The Privacy Rights Clearinghouse (PRC), in its annual Chronology of Data Breaches report, recently noted that there have been 535 data breaches made public this year, affecting a total of 30.4 million records. While the number of breaches is down from the 604 reported in 2010, the total number of records compromised is significantly higher, increasing by more than 18 million year over year.
The reason for this is that 2011 saw some of the biggest data breaches in history, coming in a number of different forms and affecting a wide range of industries.
According to the PRC's report, three of the top six breaches involved healthcare organizations. The largest of these befell Sutter Physicians Services and the Sutter Medical Foundation in October. The breach, which affected more than 4.2 million patients, occurred when a company-issued computer was stolen from the medical foundation's administrative office in Sacramento, California.
The computer contained the names, addresses, birth dates, email addresses, phone numbers, medical record numbers and health insurance plan names of 3.3 million patients, and dates of services and medical procedure details for an additional 934,000 patients. In November, 944,000 of those affected by the breach sued Sutter Health for $1 billion, claiming the healthcare organization was negligent in protecting patient information and slow to notify the victims.
The other two healthcare breaches involved Health Net and Tricare Management Activity. The latter occurred in September, when it was discovered that tapes containing medical records of military personnel and their families had been stolen from a data contractor in San Antonio. Though it is unclear whether the medical records were actually the target of the theft, Tricare said the tapes included the Social Security numbers, addresses, phone numbers and other personal data of some 4.9 million people.
Ironically, the tapes were reportedly being transported to a secure storage facility, and the transfer process was in compliance with the terms of the contractor's service agreement.
The two biggest data breaches of the year both occurred within a few weeks of each other and received a great deal of attention from the data security industry as well as the mainstream media.
The second-largest breach hit email service provider Epsilon in the spring and affected roughly 75 of its clients, who saw their own customers' names and email addresses stolen from Epsilon's databases. Epsilon did not disclose which clients were involved, but the list of its accounts includes several high-profile companies, like JPMorgan Chase, Best Buy and Walgreens, among others.
Though the number of clients directly involved in the breach is relatively low, the sheer size of these companies means that as many as 250 million people may have been affected by the breach, the PRC noted. The main danger with this type of breach is that it opens victims to spear phishing attacks, in which cybercriminals send seemingly legitimate emails that lead to malicious websites or include harmful attachments.
In response to the breach, Epsilon announced in late June that it was implementing new data security enhancements to reduce the chance of similar incidents occurring again. Among the steps taken was the introduction of a two-factor authentication process that requires users to provide two forms of identification to access its email platform.
The video game industry had a rough year in 2011. Not only were sales uncharacteristically low, but several of the industry's biggest companies, including Nintendo, Sega and others, had to deal with the effects of data breaches.
The big breach, however, impacted Sony and its online gaming service, the PlayStation Network (PSN). Sony discovered an unauthorized intruder on its PSN and Qriocity music service in mid-April. According to reports, the hackers had gained access to more than 100 million records, which included names, email addresses, birth dates, passwords, user names and possibly some billing information.
The incident dominated discussion in the data security world for some time and forced Sony to take its online gaming service down for several weeks. Following the breach, Sony made a number of significant changes to its data security practices, including the appointment of a new chief information security officer, the relocation of its data center and improvements to its data encryption levels, among other moves.
While the security industry praised Sony for taking real initiative following the breach, it is estimated the company spent $171 million dealing with the incident, which still serves as something of a black eye.
These and other incidents serve to highlight the importance of data security practices going into the new year. Not only can a data breach result in fines and expensive remediation, but the damage to a company's reputation can be severe. In 2012, companies will face a new set of data protection challenges that need to be addressed. Many businesses would be wise to look at these examples in order to determine where their own security practices can be improved.
Security News from SimplySecurity.com by Trend Micro