Data Breaches: A Year in Review
By Amber Yoo
Privacy Rights Clearinghouse
There are hundreds of ways that a consumer's personal information may be lost, stolen or exposed. An employee may lose a laptop, hackers may download credit card numbers or sensitive personal data may be accidentally exposed online.
Privacy Rights Clearinghouse has been tracking breaches since 2005 and publishes a Chronology of Data Breaches. The Chronology counts the number of records leaked that contain information useful to identity thieves, such as Social Security numbers, financial account numbers, driver's license numbers – and in some states, medical information.
2011 was a significant year for data security, with some of the biggest data breaches in our history reported. So far in 2011, we’ve tracked 535 breaches involving 30.4 million sensitive records. This brings the total reported records breached in the U.S. since 2005 to the alarming number of 543 million.
"This is a conservative number," says Director Beth Givens, "We generally learn about breaches that garner media attention. Unfortunately, many do not. And, because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about. Our Chronology is only a sampling."
Data breaches of sensitive information, especially Social Security and credit card numbers, make consumers vulnerable to identity theft. According to a 2009 report by Javelin Strategy & Research, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter. But even breaches of data as seemingly innocuous as names and email addresses can be used by fraudsters to trick consumers into revealing information that leads to identity theft.
Unfortunately, it is virtually impossible for individuals to protect themselves from a data breach. It is up to organizations that collect data on consumers to take the steps to ensure the privacy and security of the data they collect and maintain.
The following half dozen are our top picks for the most significant data breaches in 2011:
1. Sony PlayStation (April 27) – Sony discovered an external intrusion on PlayStation Network (PSN) and its Qriocity music service around April 19. Sony blocked users from playing online games or accessing services like Netflix and Hulu Plus on April 22. The blockage lasted for seven days. Sony believes the criminal hacker(s) obtained names, addresses, email addresses, dates of birth, PSN/Qriocity logins and passwords, and online IDs for multiple users. The attacker may also have stolen users' purchase history, billing address, and password security questions. Over the course of the next several months, Sony discovered that the hackers had gained access to 101.6 million records, including 12 million unencrypted credit card numbers.
The Sony breach highlights the importance of password hygiene. Passwords are frequently the only thing protecting our private information from prying eyes. Many websites that store your personal information (for example web mail, photo or document storage sites, and money management sites) require just a user name and password for protection. Password-protected web sites are becoming more vulnerable because people often use the same password on numerous sites. One study by Sophos, a security firm, found that more than 30% of users recycle the same password for every site they access. In this case, the stolen passwords were unencrypted, meaning the criminal could potentially "break in" to other sites wherever a victim had reused the same password. Properly stored passwords are never kept in a readable form at all: they are run through a slow, per-user salted hash, so a stolen password table yields nothing reusable without an expensive offline cracking effort.
2. Epsilon (April 2) – Epsilon, an email service provider for companies, reported a breach that affected approximately 75 client companies. Email addresses and customer names were exposed. Epsilon has not disclosed the names of the companies affected or the total number of names stolen. However, millions of customers received notices from a growing list of companies, making this one of the largest breaches of customer contact data on record. Conservative estimates place the number of customer email addresses breached at 50 to 60 million; the number exposed may have reached 250 million.
Compromised email addresses and names may seem innocuous to some, but victims may fall prey to spear phishing. Spear phishing occurs when a criminal sends an email that sounds and looks like it's from a company the recipient has an account with, and addresses him or her by name. A spear-phishing message might say, "Hello Mr. Anderson, Because of the recent hacking incident affecting some Acme customers, we are asking you to visit this website [URL provided] and update your security settings." The email tries to convince trusting readers to "bite" on the bait, go to that website, and divulge other information such as Social Security numbers and credit card numbers. The result can be as serious as identity theft.
The Epsilon breach is also significant because it highlights the risk of entrusting customer data to third-party, cloud-based service providers and the need for stronger cloud security measures.
3. Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) (Nov. 16) – A company-issued desktop computer was stolen from SMF's administrative offices in Sacramento, California, during the weekend of October 15. Although the data was password protected, it was not encrypted. Approximately 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan name exposed. An additional 934,000 SMF patients had dates of service and descriptions of medical diagnoses and/or procedures used for business operations exposed, bringing the total to 4.2 million patients. At least two lawsuits have been filed against Sutter Health. One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data, and then did not notify the millions of patients whose data went missing within the time required by state law.
The security lapse occurred on two levels: the data itself (being unencrypted) and the physical location (stored in an unsecured location). Although no Social Security numbers or financial information were apparently exposed, all the data elements needed for medical identity theft were included in the stolen records.
