The breach of Heartland Payment Systems grabbed the headlines for much of the year and the entire population of Belize had their birth details stolen when a government employee left a laptop in a car, but what else went on?
Your details, my friend, were blowing in the wind
Although the number of breaches involving paper records does not appear to have increased from 2008 to 2009, by the end of the third quarter, paper breaches comprised more than one quarter of U.S. breaches reported in the media this year. The federal government sent a strong message when it fined CVS $2.25 million for violating HIPAA by improperly disposing of pharmacy records, but was anyone else listening?
Doctor, doctor, give me the news
Almost a year after it first reported receiving an extortion attempt with evidence that the extortionist had acquired members’ prescription records, pharmacy benefit management firm Express Scripts reported that the extortionist had acquired much more data than they originally believed. In April, the Virginia Prescription Monitoring Program database was hacked and they, too, received an extortion demand.
As in past years, we saw some large breaches involving health insurers. Blue Cross Blue Shield reported two major breaches – one involving a stolen laptop and one involving stolen hard drives. To the irritation of a number of state attorneys general, Health Net belatedly reported the loss of a hard drive containing many members’ insurance or health-related information.
Over in the U.K., it seemed that every month we were reading about yet another NHS unit that had breached the Data Protection Act and was now required to sign an “Undertaking” with the Information Commissioner’s Office. We also learned that an outsource transcription service in India was selling patient information.
If the healthcare sector doesn’t make you ill, the malware will
2009’s “new math” was that hacking + malware = big trouble. The Heartland Payment Systems breach grabbed the spotlight on that in January, only ceding it temporarily when a 2008 RBS WorldPay breach resulted in a coordinated attack on over 2000 ATMs to the tune of $9 million in a few hours. Despite protesting their PCI-DSS compliance, the two processors were banished from the card brands’ approved list, but within months were restored to approved status.
Malware also started rearing its head more in social media networks and online banking, and a number of small businesses found themselves taking their banks to court over funds that were stolen from their accounts. And of course, despite all of the scam alerts, some people fell for phishing attempts. That would be bad enough, but when you read that 46% of all Brits use the same login/pass for all of their accounts, the problems are magnified.
On a positive note, several master cybercriminals such as Ehud Tenenbaum and Albert Gonzalez pleaded guilty to involvement in numerous large breaches, but not all of their accomplices have been apprehended and we have not been told about other payment processors that were under attack. In October, we started getting reports about a major breach in Spain that is affecting cardholders in Europe and beyond, but we have not yet been told whether it is a card processor or other entity that is the source of the breach and whether or not it involved malware.
And as we struggled to learn names from Russia, Estonia, Romania, and Latvia, each week seemed to bring new headlines of ID theft rings that had been broken up by law enforcement. Many of the local rings did not involve malware, however, but used much more low-tech approaches.
2009 was a “fine year”
Among the most publicized fines for inadequate security or breaches: TJX paid almost $9 million to settle with 41 state attorneys general, and Heartland Payment Systems paid American Express $3.6M over its 2008 data breach and claimed that it is fighting MasterCard’s more than $6 million fine. Over in the U.K., the Financial Services Authority (FSA) fined HSBC Life UK, HSBC Actuaries and Consultants, and HSBC Insurance Brokers more than £3m. The FSA also fined UBS £8 million.
The U.S. Commodity Futures Trading Commission fined Interbank FX, LLC (Interbank) $200,000, the Financial Industry Regulatory Authority (FINRA) fined Centaurus Financial (CFI) $175,000, and the Securities and Exchange Commission fined Commonwealth Financial Network $100,000.
It was also a busy year for state attorneys general. In addition to the TJX settlement, CVS and Walgreens settled with Indiana’s Attorney General, while Payment Resources International paid a fine to the Vermont Attorney General. BNY Mellon was fined by the Connecticut Attorney General and Blue Cross was fined by the Delaware Insurance Commissioner. Kaiser Permanente was also socked with a few fines by California over employees snooping in celebrity patients’ files.
That settles that!
In 2009, the FTC settled charges against ChoicePoint, James B. Nutter, Comp Geeks/Genica (Compgeeks), and Rental Research Services, while the Texas Attorney General settled charges against Cornerstone Fitness and the Florida Attorney General settled charges against VICI Marketing.
Class-action lawsuits in response to breaches generally continue to disappoint irate consumers, who seem to keep trying anyway. In 2009, most of the Hannaford Bros. breach lawsuit was dismissed, and an attempt to file a class-action lawsuit against Express Scripts was dismissed. Among the breach-related lawsuits that settled during the year were the 2006 stolen V.A. laptop lawsuit, the D.A. Davidson lawsuit, a Heartland Payment Systems class-action suit by consumers, and TJX settlements with some banks and 41 state attorneys general. Other lawsuit settlements either received preliminary approval or were rejected: Countrywide Financial (approved), TD Ameritrade (rejected), and the Olive Garden FACTA lawsuit (approved). But consumers weren’t the only ones disappointed by lawsuit outcomes in 2009. Cumis was dealt a blow when the Massachusetts Supreme Court ruled that BJ’s Wholesalers and Fifth Third Bank were not liable to Cumis for the costs it incurred after the BJ’s breach.
Also new in 2009: two groups of restaurateurs filed lawsuits against Radiant Systems, alleging that the vendor’s software was not compliant and was responsible for the hacks they suffered in 2007 and 2008.
New laws delayed, watered down, nonexistent
This year, the FTC introduced new Red Flag Rules in the hope of reducing identity theft. The effective date was delayed and delayed… and groups successfully sued to be exempt from the rules. Similarly, Massachusetts’ new data security regulations were amended and are now slated to go into effect in March 2010, but I’m not holding my breath on that. Of course, we still have no federal data breach notification law, and some of the proposed laws don’t even include mandatory notification of paper breaches. The new HITECH Act, which sounded pretty good when Congress passed it, got watered down by HHS to include a “harm” threshold that Congress had rejected. The law has been in effect since September, and to date, the public web page where reported breaches are to be posted is… empty.
And to add further insult to injury, Governor Schwarzenegger vetoed a privacy protection bill that would have made California’s protections even stronger.
So what will you remember about 2009 breaches? You can use the comments section below to add your memories or commentary.