Data Point: The six worst data leaks of 2011

Anonymous dominated hacker news this year. From challenging the Mexican drug cartels to its work with Occupy Wall Street, the hacktivist collective took its motley brand of Web vigilance to another level, striking anywhere and everywhere it seemed fit.

Outside the realm of Anonymous, however, it was a banner year for high-profile data leaks and information theft. Just ask anyone responsible for keeping secrets—big or small. From the darkly comical to the conspiracy theory-inducing, these are the moments that kept security professionals for some of the world’s most influential organizations awake at night and reaching for Mylanta.

Sony

Easily the highest-profile breach of consumer data this year, the theft of personal data belonging to 77 million users of Sony’s PlayStation Network made headlines worldwide for several weeks in April. It was widely reported as hacktivist retaliation for Sony’s legal pursuit of George Hotz, the 22-year-old hacker responsible for jailbreaking the PlayStation 3 hardware, which allowed non-approved software to run on Sony’s popular gaming platform.

The breach of Sony servers has been called the largest theft of personal information in history.

RSA

The information security division of EMC—whose current motto is ironically “The Leader in Cloud, Big Data, and Trust”—suffered a catastrophic loss of trust when essential secrets behind RSA’s SecurID were stolen. RSA called the intrusion an Advanced Persistent Threat—industry speak indicating the breach was highly sophisticated, the type of compromise carried out by a rogue government or an agency with huge resources. Loosely translated, "Somebody's shoved a red-hot poker up our ass, and I want to know whose name is on the handle,” as Mr. Pink commented in “Reservoir Dogs.”

SecurID tokens are widely used (70% market share, as reported in 2004) by corporations and governments to add a layer of security to log-ins coming from remote systems. The two-factor authentication scheme requires that a user possess a small device displaying a constantly changing token code, in addition to the user’s own password, to gain remote access.
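To make concrete why the theft of token secrets was so damaging, here is an added example that is not from the article and not RSA’s code: it models the two-factor scheme with the open HOTP/TOTP algorithms (RFC 4226 and RFC 6238) as a stand-in for SecurID’s proprietary token algorithm, which is an assumption for illustration only. The seed is the published RFC test secret, not a real token seed. The code shows the device-side computation, the server-side check, and the property the breach destroyed: the “something you have” factor proves possession of the device only while the device and the authentication server are the sole holders of the seed.

```python
import hashlib
import hmac
import struct

# Constructed seed: the RFC 4226 / RFC 6238 test secret ("12345678901234567890" in ASCII).
# On a real token the seed is a per-device secret that only the token itself and the
# authentication server should ever hold.
EXAMPLE_SEED = b"12345678901234567890"
STEP_SECONDS = 30  # assumed time step; RFC 6238 default


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    This is the "constantly changing" number the user reads off the device."""
    return hotp(seed, unix_time // STEP_SECONDS, digits)


def server_verify(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """What the authentication server does with the code the user typed in:
    recompute it from its own copy of the seed, tolerate +/- `window` time
    steps of clock drift, and compare in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def possession_proven(token_seed: bytes, other_seed: bytes, unix_time: int, steps: int = 3) -> bool:
    """The 'something you have' factor proves possession of the device only if
    nobody else holds its seed. Returns True when a party holding `other_seed`
    cannot reproduce what the genuine token displays over `steps` consecutive
    time steps; False when both seeds yield identical codes, i.e. when the
    seed itself has become the only secret protecting the account."""
    return all(
        totp(token_seed, unix_time + i * STEP_SECONDS) != totp(other_seed, unix_time + i * STEP_SECONDS)
        for i in range(steps)
    )


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 test timestamp, used here as a fixed clock
    print("token shows:", totp(EXAMPLE_SEED, now))
    print("server accepts:", server_verify(EXAMPLE_SEED, totp(EXAMPLE_SEED, now), now))
    print("factor intact with a private seed:", possession_proven(EXAMPLE_SEED, b"some other seed", now))
    print("factor intact once the seed is shared:", possession_proven(EXAMPLE_SEED, EXAMPLE_SEED, now))
```

Two design points follow from this. First, a leaked seed turns the two-factor login back into a password-only login, because every party holding the seed computes exactly what the device displays; that is why the linked contractor breaches were possible and why replacing tokens (issuing fresh seeds) rather than changing passwords is the remediation. Second, the server’s drift window should be small and the comparison constant-time, as `server_verify` does, since a wide window multiplies the codes an outsider could guess.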

Several breaches have been linked to the RSA token compromise, most notably those at defense contractor Lockheed Martin and Homeland Security contractor L-3 Communications.

Epsilon

Customer email addresses and other data belonging to more than 20 companies—including major retailers like Best Buy and Kroger, as well as financial services firms JP Morgan Chase and Capital One—were stolen from marketing services firm Epsilon in March. Previously known primarily to marketers, Epsilon, which claims to have sent more than 40 billion emails on behalf of over 2,500 companies in 2010, learned what it’s like to go from relative obscurity to the center of a Secret Service investigation, practically overnight.

The New York Yankees

April was a month of mayhem, and that certainly proved true for one Yankees employee who—on a day when he or she wasn’t exactly batting .500—inadvertently emailed the personal information of more than 17,000 “non-premium” season ticket holders to a small subset of the same group. More than 1,500 ticket holders received an email with an attached Excel spreadsheet containing the personal details of their peers.

Given that no credit card information was included in the leaked data, this ranks among the funniest breaches of 2011. In fact, loving statistics as all baseball fans do, one enterprising fan in possession of the spreadsheet went so far as to extrapolate some interesting statistics and share them with NYstadiuminsider.com.

  • The Yankees' total non-premium ticket revenue for 2011 is approximately $131,978,910 (plus or minus 1% accuracy due to possible discounting).
  • 2,179,237 total subscriber tickets were sold.

Texas Office of the Comptroller

The Social Security numbers and other personal information—in some cases, driver’s license numbers, dates of birth, and home addresses—of 3.5 million people were left lying around on a public web server run by the state comptroller’s office. Having owned up to the loss of data, Texas Comptroller of Public Accounts Susan Combs fired an undisclosed number of employees thought to be responsible and opened a special website to offer information for those affected.

The Office of the Texas Comptroller is currently facing a $3.5 billion lawsuit, which amounts to $1,000 for each individual whose privacy was potentially violated.

Health care, et al.

This week the Privacy Rights Clearinghouse, a San Diego-based advocacy group, declared that nearly 11 million Americans were victims in three separate health care-related data leaks.

The PRC’s list of the most significant data breaches of 2011 cites three major events.

Sutter Health, a northern California-based physicians group, lost 4.2 million records, including diagnosis and medical history details of nearly 1 million people. Health Net lost the data of 1.9 million patients and customers, which went missing along with the nine physical servers on which it was stored. And, perhaps most troubling, more than 5 million records belonging to former and active-duty members of the U.S. military, most including personal financial details and diagnosis records, went missing from Science Applications International Corporation (SAIC) when backup tapes were stolen from an employee’s car.

All told, this year saw a 32% increase in health care-related data leaks.

Pardon me; I think I feel sick.