4. Texas Comptroller's Office (April 11) – Information from three Texas agencies was discovered to be accessible on a public server. Sometime between January and May of 2010, unencrypted data was transferred from the Teacher Retirement System of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas. It ended up on a state-controlled public server as early as April 2010 and was not discovered until March 31, 2011. Sensitive information such as names, Social Security numbers, addresses, dates of birth and driver's license numbers could have been exposed.
A spokesperson from the Texas Comptroller's Office says that the breach occurred because numerous procedures were not followed. Some employees were fired for their roles in the incident. Approximately two million of the 3.5 million individuals possibly affected were unemployment insurance claimants who may have had their names, Social Security numbers and mailing addresses exposed. The birth dates and driver's license numbers of some of these people were also exposed. Two class action lawsuits have been filed on behalf of the 3.5 million Texans affected by the breach. One such lawsuit seeks a $1,000 statutory penalty for each individual.
Although all breaches of sensitive personal information are serious, the Texas Comptroller breach is particularly significant because individuals generally do not have a choice when providing personal information to a government agency. It is therefore vitally important that government agencies act as responsible stewards of personal data.
5. Health Net (March 15) – Nine data servers containing sensitive health information went missing from Health Net's data center in Rancho Cordova, California. The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information.
Not only was Health Net the first massive medical breach of the year, but the company waited three months before notifying affected individuals. The servers were discovered missing in January, but policyholders were not notified until March. The breach highlights the importance of timely notification.
6. Tricare Management Activity, Science Applications International Corporation (SAIC) (Sept. 30) – The theft of backup tapes from an employee's car resulted in the exposure of protected health information from patients of military hospitals and clinics. Uniformed Service members, retirees and their families were affected. Patient data from the military health system dating from 1992 to September 2011 could have been compromised. It included Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions, and other medical information. Four people have filed a $4.9 billion lawsuit over the improper disclosure of active and retired military personnel and family data; the lawsuit seeks $1,000 for each affected individual. SAIC reported that 5,117,799 people were affected by the breach.
The Tricare/SAIC breach is significant because the victims are at risk not only of medical identity theft but of financial identity theft as well. The breach raises several questions: Why were the backup tapes being transported in an employee's personal vehicle? And why were those records not encrypted? This breach also illustrates the double impact of medical breaches: victims suffer the exposure of their sensitive health information, and they are left vulnerable to both financial and medical identity theft.
It is also significant that three of our six top breaches (Sutter, Health Net and Tricare/SAIC) are medical breaches. Data breaches in the healthcare industry are up 32 percent over last year, according to one report. Medical breaches are particularly significant and harmful because of the sensitivity of the health information exposed, which often comes bundled with Social Security numbers and dates of birth.
These breaches highlight some important lessons, among them: the need for strict privacy and security policies; the importance of data retention policies (data you no longer hold cannot be breached); and the need for data to be encrypted, both at rest on desktops, servers and backup tapes and in transit between agencies. Most data breach notification laws have a safe harbor for encrypted data because stolen data is generally unreadable by prying eyes if it is encrypted. Note that this safe harbor only applies when the encryption key was not taken along with the data, and that password protection of a device or file, as in the Sutter case, is not encryption.
California was the first state to implement a data breach notice law, in 2003. Now all but four states have passed such laws. In January 2012, Senator Joe Simitian's amendments to this landmark law go into effect, requiring breached entities to submit their notice letters to the California Attorney General. The AG's office will post the letters on its website, joining at least a dozen states that require centralized notice, a handful of which post that information on their websites.
For more information, read:
· PRC's Alert: Data Breaches: Why You Should Care and What You Should Do
· PRC's Fact Sheet 17b: How to Deal with a Security Breach
· PRC's Fact Sheet 17: Coping with Identity Theft: Reducing the Risk of Fraud
You can also see this email on our website at www.privacyrights.org/top-data-breach-list-2011
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Amber Yoo works for the Privacy Rights Clearinghouse.



XYZZXSJ02 of(Baker v WCAB, XS; aka Duncan v WCAB, XS)
"This is a conservative number," says Director Beth Givens. "We generally learn about breaches that garner media attention. Unfortunately, many do not. And, because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about."
The statement above is certainly true. "DATA BREACHES OCCUR that WE NEVER HEAR ABOUT" is particularly the ONE that I am interested in.
