
6 Worst Data Breaches Of 2011

Historically speaking, these 2011 data breaches rate among the biggest or most significant data-loss incidents to date.

When it comes to data breaches, how does 2011 compare with previous years?

A new report from the Privacy Rights Clearinghouse (PRC) notes 535 breaches during 2011, involving 30.4 million sensitive records. But that's just a conservative estimate, since not all data breaches see the light of day. "Because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about," said PRC director Beth Givens in the report.

Even so, 2011 saw some of the biggest or most significant breaches in history, PRC says:

1. Sony. Sony suffered over a dozen data breaches, stemming from attacks that compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures, among other Sony-owned websites. Notably, these breaches occurred after Sony had laid off many of its security personnel in the months preceding the attacks. Ultimately, Sony faced an ongoing customer relations fallout--as well as class-action lawsuits--over its failure to protect over 100 million user records. Owing to the frequency with which users reuse passwords, many Sony customers are now at risk from attackers using the stolen password data to access their accounts on other sites.

2. Epsilon. When companies outsource business processes, who's ultimately responsible for the security of any shared customer data? Answer: the company that outsourced the job. That's the lesson from the April breach of cloud-based email service provider Epsilon, which fell to a spear-phishing attack. The breach affected data from 75 of Epsilon's clients--meaning, businesses that had trusted Epsilon with their customers' data. "Epsilon has not disclosed the names of the companies affected or the total number of names stolen," according to the PRC report. "However, millions of customers received notices from a growing list of companies, making this the largest security breach ever." Conservative estimates are that 60 million customer email addresses were breached.

3. RSA. One of the most high-profile breaches of 2011 involved not consumer information but one of the world's most widely used two-factor authentication systems. After attackers breached the systems of EMC's RSA division in March, stealing information relating to its SecurID tokens, the company drew fire for failing to detail exactly what had been stolen or how the theft put customers at risk. RSA ultimately attributed the attack to an unnamed nation state and revealed that the intrusion had begun with a very low-tech spear-phishing email. One significant result has been that many companies are now retooling their security and training processes to help prevent these low-cost, easy-to-execute social-engineering attacks from succeeding.

4. Sutter Physicians Services. In November, a thief stole a desktop computer from the offices of Sutter Physicians Services and Sutter Medical Foundation. The computer held about 3.3 million patients' details--including name, address, phone number, email address and health insurance plan name--stored unencrypted. "The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location)," according to the PRC report. A class-action lawsuit lodged against the companies alleged that they also failed to inform affected patients about the breach in a timely manner.

5. Tricare and SAIC. In September, backup tapes holding data on beneficiaries of the Tricare military health program--largely current and retired members of the armed services and their families--were stolen from the car of an employee of SAIC (Science Applications International Corporation), the contractor handling the data. The breach led to a $4.9 billion lawsuit being filed, which aims to award $1,000 to each of the 5.1 million people affected by the breach. "The Tricare/SAIC breach is significant because not only are the victims at risk of medical identity theft, but financial identity theft as well. The breach begs several questions: Why were the backup tapes being transported in an employee's personal vehicle? And why were those records not encrypted?" according to the PRC report.

6. Nasdaq. Not all breaches target massive quantities of customer data. Notably, attackers breached Directors Desk, a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives and company directors. By monitoring Directors Desk, attackers may have had access to inside information, which they could have sold to competitors or perhaps used to make beneficial stock market trades.

Prepare For Breaches

What's the takeaway from the above six breaches? First, data breaches are a fact of life, in every industry. Accordingly, security experts recommend that businesses formulate a data breach response plan in advance. Businesses should also have the processes and technology in place to spot a breach when it happens.

But it's important to proactively stop data breaches too. To help, the PRC report highlighted the importance of companies creating "strict privacy and security policies," as well as data retention policies that limit how much sensitive data is kept and for how long. Furthermore, businesses could avoid many reportable breaches by properly encrypting sensitive information at rest, with the encryption keys stored separately from the data. Under most U.S. state breach-notification laws, the loss or theft of encrypted data does not count as a breach of personal information or trigger consumer notification requirements, provided the key was not compromised along with the data.
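What "properly encrypted" means for a record on a stolen desktop or backup tape, as an added example that is not from the article or the PRC report: one record sealed with AES-256-GCM in Go, with the key generated and held separately from the stored blob, and decryption failing closed on a wrong key, a swapped record ID or a modified byte. The record contents, the record ID and the function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. "Properly encrypted" means this
// key is held in a separate key store (KMS/HSM) and never written to the same
// tape, disk or desktop as the ciphertext; here it only ever lives in memory.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one record with AES-256-GCM under a fresh random nonce.
// The record ID is bound as associated data, so a ciphertext cannot be moved
// onto another record without detection. Layout: nonce || ciphertext || tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce prefix.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord. It fails closed on a wrong key, a
// mismatched record ID, or any modification of nonce, ciphertext or tag.
func DecryptRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

func main() {
	// Constructed sample record (hypothetical fields, not real patient data).
	record := []byte("name=Jane Doe;phone=555-0100;plan=Example Health PPO")
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptRecord(key, "patient-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on tape: %x\n", blob)

	// Tape stolen, key kept elsewhere: the thief's guess at a key yields nothing.
	otherKey, _ := NewDataKey()
	if _, err := DecryptRecord(otherKey, "patient-0001", blob); err != nil {
		fmt.Println("without the key:", err)
	}
	// Tape stolen together with the key: the encryption bought nothing.
	pt, err := DecryptRecord(key, "patient-0001", blob)
	fmt.Printf("with the key: %q err=%v\n", pt, err)
}
```

The notification safe harbor in the paragraph above rests on the second scenario never happening: if the key is stored on the same tape or desktop, or is recoverable from it, the stolen data is effectively plaintext and the loss is a reportable breach.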

12/31/2011 | 2:50:38 PM
re: 6 Worst Data Breaches Of 2011
I would also say that this shows the importance of both physical and IT security being viewed together for a more holistic view of enterprise security. In two of these cases the data was stolen by a thief using non-technical means.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
11/21/2013 | 7:01:22 PM
Don't spot a breach - STOP the breach!
There is plenty of technology out there to stop breaches. Businesses just need to start taking IT security seriously, move on from outdated passwords and look at new technologies - such as biometrics! It is scary to imagine that 10,000 Nasdaq directors communicate in a portal that was and probably still is password protected! Any decent hacker, or any coworker or family member who can read a yellow sticky note, has access to insider trading information! See the difference in this technical presentation. Especially if you work with SAP and security, you should take a look: