Top 10 Data Breaches of 2010: Page 2
5. Lincoln National Financial Securities: Password management counts. Not only did Lincoln National mistakenly print a username and password in a brochure posted on a public website, but it let employees and affiliates share usernames and passwords. Unfortunately, those credentials belonged to a portfolio information system housing data for 1.2 million customers. This single incident accounts for nearly all of the records breached by insider access during 2010, but most other insider breaches were reported as having unknown record impact. According to the ITRC, just 51 percent of all breaches report the number of records exposed, making it hard to assess their severity.
4. AvMed Health Plans: Two laptops were reportedly stolen from AvMed corporate offices in February 2010. Upon investigation, it was found that one laptop may not have been protected properly, putting current and former subscribers and their dependents at risk for identity theft. This breach was first estimated at 200,000 records, then revised to 1.2 million. This case is an excellent illustration of the value of laptop encryption and of the ability to provide proof thereof. In fact, nearly 7 million records were breached last year due to lost, stolen, or discarded portable devices.
3. Gawker: In December, Gawker's database was hacked by Gnosis, exposing up to 1.3 million user email addresses and passwords. Not only were over 250,000 cracked passwords posted online, but Gnosis published a link to Gawker's entire MD5-hashed password database. Shortly thereafter, HD Moore posted instructions on how to check whether any password was included in the posted database, and stats emerged about commonly used passwords. (The winner: "123456".) Although no SSNs or financial data were specifically breached in this case, the impact could be far broader due to the common practice of reusing login credentials across websites.
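The Gawker paragraph turns on one property of an unsalted MD5 password database: every user who chose the same password produced the same hash, which is what made both the "is my password in there?" check and the "most common password" statistics possible. The following is an added illustration, not code from the article or from HD Moore; the hash list is constructed here from a handful of sample passwords and is not real leaked data.

```python
import hashlib
import os
from collections import Counter

# Constructed sample standing in for an unsalted MD5 "password database".
# These are not real leaked values; "123456" is repeated to mirror the article.
SAMPLE_PASSWORDS = ["123456", "password", "123456", "lifehack",
                    "123456", "qwerty", "password"]
LEAKED_MD5 = [hashlib.md5(p.encode("utf-8")).hexdigest() for p in SAMPLE_PASSWORDS]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def password_in_dump(password: str, dump: list[str]) -> bool:
    """Check whether a candidate password appears in an unsalted MD5 dump.

    Without a salt, one hash computation answers the question for every
    user who picked that password; this is what a self-check against a
    leaked list relies on."""
    return md5_hex(password) in set(dump)


def most_common_from_dump(dump: list[str], wordlist: list[str], n: int = 3):
    """Recover 'most common password' statistics from an unsalted dump.

    Duplicate hashes are counted directly, then named by hashing a small
    wordlist; anything not in the wordlist stays '<unknown>'."""
    counts = Counter(dump)
    by_hash = {md5_hex(w): w for w in wordlist}
    return [(by_hash.get(h, "<unknown>"), c) for h, c in counts.most_common(n)]


def salted_md5(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def distinct_hashes_with_salt(passwords: list[str]) -> int:
    """Same passwords, but a random per-user salt: identical passwords no
    longer share a hash, so duplicate counting and one-shot lookups fail.
    (A slow, salted scheme such as bcrypt is the real fix; MD5 is kept here
    only to isolate the effect of the salt.)"""
    return len({salted_md5(p, os.urandom(16)) for p in passwords})
```

With the salted variant, the same seven sample passwords yield seven distinct hashes, so the frequency statistics that emerged from the Gawker dump could not have been read off the database.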
Finally, first place on our 2010 breach list goes to...
1. Netflix: According to a class action suit filed in January 2010, Netflix perpetrated the largest voluntary privacy breach to date when it supplied data sets containing over 100 million subscriber movie ratings and preferences to contest participants.
Netflix argues that the data sets were anonymized and did not contain subscriber names or other personal information. However, the suit alleges that researchers have been able to crack Netflix's anonymization process to identify individual subscribers.
ITRC does not consider this incident to be a breach due to the nature of the records involved. However, the Privacy Rights Clearinghouse does. This incident demonstrates that sensitive personal data comes in many forms. Victims may have different perspectives on risk; this further complicates breach reporting.
So what can we learn from this year's list? Surprisingly few of these big breaches are associated with trendy new technologies. Instead, many can be attributed to old-fashioned hacks, basic omissions in security best practices, or errors in security policies and processes. Case in point: paper breaches account for nearly 20 percent of this year's complete list. When you hear hoof beats, think horses, not zebras.
New technologies offer opportunities to build data security into networks, devices, and applications from the very start. But we still need to get those old familiar security fundamentals right to avoid data breaches and exposures, whether reported or not.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. Since 1997, Lisa has been involved in mobile workforce policy development and best practices, ranging from wireless/VPN security to portable data defenses.