PRIVACY is a very important public issue that affects the fundamental right guaranteed to every citizen under the State and US Constitutions. Under our Constitution, many subsequent laws have been passed to protect that privacy. Oftentimes such laws were created by the Legislature due to the concerns of their constituents, from the increasing number of complaints, and generally from LAWSUITS that have been successfully litigated and prosecuted. Unfortunately, litigants that have celebrity status are more likely to succeed after a BREACH than those who are among the common people of our society. Access to justice SHOULD be guaranteed under the Constitution, but more often than not, common people may have a difficult time ahead if they are not financially equipped for the legal battle.
Sometimes even if the victim has all the evidence to prosecute, the legal system may hinder JUSTICE for victims through cronyism within the judicial system. One particular obstruction of justice to Civil Rights is the issue of the "Statute of Limitations." If you think this is not a serious matter, think again. The most vulnerable of our society are often the victims in this situation.
Consider a disabled person who is rendered impaired, physically and/or mentally. Or a person's right to Privacy may have been breached, but the victim is unaware of his or her rights to legal due process, or of how to navigate the legal system, or may not even be aware of the laws that govern the Statute of Limitations or how to file a petition for reconsideration when such a limitation was untimely met.
Such constraints are pitted against every vulnerable individual citizen and contradict the fundamental Civil Rights that are guaranteed under our Constitution. Even when such an option is available, such as filing a petition for reconsideration as to why we should be exempt from the statute of limitations when filing a complaint of a violation at the Office of Civil Rights, such an option is rendered ineffective. It is another hurdle designed to make it difficult for, or to delay, claims by victims under the Civil Rights Act long enough that the Statute of Limitations will lapse, leaving the victim with no other means to Justice.
This may be you, your significant other, your family member, or your friend. Catastrophic events may happen, and your only means of advocacy is through the help of your attorney (that is, if you can get one). Sometimes, if you can get one, the attorney may be sincere or may be unscrupulous. Regardless, attorneys are basically out for their own gains (meaning, is your case worth their time--that means MONEY). Respect for the LAW means how much MONEY the judicial system can gain from litigation and/or criminal prosecution. HONOR for the rule of LAW and JUDICIAL INTEGRITY has been LOST unless there is MONEY to be gained.
What happens if our government fails to obey or willfully disobeys LAWS that were passed by the Legislature--LAWS that were established and are there to protect our citizens? What happens when our government, whom the people entrusted to enforce such laws, willfully disobeys them? Who do we go to for justice?
Oftentimes our government has us, the people, think that it operates under the LAW and that many activities are operated with the utmost efficiency and integrity, untarnished by bad actors within, without serious consequences if found guilty. In the past we automatically thought that our government had all the laws in place to prevent it from overreaching and abusing its power, until we faced ADVERSITIES.
The 99% KNOW NOW that government is generally NOT there for us when we need it and that many of the LAWS were actually designed to be imperfect, to create legal loopholes and limits, or to make it difficult to get justice when WE seek it.
The second Greatest Recession/Depression should not have happened if WE had learned anything from the First. The housing crisis and debt crisis might not have happened had WE been paying attention. As consumers we generally take everything with a grain of salt and believe that WE have LAWS that are there to protect all of us, until WE realize that those LAWS were in fact a false sense of security.
THAT IS THE REALITY that WE THE PEOPLE have come to realize in recent decades. That is the reality that I have faced as I exercise my Rights and test the LAW, from the day I became a victim of a crime in an Elementary School that rendered me permanently disabled. Such a tragedy could have been prevented had DIR CAL-OSHA conducted an on-site Safety Compliance Audit of such exposure when such issues were brought up by parents at the PTA and at the school superintendent meetings; had such complaints been taken seriously, this event might have been prevented. Unfortunately, government is in a unique position to ignore the LAWS because it has LAWS that make it difficult and challenging for anyone to initiate a lawsuit and, if so, make it even more difficult for anyone to win, because it has created many laws that were designed to block individuals from initiating LAWSUITS.
The ONLY means for individuals to get justice is to fulfill THAT duty of our Citizens to come forward with their story and go public with the problems. Whistle-blower hotlines are only effective when the government actually ACTS on the TIPS it receives. Oftentimes even THAT has become politicized by Government officials that are in a hot seat. It becomes just a means of collecting information used to "stonewall" public justice and accountability, and a way to delay such action long enough for the bad actors to resign, escaping legal action against them or any form of accountability (at least that is what the bad actors have us think).
The LAWS were "engineered," unfortunately, to shield many of the wealthy bad actors and corporations, and the corrupt government officials, from litigation, according to my former lawyers. These public issues must be brought to bear. And the only means left when all else fails is to go PUBLIC. And that is what I intend to do for the good of my fellow Americans. The editorial above is just the right opening for me to discuss my experiences regarding the subject of PRIVACY LAWS. PRIVACY LAWS are supposed to exist to protect and preserve the rights of individuals' PRIVACY. That includes protection of personally identifiable information (PII), bank accounts and confidential medical information, to name a few.
