Jump to content

Data breach

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Nbdubya (talk | contribs) at 18:21, 12 December 2011 (2008). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

A data breach is the intentional or unintentional release of secure information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and also data spill. Incidents range from concerted attack by black hats with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media. Definition "A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so." Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), Personally identifiable information (PII), trade secrets of corporations or intellectual property. According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed.[1]

Definition

This may include incidents such as theft or loss of digital media such as computer tapes, hard drives, or laptop computers containing such media upon which such information is stored unencrypted, posting such information on the world wide web or on a computer otherwise accessible from the Internet without proper information security precautions, transfer of such information to a system which is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted e-mail, or transfer of such information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.[2]

Trusted environment

The notion of a trusted environment is somewhat fluid. The departure of a trusted staff member with access to sensitive information can become a data breach if the staff member retains access to the data subsequent to termination of the trust relationship. In distributed systems, this can also occur with a breakdown in a web of trust.

Data privacy

Most such incidents publicized in the media involve private information on individuals, i.e. social security numbers, etc.. Loss of corporate information such as trade secrets, sensitive corporate information, details of contracts, etc. or of government information is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.

Consequences

Although such incidents pose the risk of identity theft or other serious consequences, in most cases there is no lasting damage; either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the hardware stolen, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate damages by providing to the victims subscription to a credit reporting agency, for instance.

Major incidents

Well known incidents include:

2011

  • In April 2011, Sony experienced a data breach within their Playstation Network. It is estimated that the information of 100 million users was compromised.
  • In June 2011, Citigroup disclosed a data breach within their credit card operation, affecting approximately 210,000 or 1% of their customers' accounts.[3][4]

2009

  • In December 2009 a RockYou! password database was breached containing 32 million user names and plaintext passwords, further compromising the use of weak passwords for any purpose.
  • In January 2009 Heartland Payment Systems announced that it had been "the victim of a security breach within its processing system", possibly part of a "global cyber fraud operation".[5] The intrusion has been called the largest criminal breach of card data ever, with estimates of up to 100 million cards from more than 650 financial services companies compromised.[6]

2008

  • In January 2008, GE Money, a division of General Electric, disclosed that a magnetic tape containing 150,000 social security numbers and in-store credit card information from 650,000 retail customers is known to be missing from an Iron Mountain Incorporated storage facility. J.C. Penney is among 230 retailers affected.[7]
  • Horizon Blue Cross and Blue Shield of New Jersey, January, 300,000 members [1]
  • Lifeblood, February, 321,000 blood donors [1]
  • British National Party membership list leak,[8]
  • In Early 2008, Countrywide Financial (since acquired by Bank of America) allegedly fell victim to a data breach when, according to news reports and court documents, employee Rene L. Rebollo Jr. stole and sold up to 2.5 million customers' personal information including social security numbers.[9][10] According to the legal complaint: "Beginning in 2008 - coincidentally after they sold their mortgage portfolios under wrongful and fraudulent 'securitization pools,' and coincidentally after their mortgage portfolio went into massive default as a result thereof - Countrywide learned that the financial information of potentially millions of customers had been stolen by certain Countrywide agents, employees or other individuals."[11][12] In July 2010, Bank of America settled more than 30 related class-action lawsuits by offering free credit monitoring, identity theft insurance and reimbursement for losses to as many as 17 million consumers impacted by the alleged data breach. The settlement was estimated at $56.5 million not including court costs.[13]

2007

2006

2005

References

  1. ^ a b c d e f g h i j k "A Chronology of Data Breaches", Privacy Rights Clearinghouse
  2. ^ When we discuss incidents occurring on NSSs, are we using commonly defined terms?, "Frequently Asked Questions on Incidents and Spills", National Archives Information Security Oversight Office
  3. ^ [1]
  4. ^ [2]]
  5. ^ Heartland Payment Systems Uncovers Malicious Software In Its Processing System
  6. ^ Lessons from the Data Breach at Heartland, MSNBC, July 7, 2009
  7. ^ GE Money Backup Tape With 650,000 Records Missing At Iron Mountain - Iron Mountain
  8. ^ BNP activists' details published - BBC News
  9. ^ "Bank of America settles Countrywide data theft suits"
  10. ^ "Countrywide Sued For Data Breach, Class Action Suit Seeks $20 Million in Damages", Bank Info Security, April 9, 2010
  11. ^ Cite error: The named reference courthousenews was invoked but never defined (see the help page).
  12. ^ "Countrywide Sold Private Info, Class Claims", Courthouse News, April 05, 2010
  13. ^ "The Convergence of Data, Identity, and Regulatory Risks", Making Business a Little Less Risky Blog
  14. ^ "T.J. Maxx data theft worse than first reported". msnbc.com. 2007-03-29. Retrieved 2009-02-16.
  15. ^ data Valdez Doubletongued dictionary
  16. ^ AOL's Massive Data Leak, Electronic Frontier Foundation
  17. ^ data Valdez, Net Lingo
  18. ^ "Active-duty troop information part of stolen VA data", Network World, June 6, 2006