A new report from the Privacy Rights Clearinghouse (PRC) notes 535 breaches during 2011, involving 30.4 million sensitive records. But that's just a conservative estimate, since not all data breaches see the light of day. "Because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about," said PRC director Beth Givens in the report.
Even so, 2011 saw some of the biggest or most significant breaches in history, PRC says:
1. Sony. Sony suffered over a dozen data breaches, stemming from attacks that compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures, among other Sony-owned websites. Notably, these breaches occurred after Sony had laid off many of its security personnel in the months preceding the attacks. Ultimately, Sony faced an ongoing customer relations fallout--as well as class-action lawsuits--over its failure to protect over 100 million user records. Owing to the frequency with which users reuse passwords, many Sony customers are now at risk from attackers using the stolen password data to access their accounts on other sites.
2. Epsilon. When companies outsource business processes, who's ultimately responsible for the security of any shared customer data? Answer: the company that outsourced the job. That's the lesson from the April breach of cloud-based email service provider Epsilon, which fell to a spear-phishing attack. The breach affected data from 75 of Epsilon's clients--meaning, businesses that had trusted Epsilon with their customers' data. "Epsilon has not disclosed the names of the companies affected or the total number of names stolen," according to the PRC report. "However, millions of customers received notices from a growing list of companies, making this the largest security breach ever." Conservative estimates are that 60 million customer email addresses were breached.
3. RSA. One of the most high-profile breaches of 2011 didn't involve consumer information, but rather one of the world's most-used two-factor authentication systems. After attackers breached the systems of EMC's RSA in April, stealing information relating to its SecurID system, the company drew fire for failing to detail exactly what had been stolen, or exactly how the attack put customers at risk of being exploited. RSA ultimately traced the attack to an unnamed nation state, and revealed that the exploit had relied on a very low-tech spear-phishing attack. One significant result of the attack has been that many companies are now retooling their security and training processes to help prevent these types of low-cost, easy-to-execute social-engineering attacks from succeeding.
4. Sutter Physicians Services. Data from both Sutter Physicians Services and Sutter Medical Foundation was breached in November when a thief stole a desktop computer from the organization, which contained about 3.3 million patients' medical details--including name, address, phone number, email address and health insurance plan name--stored in unencrypted format. "The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location)," according to the PRC report. A class-action lawsuit lodged against the companies alleged that they also failed to inform affected patients about the breach in a timely manner.
5. Tricare and SAIC. In September, backup tapes containing SAIC (Science Applications International Corporation) data were stolen from the car of a Tricare employee. Much of that data related to current and retired members of the armed services, as well as their families. The breach led to a $4.9 billion lawsuit being filed, which aims to award $1,000 to each of the 5.1 million people affected by the breach. "The Tricare/SAIC breach is significant because not only are the victims at risk of medical identity theft, but financial identity theft as well. The breach begs several questions: Why were the backup tapes being transported in an employee's personal vehicle? And why were those records not encrypted?" according to the PRC report.
6. Nasdaq. Not all breaches target massive quantities of customer data. Notably, attackers breached Directors Desk, a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives and company directors. By monitoring Directors Desk, attackers may have had access to inside information, which they could have sold to competitors or perhaps used to make beneficial stock market trades.
Prepare For Breaches

What's the takeaway from the above six breaches? First, data breaches are a fact of life, and in all industries. Accordingly, security experts recommend that businesses have a data breach response plan formulated in advance. You should also have the right processes and technology in place to spot a breach.
But it's important to proactively stop data breaches too. To help, the PRC report highlighted the importance that companies must place on creating "strict privacy and security policies," as well as data retention policies. Furthermore, businesses could avoid "breaches" simply by properly encrypting all sensitive information. Notably, if encrypted data gets lost or stolen, it doesn't count as a data breach or trigger consumer notification requirements.