1) It limits our government from searching our homes unless they have a search warrant. It limits searches of our persons without probable cause. President Nixon knew that it was wrong to wiretap our phones.
2) Entering private property is a violation of the right to privacy.
3) Tampering with mail and illegally entering an apartment post office without permission is a federal offense and may be subject to federal prosecution.
4) Hospitals, caregivers, physicians and insurers are impacted by the HIPAA regulation that protects our confidential medical information. Ordinary medical information is treated differently from "super confidential" medical information, and the disclosures are limited.
5) Taking photos in retail stores or places of business without their permission may be considered illegal. Taking photos of someone in a place of business and misleading the person as to the purpose for which the photo is taken may be an invasion of privacy.
6) Police brutality or abuse by government officers entering a private residence, coming to my door without cause.
7) Using someone's information in order to profit from it without the "permission" of the person may also be considered an invasion of privacy. (This holds true for those who have gained celebrity status--whether in entertainment, in sports, in law, in sin, in achievements, or in politics, etc.)
From the day I was injured at work, I personally have experienced those items above. All incidents were serious offenses that are so overwhelming that I still continue to suffer from the damage that's been done. It was a life-changing experience that no individual should ever have to face. The most injurious done to me with regard to PRIVACY were those committed by the California Justice System.
My story began on January 20, 2004 (the day President Bush was inaugurated for his second term and during California Governor Arnold Schwarzenegger's tenure). That is when the nightmare began, and it has never stopped since. I never fully recovered from that incident and continue to endure the devastation of the aftermath of that crime.
I never imagined in my wildest dreams that our government would be the one that would actually break the LAW, try to hide it, and BREACH MY PRIVACY.
Often we see breaking news of private corporations, hospitals, or individuals invading the privacy of individuals, but we hardly hear of any occurrences where the Justice Department, particularly the State Supreme Court, breaches a victim's privacy and confidential medical information (medical information which is protected by strict LAWS) at its World-Wide-Web site. THAT is what actually happened to me.
According to the State and Federal Constitutions, PRIVACY is an inalienable right. A State Agency (Department of Industrial Relations Director John C. Duncan, appointed by Governor Schwarzenegger) and his LEGAL team broke the law by failing, and at times willfully disobeying, the Court Order to protect me. The Presiding Judge of the Workers' Compensation Appeals Board issued the Court Order to ensure that my PRIVACY was protected as my case went through the legal system.
It was particularly important to me because I was a victim of crime. My criminal case file remains open until the pending criminal and police investigation is completed and because the assailants remain at large.
In addition, I was issued an alias name due to the nature of my case, and I have super-confidential medical information that is protected by other LAWS. My given name and identity were supposed to be protected and redacted from the public record as my case went to Court. No one in the system volunteered to inform me when my Privacy was Breached. No one in the judicial system was even held accountable to the public for such misconduct. The Attorneys responsible for the Breach never contacted me about it and were completely silent when I made it known to the California Supreme Court through my Attorney. It is a complete failure of Justice when the crime is committed by those individuals in our government who should know the LAW and Constitution.
To avoid public embarrassment and public scrutiny, the California Justice System kept this fundamental Civil Rights issue "silent" in order to save face. That is the hypocrisy of the California Justice System THAT is so appalling. There is a concerted effort in this system, from the Lawyers to Judges to the California Bar Association to Local Media and to various special Law Foundations, to hold me back from attaining the legal representation necessary to bring my Civil Rights issue to bear.
That is why I took my former Civil Rights Attorney's advice to go public, since the damage is done and is irreversible and at some point in time I will have to go public.
I didn't realize why he was advising me to do that until he actually confessed to me that he was afraid that I might sue him after I found out that he 'also' breached my name when he filed my claim at the Victims Compensation and Government Claims Board (VCGCB). Subsequently, that Attorney resigned and terminated our agreement and kept the retainer fees I gave to him after the defendant's attorney threatened him with a violation of professional ethics.
My last hope was the Office of Civil Rights. But that Agency again is just another hurdle for me. I will have to wait and see what they will do for me.
FOR NOW I will continue my effort, seek help, and continue to write about my experiences and go public so that my fellow AMERICANS are AWARE. If death comes prematurely my way, I wish for the public to know what I have gone through and am still battling with, for the GOOD of my fellow Americans and to preserve and protect our Civil Rights and Constitution.
As long as I am alive, this system won't break my will. I will persevere along with the Occupy Wall Street Movement.
XYZZXSJ02