A Few of the Major Incidents of Data Breachs

Major incidents From Wikipedia, the free encyclopedia

Well known incidents include:

2013[edit]

• In October 2013, Adobe Systems revealed that their corporate data base was hacked and some 130 million user records were stolen. According to Adobe, "For more than a year, Adobe’s authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than 1,000 times. This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored."^[7]
  Further information: Adobe Systems#Source code and customer data breach

2012[edit]

• In the Summer of 2012, Wired.com Senior Writer Mat Honan claims that "hackers destroyed my entire digital life in the span of an hour” by hacking his Apple, Twitter, and Gmail passwords in order to gain access to his Twitter handle and in the process, claims the hackers wiped out every one of his devices, deleting all of his messages and documents, including every picture he had ever taken of his 18-month-old daughter.^[8] The exploit was achieved with a combination of information provided to the hackers by Amazon's tech support through social engineering, and the password recovery system of Apple which used this information.^[9] Related to his experience, Mat Honan wrote a piece outlining why passwords cannot keep users safe.^[10]

2011[edit]

• In April 2011, Sony experienced a data breach within their PlayStation Network. It is estimated that the information of 77 million users was compromised.
• In March 2011, RSA suffered a breach of their SecurID token system seed-key warehouse, where the seed keys for their 2-Factor authentication system were stolen, allowing the attackers to replicate the hardware tokens used for secure access in corporate and government environments.
• In June 2011, Citigroup disclosed a data breach within their credit card operation, affecting approximately 210,000 or 1% of their customers' accounts.^[11][12]

2009[edit]

• In December 2009 a RockYou! password database was breached containing 32 million user names and plaintext passwords, further compromising the use of weak passwords for any purpose.
• In May 2009 the United Kingdom parliamentary expenses scandal was revealed by The Daily Telegraph. A hard disk containing scanned receipts of UK Members of Parliament and Peers in the House of Lords was offered to various UK newspapers in late April, with The Daily Telegraph finally acquiring it. They published details in installments from 8 May onwards. Although it was intended by Parliament that the data was to be published, this was to be in redacted form, with details the individual members considered "sensitive" blanked out. The newspaper published unredacted scans which showed details of the claims, many of which appeared to be in breach of the rules and suggested widespread abuse of the generous expenses system. The resulting media storm led to the resignation of the Speaker of the House of Commons and the prosecution and imprisonment of several MPs and Lords for fraud. The expenses system was overhauled and tightened up, being put more on a par with private industry schemes. The Metropolitan Police Service continues to investigate possible frauds, and the Crown Prosecution Service is considering further prosecutions. Several MPs and Lords apologised and made whole, partial or no restitution, and retained their seats. Others who had been shamed in the media did not offer themselves for re-election at the United Kingdom general election, 2010. Although numbering less than 1,500 individuals, the affair received the largest global media coverage of any data breach (as at February 2012).
• In January 2009 Heartland Payment Systems announced that it had been "the victim of a security breach within its processing system", possibly part of a "global cyber fraud operation".^[13] The intrusion has been called the largest criminal breach of card data ever, with estimates of up to 100 million cards from more than 650 financial services companies compromised.^[14]

2008[edit]

• In January 2008, GE Money, a division of General Electric, disclosed that a magnetic tape containing 150,000 social security numbers and in-store credit cardinformation from 650,000 retail customers is known to be missing from an Iron Mountain Incorporated storage facility. J.C. Penney is among 230 retailers affected.^[15]
• Horizon Blue Cross and Blue Shield of New Jersey, January, 300,000 members ^[1]
• Lifeblood, February, 321,000 blood donors ^[1]
• British National Party membership list leak,^[16]
• In Early 2008, Countrywide Financial (since acquired by Bank of America) allegedly fell victim to a data breach when, according to news reports and court documents, employee Rene L. Rebollo Jr. stole and sold up to 2.5 million customers' personal information including social security numbers.^[17][18] According to the legal complaint: "Beginning in 2008 - coincidentally after they sold their mortgage portfolios under wrongful and fraudulent 'securitization pools,' and coincidentally after their mortgage portfolio went into massive default as a result thereof - Countrywide learned that the financial information of potentially millions of customers had been stolen by certain Countrywide agents, employees or other individuals."^[19] In July 2010, Bank of America settled more than 30 related class-action lawsuits by offering free credit monitoring, identity theft insurance and reimbursement for losses to as many as 17 million consumers impacted by the alleged data breach. The settlement was estimated at $56.5 million not including court costs.^[20]

2007[edit]

• D. A. Davidson & Co. 192,000 clients' names, customer account and social security numbers, addresses and dates of birth^[21]
• The 2007 loss of Ohio and Connecticut state data by Accenture
• TJ Maxx, data for 45 million credit and debit accounts^[22]
• 2007 UK child benefit data scandal
• CGI Group, August, 283,000 retirees from New York City ^[1]
• The Gap, September, 800,000 job applicants ^[1]
• Memorial Blood Center, December, 268,000 blood donors ^[1]
• Davidson County Election Commission, December, 337,000 voters ^[1]

2006[edit]

• AOL search data scandal (sometimes referred to as a "Data Valdez",^[23][24][25] due to its size)
• Department of Veterans Affairs, May, 28,600,000 veterans, reserves, and active duty military personnel,^[1][26]
• Ernst & Young, May, 234,000 customers of Hotels.com (after a similar loss of data on 38,000 employees of Ernst & Young clients in February) ^[1]
• Boeing, December, 382,000 employees (after similar losses of data on 3,600 employees in April and 161,000 employees in November, 2005) ^[1]

2005[edit]

• Ameriprise Financial, stolen laptop, December 24, 260,000 customer records ^[1]

Great Information on Business and Commerical Identity Theft

Business Identity Theft

ShareThis  Print   E-Mail   Comment

By Dan Jones November 15, 2013

Click to enlarge.

