Tracking Major Data Breaches
Top 10 Incidents from Recent Months
Howard Anderson (ismg_editor)
December 20, 2011
A string of data breaches in recent months has put the spotlight on the need to take adequate precautions to protect sensitive information. From hackers issuing phony digital certificates to millions of patients having their records potentially exposed as a result of lost or stolen backup files, breaches point to the value of preventive measures, ranging from encryption to intrusion detection.
The slide show below offers a quick guide to some of the headline-grabbing incidents from recent months, complete with links to all the details.
Breaches Offer Lessons
The following are summaries of the Top 10 major data breach incidents in recent months. Each incident illustrates threats and vulnerabilities and emphasizes the need for various prevention measures, from expanded use of encryption to intrusion detection.
Breach #10: Michaels Stores
Point-of-Sale Devices Swapped
Michaels Stores in May 2011 identified a scheme that targeted its point-of-sale devices in nearly 90 U.S. stores. Legitimate PIN pads were swapped for PIN pads manipulated to skim and collect card details, such as personal identification numbers. The breach was first identified by card issuers, which quickly found Michaels purchases to be the common denominator among all of the cardholders who were reporting debit and credit fraud.
Breach #9: NYC Health & Hospitals Corp.
Backup Tapes Stolen, 1.7 Million Affected
This breach, which affected 1.7 million individuals, stemmed from computer backup tapes that were stolen in December 2010 from a business associate's unlocked truck. An employee of the business associate, GRM Information Management Services, was transporting the unencrypted tapes to a secure storage location, according to New York City Health and Hospitals Corp.
Breach #8: Health Net
1.9 Million Affected by Missing Drives
This health insurance company notified 1.9 million individuals nationwide that their healthcare and personal information may have been breached as a result of nine server drives that were discovered to be missing from a California data center managed by IBM. Health Net said IBM, the vendor responsible for managing the insurer's IT infrastructure, notified the company in January 2011 that the drives were missing.
Breach #7: Pentagon
Unidentified Nation Obtains 24,000 Files
Hackers believed to be backed by an unidentified nation obtained 24,000 Pentagon files related to systems being developed for the Defense Department during a single intrusion in March 2011, one of the worst digital attacks against the DoD. "It was done, we think, by a foreign intelligence service," said then-Deputy Secretary of Defense William Lynn. "In other words, a nation-state was behind it."
Breach #6: UBS
Unauthorized Trades Total $2.3 Billion
Switzerland-based UBS, a global financial services firm, reported in September 2011 a $2.3 billion loss linked to unauthorized trades conducted by a trader in its Global Synthetic Equity business in London. As a result of the rogue trader's actions, UBS said it would likely post a third-quarter loss for fiscal year 2011, one of the biggest losses linked to bad trading ever reported.
Breach #5: TRICARE
Stolen Tapes Contain Data on 4.9 Million
About 4.9 million individuals enrolled in the military's TRICARE health program were affected in this breach, reported in September 2011. The incident involved backup tapes stolen from the car of an employee of a TRICARE business associate, Science Applications International Corp. It's the largest healthcare information breach reported since the HIPAA breach notification rule took effect in September 2009.
Breach #4: Hacktivists
Virtual Vandalism on Websites
With regularity throughout 2011, members of the so-called "hacktivist" groups Anonymous and LulzSec performed a virtual version of vandalism on well-known private and government websites. They did not cause major damage, but exposed personally identifiable information and, at times, embarrassing details about individuals' computer hygiene (such as using the same passwords for multiple accounts). Among their victims: Fox, Infragard, PBS, the U.S. Senate and Sony.
Breach #3: Sony
77 Million Customer Accounts Affected
Distributed denial of service attacks in April 2011 that crippled Sony Corp.'s PlayStation gaming network and Qriocity music service camouflaged simultaneous intrusions that resulted in the exposure of personally identifiable information, including credit card information, from as many as 77 million customer accounts. The sophistication of the intrusion, and the attackers' exploitation of a software vulnerability, made detection difficult, Sony Computer Entertainment Chairman Kazuo Hirai said.
Breach #2: RSA
SecurID Authentication Targeted
A well-crafted e-mail with the subject line "2011 Recruitment Plan" tricked an RSA employee into retrieving from a junk-mail folder and opening a message containing a virus that led to a sophisticated attack on the security company's information systems. In the March 2011 incident, the attacker targeted RSA's SecurID two-factor authentication product in what the security vendor termed an "advanced persistent threat" breach.
Breach #1: DigiNotar
Hackers Issue Counterfeit Certificates
The September 2011 breach of certificate authority DigiNotar could prove to be among the worst Internet security events ever. Hackers stole the private key used by the Dutch company to assure the trustworthiness of the digital certificates it issued to website operators. Employing the stolen private key, the hackers issued counterfeit certificates aimed at fooling visitors into believing that sham websites they mistakenly accessed were the ones they actually intended to visit.