If you’re looking for the biggest breaches of the year in terms of numbers affected, you can find them over on DataLossDB.org or in others’ reviews. Certainly there were some really big breaches this year, but those were not necessarily the worst, in my opinion. So here’s my short list of the year’s worst breaches involving personally identifiable information. In chronological order:
1. The HBGary Federal hack.
I don’t claim to be a security expert, but if you’re making the claim, then having your server successfully attacked and all your professional correspondence exposed on the web should be seriously embarrassing. Not only should HBGary Federal have been embarrassed, but the February attack also exposed – and brought into negative public light – a well-known law firm. From a public relations standpoint, this breach was an in-your-face and up-your-left nostril attack that should have put everyone on notice that both data security and the collective known as Anonymous needed to be taken more seriously. In terms of immediate impact, after the firm’s emails became public, the Chamber of Commerce and Bank of America cut all ties with HBGary. Two other firms that had collaborated with them – Berico Technologies and Palantir – also cut ties with them. By the end of the year, however, HBGary CEO Gary Hoglund said that the breach had actually helped their business. Good for them, but not so good for others, perhaps?
2. Texas Comptroller’s Office web exposure incident.
In April, Texas Comptroller Susan Combs reported that the personal information of 3.5 million people had been accidentally disclosed on the web for quite a while – including Social Security numbers, dates of birth and other personal information. No hack necessary to get a goldmine of information for identity theft. Talk about shooting yourself in the foot…
3. The Arizona Department of Public Safety hack.
A hack by LulzSec in June also makes my list of worst breaches of the year. In a politically motivated attack that presaged other “AntiSec” or political attacks, the hackers released personal information on members of Arizona law enforcement and their families. For the rest of the year, releasing personal information on employees and their families became almost routine, despite the fact that the hackers occasionally recognized that calling the exposure of innocent uninvolved people “collateral damage” was not particularly acceptable to many members of the public.
4. The stolen SAIC/TRICARE backup tapes.
There were some massive health care sector breaches this year, but the SAIC breach was particularly bad for a few reasons. Unencrypted backup tapes with medical data on 5.1 million members of the military and their dependents were left in an employee’s car for 8 hours and were stolen. This was not the first time SAIC had unencrypted backup tapes stolen. In fact, it was the second time since 2010. Despite that and other breaches they have had in recent years, they continue to get huge government contracts. Members of Congress have now asked why.
5. Insurance Corporation of British Columbia insider breach.
There’s a lot we don’t know about this breach as yet, but it seems that an employee of the insurance company accessed and then disclosed information on 13 people who were later either shot at or were the victims of arson. Scarily, the employee also accessed information on 52 other people. Will they become victims, too? The RCMP are investigating, but this appears to be one of those breaches where there can be real and serious harm that has nothing to do with ID theft.
6. Hemmelig.com hack.
Hackers downloaded the entire database of over 26,000 users of Hemmelig.com, a Norwegian site that includes the sex trade. The downloaded material, which includes images and very personal messages, was dumped on the web. It seems only a matter of time before we start seeing embarrassing revelations about public figures as well as private citizens.
So that’s my short list. Did I leave out your candidate for worst of the year? If so, what was it?