Privacy Compliance & Data Security Information on Data Breach Prevention and the Appropriate Response

2011 Data Breach Summary


Smart Money just ran a story about the top five data breaches of 2011. While I do not necessarily agree that these are the top five (students, students, NYC hospital patients, not to mention the Stratfor breach), the takeaway is interesting. No two of them share the same source for the breach:

1.  Epsilon.  What more needs to be said to keep contract attorneys up at night than "Epsilon"?  This data breach involved a third party losing data about its customers’ customers.  Stated another way, the owner of the information did nothing wrong…other than hiring a contractor that mishandled information.  Does indemnification mean more to you now?  The takeaway from this breach: come clean, come clean, come clean.

2.  Sony.  Massive breach of the online gaming network.  Lots of data lost, lots of downtime for pasty, sun-averse gamers.  Hackers targeting the network to blame.  The takeaway from this breach: do not handle it the way Sony handled it.

3.  Tricare.  Science Applications International Corp. had data backup tapes stolen from a car.  SAIC is a defense contractor for the military.  Approximately 4.9 million veterans affected.  Hackers targeting lax security to blame.  The takeaway from this breach: don’t leave the data tapes in the car (come on, people!).

4.  Sutter.  A simple stolen desktop computer containing information about possibly 3.3 million patients goes missing.  The takeaway from this breach: encrypt!  Chances are they had zero intention of stealing the actual information, but you can be sure it was still a breach notification scenario.

5.  Texas Comptroller.  This is number three in my book.  Personal information of 3.5 million people left publicly available for over one year.  Information about persons required to hand over that information, not information voluntarily handed over.  Total disaster.  Anyone could have found this information, given its availability.  The takeaway from this breach: hire IT staff that is security conscious and, more importantly, give those people the budget to do their jobs.

BONUS: not a data breach, but a significant ruling this year.  Corporations have no right to privacy.  This Supreme Court ruling impacts corporate decisions on so many levels…or it should.

Happy New Year to our readers.