{"id":938,"date":"2009-12-29T08:57:54","date_gmt":"2009-12-29T03:27:54","guid":{"rendered":"https:\/\/www.qadit.com\/blog\/?p=938"},"modified":"2010-01-02T09:13:21","modified_gmt":"2010-01-02T03:43:21","slug":"a-list-of-major-security-breaches-of-2009","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/a-list-of-major-security-breaches-of-2009\/","title":{"rendered":"A list of major security breaches of 2009"},"content":{"rendered":"<p>As we begin a new year, I thought it would be a good time to reflect upon some major information security breaches of 2009. The organizations involved make this list very interesting. What makes it even more interesting is the analysis of each breach, which indicates that the incidents could have been averted by adopting some fundamental security best practices.<\/p>\n<p><!--more--><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"247\" valign=\"top\"><strong>Organisation<\/strong><\/td>\n<td width=\"262\" valign=\"top\"><strong>Analysis of Breach<\/strong><\/td>\n<td width=\"148\" valign=\"top\"><strong>Impact<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"247\" valign=\"top\"><strong>Heartland Payment Systems<\/strong><\/td>\n<td width=\"262\" valign=\"top\">For Heartland, a Princeton, N.J.-based payment systems company, the initial warnings came from Visa and MasterCard. Their concern: Suspicious processed credit card activity. Turns out that Heartland was the target of one of the biggest cyber-fraud schemes ever, one allegedly carried out by a former Secret Service informant and Russian hackers.
Almost three dozen separate lawsuits on behalf of consumers, investors, banks and credit unions have been filed against Heartland.<\/td>\n<td width=\"148\" valign=\"top\"><em>Number of records affected:<\/em> More than 130 million credit and debit card numbers from Heartland and Hannaford.<\/td>\n<\/tr>\n<tr>\n<td width=\"247\" valign=\"top\"><strong>Metro Nashville School<\/strong><\/td>\n<td width=\"262\" valign=\"top\">Public Consulting Group, a private contractor, unintentionally put student data on a computer Web server that wasn\u2019t secure, and the data was available online for three months.<\/td>\n<td width=\"148\" valign=\"top\"><em>Number of records affected:<\/em> 18,000<\/td>\n<\/tr>\n<tr>\n<td width=\"247\" valign=\"top\"><strong>Federal Reserve Bank of New York<\/strong><\/td>\n<td width=\"262\" valign=\"top\">A former employee of the New York Fed and his brother were arrested on suspicion of obtaining loans using stolen identities. The ex-employee previously worked as an IT analyst at the bank and had access to sensitive employee information, including names, birthdates, Social Security numbers and photographs. A thumb drive attached to his computer was found to have applications for $73,000 in student loans using two stolen identities.<\/td>\n<td width=\"148\" valign=\"top\"><em>Number of records affected:<\/em> Unknown<\/td>\n<\/tr>\n<tr>\n<td width=\"247\" valign=\"top\"><strong>Virginia Department of Health Professions<\/strong><\/td>\n<td width=\"262\" valign=\"top\">\u201cGive us $10 million, and we\u2019ll return the millions of personal pharmaceutical records we stole from your prescription drug database.\u201d That\u2019s essentially what hackers told the state of Virginia in May. Did they have the goods?
A notice posted on the Virginia DHP Web site acknowledged that the site \u201cis currently experiencing technical difficulties which affect computer and e-mail systems.\u201d<\/td>\n<td width=\"148\" valign=\"top\"><em>Number of records affected:<\/em> Potentially 531,400<\/td>\n<\/tr>\n<tr>\n<td width=\"247\" valign=\"top\"><strong>University of California, Berkeley<\/strong><\/td>\n<td width=\"262\" valign=\"top\">Hackers infiltrated Berkeley\u2019s restricted computer databases, possibly stealing personal information of 160,000 current and former students and alumni. The university said Social Security numbers, health insurance information and non-treatment medical records dating back to 1999 were accessed. The breach was discovered April 21, when administrators performing routine maintenance identified messages left by the hackers and found that restricted electronic databases had been illegally accessed from Oct. 9, 2008 to April 6, 2009. All of the exposed databases were removed from service to prevent further attacks.<\/td>\n<td width=\"148\" valign=\"top\"><em>Number of records affected:<\/em> 180,000<\/td>\n<\/tr>\n<tr>\n<td width=\"247\" valign=\"top\"><strong>Internal Revenue Service<\/strong><\/td>\n<td width=\"262\" valign=\"top\">The IRS dumped old tax returns at a dozen disposal facilities; old returns were tossed out in regular waste containers and dust bins. This work was being conducted by contract employees who, of course, have access to sensitive taxpayer documents but who, the IRS admitted, may or may not have passed background checks.
