In today’s interconnected world, being worried about who has access to your information is par for the course. While you may be able to live with the NSA warehousing your phone records (not that you have a choice) and with Google knowing more about you than your spouse does, bigger problems can occur when your information falls into the wrong hands.
Unfortunately, security breaches happen and your financial and personal data can be a casualty. Check out these ten terrible data breaches to see how grave the consequences of a security breach can be in the information age.
1. The Department of Veterans Affairs
Lest you think it is only the UK government that can’t be trusted with private data, just look at the security breach that happened in 2006 in the Department of Veterans’ Affairs. An unencrypted national database containing the personal identifying information on 26.5 million veterans was temporarily lost. The database was on a laptop and an external drive that a VA data analyst misplaced. It contained names, Social Security numbers, birth dates and other identifying information.
Although the database was eventually found, the VA paid out around US$20 million in damages according to Boston.com. The fact that veterans were not told of the potential loss of their data until around three weeks after officials knew of the risk only added to anger over the carelessness that put private data at risk.
The VA didn’t really learn its lesson after this costly incident, as Wired reports that a hard drive containing private records of 70 million vets was subsequently sent out to a vendor for repair in 2009 without protecting the data on it. The drive was then recycled with the data not erased or destroyed - so anyone could potentially have accessed the info. Fortunately, the sensitive information didn’t end up in the hands of criminals…this time.
2. The Target Data Breach
Target became a target for data thieves, who accessed customer information over the holiday season. NBC News estimates that thieves stole credit and debit card information from as many as 40 million accounts over the three weeks spanning Black Friday to December 15, 2013.
USA Today warns that the breach may have affected around 70 million people, many of whom had more than just their credit card number stolen. Hackers also accessed home addresses, names, email addresses and phone numbers of Target customers. The store immediately started doing damage control, offering free credit monitoring and emailing customers to alert them to the risks. The breach ranks among the biggest in history and is being investigated by the Department of Justice.
3. TJ Maxx and Marshalls
Shoppers looking for a bargain at TJ Maxx and Marshalls got more than just that in February of 2007 when thieves stole information on tens of millions of debit and credit cards. The systems of parent company TJX may have been compromised for more than a year, and TJX ended up paying millions to banks, consumers, credit card companies and the Federal Trade Commission (FTC) for the breach.
Back in 2007, NBC News reported that the TJ Maxx data theft was believed to be the biggest hack ever. Drivers’ license data from customers who had returned merchandise was also compromised along with the debit and credit card information, and experts began labelling the TJX case as an incident likely to “serve as a case study for computer security and business students for years to come.”
4. Epsilon
Epsilon is an email marketing company that had contact lists for powerful clients including Citibank, Best Buy, the Walt Disney Company and the College Board. Unfortunately, the company didn’t safeguard those lists, and customer data from around 75 major companies was stolen. This data mainly consisted of customer email addresses and other basic personal information.
The theft of an email address might not seem like such a big deal, but the breach forced the major companies that had hired Epsilon to change marketing strategies and notify customers. Each of Epsilon’s clients affected by the breach was expected to face about US$5.5 million in costs…which of course would be passed on to Epsilon. As a result, eWeek reported that Epsilon faced US$225 million in liabilities and US$45 million in lost business.
If hackers and phishers were able to use the pilfered email addresses to get access to sites with personal information, the costs could rise exponentially to between US$3 and US$4 billion. The cost of a stolen email address, in other words, could be unimaginably high, and this data breach ranks up there with the other big ones, earning its place on a list that no company wants to be on.
5. The Sony PlayStation Incident
For 100 million PlayStation users who had their private credit card information made public by a hacker, the breach was no game. The incident occurred in 2011 and Sony earned itself a lot of criticism for the delay in alerting the public about the data theft. As The Guardian reported, Sony first discovered an intrusion into its network a full seven days before it let users know that a breach had happened. The company earned even more criticism when it came out that email and password information was being stored in an unencrypted form.
When emails and passwords are stolen, this can potentially give the criminals access to a whole host of different accounts since many people reuse passwords. Of course, incidents like this one are a perfect illustration of why security experts tell you to pick a unique password for each of your different accounts. If a thief gets hold of your data, at least he won’t get everything if you’ve varied your passwords.
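The two points above, that credentials stored in the clear are exposed wholesale and that a stolen password can be replayed wherever it was reused, are easiest to see side by side. The following is an added example written for this post, not code from the original article or from Sony; it assumes PBKDF2-HMAC-SHA256 with a per-user random salt as the storage scheme, and the credentials it uses are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration (not real accounts).
SAMPLE_CREDENTIALS = {"alice@example.com": "hunter2", "bob@example.com": "letmein"}


def build_plaintext_store(credentials: dict) -> dict:
    """The flawed design: the password is stored exactly as typed.
    A copy of this table hands every password to whoever takes it."""
    return dict(credentials)


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256; the salt makes identical passwords hash differently."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_hashed_store(credentials: dict) -> dict:
    """The hardened design: keep only a salt, an iteration count and a derived hash."""
    store = {}
    for user, password in credentials.items():
        salt = os.urandom(16)  # fresh random salt per user, per site
        iterations = 200_000
        store[user] = {
            "salt": salt.hex(),
            "iterations": iterations,
            "hash": hash_password(password, salt, iterations).hex(),
        }
    return store


def verify_login(store: dict, user: str, candidate: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    record = store.get(user)
    if record is None:
        return False
    expected = bytes.fromhex(record["hash"])
    actual = hash_password(candidate, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(expected, actual)


def passwords_recoverable_from_dump(store: dict) -> dict:
    """What an attacker learns directly from a copy of the store: every
    plaintext entry is a usable password; hashed entries reveal none."""
    return {user: value for user, value in store.items() if isinstance(value, str)}


def same_password_links_accounts(store_a: dict, store_b: dict, user: str) -> bool:
    """Whether the stored value for one user is identical across two sites.
    For plaintext stores a reused password is the same string on both; for
    salted hashes it is not, so one site's dump does not expose the other's record."""
    a, b = store_a[user], store_b[user]
    if isinstance(a, str) and isinstance(b, str):
        return a == b
    return a["hash"] == b["hash"]


if __name__ == "__main__":
    plain_site_1 = build_plaintext_store(SAMPLE_CREDENTIALS)
    plain_site_2 = build_plaintext_store(SAMPLE_CREDENTIALS)  # same users reusing passwords
    hashed_site_1 = build_hashed_store(SAMPLE_CREDENTIALS)
    hashed_site_2 = build_hashed_store(SAMPLE_CREDENTIALS)

    print("plaintext dump yields:", passwords_recoverable_from_dump(plain_site_1))
    print("hashed dump yields:", passwords_recoverable_from_dump(hashed_site_1))
    print("reused password identical across plaintext sites:",
          same_password_links_accounts(plain_site_1, plain_site_2, "alice@example.com"))
    print("reused password identical across hashed sites:",
          same_password_links_accounts(hashed_site_1, hashed_site_2, "alice@example.com"))
    print("login ok:", verify_login(hashed_site_1, "alice@example.com", "hunter2"))
```

Hashing does not stop the cross-account problem entirely: an attacker who guesses a weak password offline against one site's hashes can still try it elsewhere, which is why the unique-password advice in the paragraph above stands regardless of how well the operator stores credentials.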
6. CardSystems Solutions
Another company that got itself into some trouble by storing unencrypted data was CardSystems Solutions. As a third-party processor of credit card transactions, you’d think CardSystems would have known better than to put people’s credit card information at risk. Unfortunately, the company was out of compliance and improperly holding credit card data on transactions that failed to receive authorization.
The result was that more than 40 million accounts were exposed to hackers in 2005, including 100,000 Visa accounts and 30,000 accounts from other banks. Names, card numbers and card security codes were all taken according to CNN. Visa and Amex later cut ties with CardSystems over the incident and a failure to correct conditions that led to the breach.
7. Heartland Payment Systems
In 2009, Heartland Payment Systems showed yet again that even credit card payment processors can’t figure out how to stop card data from falling into the wrong hands. This time, around 130 million credit and debit cards were compromised after the company’s computer was infected with malware. Thieves could use the stolen information to produce counterfeit cards with real data.
Computerworld reports that the costs of the breach exceeded US$140 million as Heartland paid out damages for class action lawsuits, and compensated Visa and American Express for losses.
8. HM Revenue & Customs
Private companies don’t have a monopoly on security breaches. HM Revenue & Customs had more than 1,000 security incidents in its Wales offices from April 2011 to August 2012. According to BBC News Wales, official vehicles were stolen, building passes and phones lost and consumer material was disclosed improperly.
Although a lot of security breaches at HMRC were pretty small scale, some were much bigger mistakes; HMRC lost discs with details of 25 million people’s child benefit information. The pension details of more than 6,500 pensioners were subject to a data breach shortly thereafter, leading the Conservative Party to ask the European Commission to investigate HMRC for a possible lapse in fulfilling its obligations under the EU’s Data Protection Directive.
9. AOL
AOL’s mistake earned it a place on CNN Money’s list of the 101 Dumbest Moments in Business in 2007. The data breach happened when AOL tried to reach out to the academic community by providing new research tools, but accidentally released the search queries of 657,000 Internet users in their misguided efforts.
It turned out that these queries could actually be matched with specific users, even though AOL said they couldn’t. Not only that, but the data released included financial information. Compounding the terrible error was that the file wasn’t just released to researchers but to the public at large. The CEO resigned over the security breach and a half-billion dollar class action was filed against the company by customers who were understandably aggrieved.
10. Certegy Check Services Breach
Certegy Check Services should have checked out its staff a little more carefully before hiring. The company revealed in 2007 that one of its employees had stolen the records of as many as 8.5 million customers and passed on personal information to a data broker. Records that were sold by this enterprising criminal included personal information, credit card and bank account data.
BankInfoSecurity.com reports that Certegy settled with Florida’s Attorney General, agreeing to pay US$850,000 in court costs following the incident. The company also agreed to put better safeguards in place in the future so one rogue employee couldn’t put so many at risk.