Business identity theft: Is your company's EIN safe?

To combat identify theft, most of us have learned to be very careful with our personal information. We are protective of our individual bank statements, credit card information and Social Security numbers.

Similarly, most businesses are aware of the need to thoroughly protect their customers' personal information. Televised stories of misplaced laptop computers and hacked databases from banks, government agencies and merchants remind us all of the need to protect information that can subject clients to identity-theft concerns. Security failures pose threats not only to clients, but also to the reputation of any business from which such information is obtained.

It is critical that businesses not forget that they too can have their identities stolen. Business identity theft is an increasingly common development, one which can take several forms. Even relatively "small" cases of business identity theft can have potentially catastrophic results for businesses. Online searches for the phrase "business identity theft" pull up pages of stories.

For example, a couple's business was a victim of identity theft when a criminal wrote fraudulent checks where the name and address of the couple's business appeared on some of the checks possessed and passed by the criminal. The account number on the checks actually did not belong to the business, and the bank account of the business had not actually been attacked.

While relieved to find that their business's bank account had not been drained, the couple soon found that because fraudulent checks totaling in excess of $12,000 had been written in the name of their business, check verification companies such as Telecheck had blacklisted their business. They were required to fill out countless forms and police reports detailing each forged check before they could get their business removed from the blacklists. The potential harm to reputation and the time required to make things right could be a devastating blow to a fledgling or otherwise struggling business.

Other criminals may attempt to obtain credit by stealing the Employer Identification Number of a business, creating and even recording false corporate documents such as authorizations to act on behalf of the business, and then using that information to obtain merchandise, credit cards or lines of credit in the victim company's name. Small businesses can be a great avenue to realize criminal gains. Business owners can have access to larger credit lines than individuals, and can be slower to realize and resolve a problem.

For example, a law firm in San Diego found that criminals had moved into its building, ordered and received $70,000 worth of computers and furniture in its name, hired a moving truck and disappeared before the law firm actually received the bill. In a different extreme case in 2006, authorities overseas discovered a sophisticated ring of criminals who had established a complete counterfeit NEC-branded company, including more than 50 factories producing a full line of counterfeit NEC products. The factories even boldly displayed the NEC name. Thankfully for NEC, the counterfeit products were not so inferior as to create havoc for their reputation, but the counterfeit operation certainly succeeded in stealing a great deal of income from the legitimate company. Had the counterfeit products been substantially inferior, it could have been disastrous for NEC.

Colorado's secretary of state and attorney general have worked to warn businesses about identity theft risks. Together with the ID Theft Unit from the Colorado Bureau of Investigation, they also have prepared the "Business Identify Theft Resource Guide – A Guide to Protecting Your Business and Recovering from Business Identity Theft." This guide can be found online at www.sos.state.co.us/pubs/business/ProtectYourBusiness/BITresourceguide.html.

A particular area of concern for all business owners that I wish to highlight here involves the secretary of state's system for receiving business records. Nearly all of the business-related forms required by the secretary of state now are submitted online. The secretary of state's office has warned that since the system relies on the honesty of those submitting documents it can be abused by criminals who enter false records for existing businesses to give themselves the appearance of propriety when applying for credit or completing other transactions with unsuspecting third parties.

Because most business owners check the accuracy of their records at the secretary of state's office only rarely (for example, perhaps only once each year when submitting an Annual Report), a business record revised by a criminal might go unnoticed for months. Additionally, such revised records might create problems for the actual business owners if clients or lenders check the site.

Fortunately, business owners may monitor any changes made to their online records by receiving automatic email notification whenever any change is made to a business's record. The system does not limit the number of persons who can be notified in the event of a change to your business's online records. Additionally, the secretary of state's office also now permits businesses to set up "Secure Business Filing" accounts, where the online business record is password-protected, providing additional control over who is able to make changes.

To subscribe to the email notification system or to set up a Secure Business Filing account, there are links to do so within the Business Identity Theft Resource Guide described above.

In any event, I encourage you to educate yourself further about the threats identity thieves pose to businesses, and to review the resource guide to become familiar with ways to prevent suffering the untold harms identity thieves can cause you.

Dan Jones has been an attorney at the Greeley office of Otis, Coan & Peters, LLC. He can be reached at djones@nocolegal.com or 970-330-6700.

Our plan can help you with Business Identity Theft, we believe every business should have access to Business Id Theft and legal coverage and every business should be able to afford it. Check out business plan at:

https://sites.legalshield.com/aasites/Multisite?site=biz&assoc=taylor_ra