Another problem: the agency wasn\u2019t sure who was supposedly responsible for overseeing the burning or shredding of tax documents at the 12 IRS offices involved.<\/td>\n<td width=\"148\" valign=\"top\"><em>Number of records affected:<\/em> Unknown<\/td>\n<\/tr>\n<tr>\n<td width=\"247\" valign=\"top\"><strong>Aetna<\/strong><\/td>\n<td width=\"262\" valign=\"top\">Current and former Aetna employees\u2019 Social Security numbers may have been compromised as the result of a Web site data breach. This was the result of a spam campaign in which intruders obtained email addresses and possibly SSNs from the Aetna Web site. Aetna notified the 65,000 people whose SSNs were on the site and was subsequently sued in a class action suit demanding credit monitoring, punitive damages, costs and other relief for former and potential employees.<\/td>\n<td width=\"148\" valign=\"top\"><em>Number of records affected:<\/em> 573,000<\/td>\n<\/tr>\n<tr>\n<td width=\"247\" valign=\"top\"><strong>Network Solutions<\/strong><\/td>\n<td width=\"262\" valign=\"top\">Those damn hackers. Breaking into Web servers provided by e-commerce hosting provider Network Solutions, hackers were able to plant rogue code that ended up compromising almost 600,000 debit and credit card accounts over a three-month interval. The hackers were able to intercept personal and financial data from customers purchasing goods and services from Network Solutions\u2019 4,343 clients.
Most were SMBs selling online.<\/td>\n<td width=\"148\" valign=\"top\"><em>Number of records affected:<\/em> 573,000<\/td>\n<\/tr>\n<tr>\n<td width=\"247\" valign=\"top\"><strong>National Archives<\/strong><\/td>\n<td width=\"262\" valign=\"top\">When a hard drive used for eVetRecs, the system through which veterans request copies of their health records and discharge papers, failed late last year, the National Archives and Records Administration sent it to GMRI, the contractor that sold it to the agency, to be fixed. GMRI decided it was beyond repair and sent it to another vendor to be recycled. The only problem? National Archives didn\u2019t destroy the data on the disk before sending it out to its contractor.<\/td>\n<td width=\"148\" valign=\"top\"><em>Number of records affected:<\/em> 76 million<\/td>\n<\/tr>\n<tr>\n<td width=\"247\" valign=\"top\"><strong>Universal American Action Network<\/strong><\/td>\n<td width=\"262\" valign=\"top\">Universal Action Network, a subsidiary of Universal American Insurance, sent out postcards to 80,000 Universal clients earlier this month. The problem was that each of the cards included the Social Security numbers of the recipients. Identity theft, anyone? Universal blamed the inclusion of the SSNs on a printing error and said it has terminated its contract with the printer.<\/td>\n<td width=\"148\" valign=\"top\"><em>Number of records affected:<\/em> 80,000<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>As we begin a new year, I thought it would be a good time to reflect upon some major information security breaches of 2009. The organizations involved make this list very interesting.
What makes this list even more interesting is the analysis of the \u00a0breach- which indicates that the incidents could &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/qadit.com\/blog\/a-list-of-major-security-breaches-of-2009\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;A list of major security breaches of 2009&#8221;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[12,7,1,109],"tags":[],"class_list":["post-938","post","type-post","status-publish","format-standard","hentry","category-itsec","category-frauds","category-uncategorized","category-website-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-f8","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/938","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=938"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/938\/revisions"}],"wp:attachment":[{"href":"https:
\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=938"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=938"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=938"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}