Top Ten Data Breaches and Blunders of 2009
As we strive to improve data security in 2010, we can learn from some of the biggest data mistakes made last year--including one single breach that compromised 130 million records (this means you, Heartland).
From stolen devices and phishing attacks to buggy apps and human blunders, 2009 was another banner year for data breaches. According to the Privacy Rights Clearinghouse, over 345 million records containing sensitive data have been involved in incidents within the United States since January 2005. But last year, one single breach compromised 130 million records. In an effort to do better this year, let's recount some of the worst data breaches reported in 2009.
10) Los Alamos National Labs (LANL)
This facility makes our list due to its history and sensitivity rather than the (unspecified) size of its February 2009 breach. This nuclear research complex continues to make headlines, this time by reporting that nearly 70 computers had gone missing from the labs, including at least 13 PCs verified lost or stolen, and one BlackBerry left in an undisclosed "sensitive" country. Although this incident did not expose classified data, LANL's apparently lax asset management practices could pose a national security concern.
9) Virginia Department of Health Professions (DHP)
This agency, responsible for licensing health care professionals and enforcing standards of practice, reported that its database of prescription drug records for 530,000 patients was hacked in April 2009. The thief posted a ransom message on DHP's Website, attempting to extort $10M for the safe return of stolen data. Fortunately, his claim to have destroyed both the live database and its backups turned out to be false; DHP restored online services by recovering data from verified backups. Nonetheless, over half a million social security numbers and 35 million prescription records may have been exposed.
8) Network Solutions
In July 2009, this domain name registrar and Web hosting provider reported a breach affecting over 573,000 debit and credit card accounts. Hackers broke into a Network Solutions server in March, planting malware with the ability to intercept all transactions processed by over four thousand hosted e-commerce merchants over a three-month period. According to news reports, the firm had passed PCI DSS compliance audits in October 2008, a program designed to protect cardholder data from breaches like this one.
7) Arkansas Department of Information Systems
Sometimes it doesn't pay to save. In February 2009, this department reported loss of an archive tape containing 807,000 records associated with criminal background checks conducted over a 12-year period. The tape had gone missing from a vault operated by Information Vaulting Services, where it had been placed for safe-keeping. Reports did not indicate whether the lost tape had been encrypted.
6) Oklahoma Department of Human Services (DHS)
In April, this DHS reported a smash-and-grab laptop theft that exposed the names, social security numbers, and birthdates of an estimated one million clients. Additional data at risk on the unencrypted laptop, stolen from a parked car, included child abuse investigation details. Laptop thefts are rampant, but what makes this breach noteworthy is its size. Why let anyone carry one million (unencrypted!) client records around on a laptop?
5) HealthNet
When you make a mistake, 'fess up promptly. This Connecticut regional health plan provider put 1.5 million member records in jeopardy when a compressed but apparently unencrypted portable storage drive went missing. Not only did the lost drive contain a wealth of unencrypted protected health information, but the provider waited a full six months before issuing a breach notification, causing the CT attorney general to bring suit against HealthNet for HIPAA violations.
4) CheckFree
This electronic bill payment service first reported a DNS hijack attack in late 2008, but was forced to amend the number of potentially affected customer records to a whopping five million in January 2009. According to breach reports, hackers managed to hijack CheckFree.com and MyCheckFree.com, probably by initiating malicious domain name transfers, then using DNS to redirect customers to a fraudulent look-alike Website hosted in Ukraine. Although the phony site was taken down five hours later, the breach size was increased because the hijack could have exposed many more customers during the unknown period prior to discovery.
3) RockYou
Social networking advertiser RockYou managed to expose 32 million user e-mail addresses and clear text passwords in December when a hacker exploited a SQL injection flaw to access the company's online user database. Once RockYou was advised of the bug, it worked quickly to fix it, but this enormous breach of its entire customer account list can really be attributed to a failure to apply basic security best practices, such as storing hashed rather than clear text passwords and keeping user input out of query text.
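The two mistakes behind this entry, spliced-in SQL and a clear-text password column, are easy to see side by side. The following is an added example written for this article, not code from RockYou or from the original page: a login lookup done the vulnerable way next to the hardened form (bound parameters, a per-user salt, PBKDF2). The table layout, the sample accounts and the PBKDF2 iteration count are constructed for the demo.

```python
"""Added example, not code from the article or from RockYou: a login lookup
built by splicing user input into SQL against a table of clear-text
passwords, beside the hardened form (parameterized query, per-user salt,
PBKDF2 hash). The table layout, user names and passwords are constructed
sample data."""
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256. Kept low so the demo runs quickly;
# tune upward (or use Argon2/scrypt) in production. This value is an assumption.
PBKDF2_ITERATIONS = 100_000

# Constructed sample accounts (not real users).
SAMPLE_USERS = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]


def hash_password(password, salt=None):
    """Return (salt, digest) for a password; a fresh random salt if none given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_db():
    """In-memory SQLite database holding the same accounts stored both ways."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users_hashed (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, password in SAMPLE_USERS:
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (email, password))
        salt, digest = hash_password(password)
        db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (email, salt, digest))
    db.commit()
    return db


def login_vulnerable(db, email, password):
    """Vulnerable: attacker-controlled strings become part of the SQL text,
    and the comparison is against a clear-text password column."""
    sql = (f"SELECT email FROM users_plain "
           f"WHERE email = '{email}' AND password = '{password}'")
    return [row[0] for row in db.execute(sql)]


def login_hardened(db, email, password):
    """Hardened: bound parameters keep input out of the query grammar, and
    only a salted hash is stored, so a dumped table yields no passwords."""
    row = db.execute("SELECT salt, pw_hash FROM users_hashed WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


# Payload that turns the vulnerable login query into a dump of the password column:
# the closing quote ends the literal, UNION appends every stored password, and
# the SQL comment swallows the quote the application adds after the input.
DUMP_PAYLOAD = "' UNION SELECT password FROM users_plain --"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "nobody", DUMP_PAYLOAD))        # every clear-text password
    print(login_hardened(db, "nobody", DUMP_PAYLOAD))          # False
    print(login_hardened(db, "alice@example.com", "hunter2"))  # True
```

Against `login_vulnerable` the payload returns the entire password column with no valid credentials at all, which is the shape of a mass-extraction breach. Against `login_hardened` the same string is just a user name that does not exist, and even a full copy of `users_hashed` gives an attacker only salted PBKDF2 digests to crack one at a time.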
2) National Archives and Records Administration
Approximately 76 million U.S. veterans had their records breached once again when a disk drive used by eVetRec, an online health record and discharge paper system, was recycled without being wiped clean. The disk drive, one of six in an Oracle database RAID array, had failed and was shipped to a contractor for repair. When the contractor could not repair the drive, it was recycled without being degaussed or even purged, leaving unencrypted data behind.
And [drumroll please] the winner of last year's top-ten data blunders is:
1) Heartland Payment Systems
This payment processing firm experienced the largest reported cardholder data breach in history when hackers exploited a SQL injection vulnerability to break into systems and install sniffer software. In August 2009, a federal grand jury indicted a former Secret Service informant and two Russian conspirators on charges of hacking into Heartland, Hannaford, and three other retailers to steal over 130 million credit and debit card numbers. Last month, Heartland agreed to pay VISA over $60M to cover losses experienced by cardholders put at risk by this breach.
Like Network Solutions, Heartland had passed numerous PCI DSS compliance audits before the break-in. But Heartland CEO Bob Carr believes that additional measures are needed to avoid similar data breaches in the future, including better dissemination of security threat information among financial services providers and more robust techniques, such as end-to-end encryption and tokenization, which keep card numbers out of the systems a sniffer can reach. You can read more about the Heartland breach and the company's recommendations here: [PDF].
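Tokenization is the recommendation above that is simplest to show in code. What follows is an added example written for this article, not code from Heartland, the original page, or any vendor's product: a minimal token vault in which merchant and processing systems hold only a token plus the last four digits, while the primary account number (PAN) exists solely inside the vault. The card numbers are standard test numbers, and the token format (random digits, last four preserved, never Luhn-valid, one token per card) is a design choice made here.

```python
"""Added example, not code from the article or from Heartland: a minimal
card-data tokenization vault. Merchant-side systems keep a token and the
last four digits; the PAN lives only in the vault. Card numbers below are
standard test numbers, and the token format is a design choice made here."""
import secrets


def luhn_valid(digits):
    """Luhn check-digit validation over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan):
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible primary account number")
    return digits


class TokenVault:
    """Holds PAN<->token mappings. In a real deployment this lives in a
    separately secured system; here it is an in-memory dictionary."""

    def __init__(self):
        self._token_for_pan = {}
        self._pan_for_token = {}

    def tokenize(self, pan):
        digits = normalize_pan(pan)
        if digits in self._token_for_pan:       # design choice: same card -> same token
            return self._token_for_pan[digits]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            # A token that fails the Luhn check can never be mistaken for a live
            # card number; the table lookup avoids handing out one token twice.
            if not luhn_valid(token) and token not in self._pan_for_token:
                break
        self._token_for_pan[digits] = token
        self._pan_for_token[token] = digits
        return token

    def detokenize(self, token):
        """Only the vault (or the processor behind it) should ever call this."""
        return self._pan_for_token[token]


def merchant_record(vault, pan, amount):
    """What a merchant system stores after a sale: no PAN anywhere in it."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_record(vault, "4111 1111 1111 1111", "19.99")
    print(record)                                 # token and last four only
    print(vault.detokenize(record["token"]))      # PAN, available only via the vault
```

The point of the split is scope reduction: malware sniffing traffic or scraping tables on the merchant side sees only tokens, and a token is useless without a query to the vault, which is the one system that then has to be locked down and monitored.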
While these breaches all involved technology, many could have been prevented with a bit more common sense and adherence to security best practices. To be sure, there's room for improvement in security measures themselves. But all too often, data breaches are caused by omissions and errors in policies and processes. In the end, a list like this shouldn't simply make us shake our heads or shudder; it should teach us about blunders that we can and should avoid ourselves.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.