Lessons Learned From Five Big Database Breaches In 2010

Second half of 2010 featured some major mess-ups that led to the exposure of sensitive data
4. Silverpop Systems
Breach Details: The ripple effects of a breach involving Atlanta-based Silverpop Systems are still being felt. An e-mail marketing firm with a long list of high-powered corporate clients, Silverpop singlehandedly exposed client lists owned by McDonald's, deviantART, and potentially others when a contractor's server containing the databases was breached by a hacker.

Database Security Lessons Learned: While details about the technological elements of the actual attack are still being kept under wraps pending an FBI investigation, one lesson is crystal clear. Blame for breaches caused by third-party bungling of sensitive databases ultimately will always be placed at the feet of the business to which the customer first entrusted its data. Organizations have to do a better job vetting their vendors about how they handle databases and sensitive information.

5. Triple-S Management
Breach Details: The account details of more than 400,000 customers Triple-S Management, a Puerto Rico-based managed healthcare company, were pored over by employees at a competitor organization, Medical Card System. These employees had somehow acquired active user ID and password combinations for Triple-S databases in order to gain unauthorized access.

Database Security Lessons Learned: Poor account provisioning and access management issues are an Achilles' heel for even those organizations that have put a lot of investment in detecting external attacks. After all, the attacker already has sanctioned entree into the database. Organizations need to do a better job eliminating shared passwords, closing accounts of former employees, and monitoring existing accounts for anomalous behavior.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.