen by a thief using non-technical means.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.