Five Big Database Breaches Of 2011's Second Half

Healthcare breaches dominate since the summer, with plenty of lessons learned

Dark Reading Staff, Dark Reading

December 14, 2011

4 Min Read

Though the second half of the year has been comparably calmer than the first half's excitement over database breaches at RSA, Sony, and Epsilon, the breach numbers continued to roll in -- especially at healthcare organizations, which made up a disproportionate number of exposed records. Here are some of the biggest breaches that went down in the second half of the year, along with a few database security lessons learned.

1. The Breach Victim: Nemours
Assets Stolen/Affected: Names, addresses, dates of birth, Social Security numbers, insurance data, medical treatment data, and bank account information for 1.6 million patients, vendors, and employees.

Three unencrypted tapes containing a mother lode of personal information on patients, vendors, and employees were lost amid the dust of a facility remodel project when a cabinet that held them since 2004 went missing.

Lessons Learned: Database backups are often the Achilles' heel in enterprise database security. Because of their portability and longevity, database backup tapes are frequently lost in transit or in these types of relocation scenarios. Encryption of data is key to ensuring security even when tapes can't be physically secured.

[ From healthcare to game companies to trusted third-party security companies, a number of significant breaches were reported in 2011. See Slide Show: The Year In Data Theft. ]

2. The Breach Victim: Tricare/SAIC
Assets Stolen/Affected: Protected health information from 5.1 million patients of U.S. military hospitals and clinics.

Another day, another backup tape gone missing. In September, Tricare announced that an employee for one of its contractors, Science Applications International Corp. (SAIC), was driving around with a backup tape containing patient data from 1992 all the way through 2011 for San Antonio-area military treatment facilities. The tapes were stolen from the car, exposing Social Security numbers, addresses, phone numbers, clinical notes, lab test results, prescriptions, and other medical information.

Lessons Learned: In addition to the lessons about backup tape protection, this case shows how important third-party contractor security procedures are to an organization. Enterprises and government agencies alike must be aware of how contractors are touching database information and whether they're employing best practices with regard to how that data is handled.

Next Page: Sutter Physicians Services and Sutter Medical Foundation 3. The Breach Victim: Sutter Physicians Services and Sutter Medical Foundation
Assets Stolen/Affected: Personally identifiable information of 3.3 million patients supported by Sutter Physicians Services and medical information of another 934,000 Sutter Medical Foundation patients.

The data in question was stolen from Sutter Medical Foundation offices when a thief made away with an unencrypted desktop computer over one weekend in October. Sutter Health is currently being sued not only for negligence in safeguarding computers and data, but also for failing to notify patients according to California state mandates.

Lessons Learned: Physical security is obviously paramount in ensuring that desktops aren't made away with by cat burglars. But there are other lessons here, namely in the fact that the data was not encrypted and that such a sizable chunk was sitting on a desktop in the first place. Many enterprises today get into trouble when huge repositories of data are taken out of the database and transferred to unsecured endpoints.

4. The Breach Victim: SK Communications
Assets Stolen/Affected: Thirty-five million names, email addresses, phone numbers, and resident registration numbers of social media users at South Korean sites Cyworld and Nate.

In mid-July, hackers working from IP addresses originated in China infected 60 of SK Communications' computers and used that foothold to hack the company's database stores. The infections allowed them to gather enough access credentials to hack and exfiltrate data from the databases. The loot they made off with was personal information of about 90 percent of South Korean Internet users.

Lessons Learned: This case shows how critical layered security, effective network segmentation, and database monitoring are to both preventing and detecting large-scale database leaks. Hackers often use malicious infections on other network devices to begin the multistep process of cracking even the most strongly fortified database infrastructure.

5. The Breach Victim: Valve, Inc.
Assets Stolen/Affected: Personally identifiable information for 35 million users of Valve's online gaming site.

Steam, the back-end database that runs the online video distribution site run by Valve, was compromised in November, coughing up encrypted credit card numbers and other personally identifiable information for its 35 million users.

Lessons Learned: Public details of how exactly the hackers busted into Steam's database are limited, but what is interesting in this case is the bit of silver lining it offers compared to other similar breaches during the past 18 months. Though hackers did have their way with Steam's databases, risks were hugely mitigated because credit card numbers were encrypted and user passwords were salted and hashed, minimizing the impact hackers could make with the information available through their theft.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights