Sunday, December 20, 2009

The 2009 data breach hall of shame


If there was anything even vaguely comforting about the data breaches that were announced this year, it was that many of them stemmed from familiar and downright mundane security failures.

Companies continued to be felled more by usual issues such as lost laptops, un-patched or poorly coded software, inadvertent disclosures and rogue insiders, rather than by sneaky new attack techniques or devastating new hacker tools.

Here's a look back at five of the more notable breaches of the year:

TSA: Lessons in redaction
In what must arguably rank as one of the biggest security gaffes of this year, the Transportation Security Administration (TSA) accidentally posted on a public Web site a manual that contained complete details on its airport screening procedures.

The TSA manual included details for screening passengers, checking for explosives devices, special rules for handling the CIA, diplomats and law enforcement officials, and the technical settings and tolerances used by metal and explosive detectors used at airports.

The leak occurred when an improperly redacted TSA Standard Operations Procedures manual was posted on a federal Web site as part of a a contract bid solicitation process. Lawmakers called the gaffe "shocking" and "reckless," as wells as a threat to national security.

Heartland Payment Systems: 2009's breach poster child
Heartland makes the list simply by virtue of the spectacular size and scope of the data breach it disclosed in January.

The compromise stemmed from SQL injection errors that allowed hackers to break into the payment processor's networks and steal data on approximately 130 million credit and debit cards over several months.

That number easily eclipsed the 94 million or so cards that were believed to have been compromised in the hack at TJX Companies Inc in 2007. It gave Heartland the dubious distinction of having announced the largest ever data breach in history.

Health Net: Delayed disclosure
It was bad enough that Health Net of the Northeast Inc. lost a hard drive containing seven years worth of unencrypted personal, financial and medical information on about 1.5 million customers. What made the loss worse was that the company did not disclose it for nearly six months after the drive went missing.

Along with medical records, the hard drive contained names, addresses and Social Security numbers of Health Net customers from Arizona, Connecticut, New Jersey and New York.

A new healthcare breach notification law that went into effect in November is designed to force companies to disclose such breaches sooner. But few are likely to do so because of a controversial "harm threshold" clause entered into the bill at the last moment. Continue article -> Computerworld

No comments:

Post a Comment