BreachExchange mailing list archives

Is your personal data ever truly safe?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 4 Feb 2015 19:50:57 -0700

http://www.cbronline.com/news/security/is-your-personal-data-ever-truly-safe-4502027

Data collection has been going on for years and, for almost as long, people
have raised concerns over how it should be used and what can be collected.
Currently the EU is discussing data protection laws that could either
create a free-for-all on data collection and usage or, far more likely,
severely restrict it. Sometimes, however, it doesn't matter what laws are in
place, as data breaches caused by hacking, oversights or stupidity can
happen to even the biggest organisations.

CBR has compiled a list of the top ways Big Data has been breached.

Retail

In 2014, Home Depot suffered a data breach due to malware installed on
cash register systems across 2,200 stores, which siphoned credit card
details of up to 56 million customers. Although the details hacked did not
reveal passwords, payment information or other sensitive personal
information, it did leave millions vulnerable to phishing scams.

Target had a similar credit data breach: around 70 million individuals had
their names, mailing addresses, phone numbers and emails stolen. The
company attempted to argue over semantics, over whether it was a theft or a
breach, but in the end a vast amount of data was taken from the company.
Other data that was taken included account data, including credit and debit
card numbers, expiration dates, the three-digit CVV security code, and even
PIN data for 40 million account holders. It has been reported that Target
may be liable for up to $3.6 billion.

Banking

In 2007, the personal data of approximately 2.6 million current and former
holders of Chase-Circuit credit cards was thrown out, mistaken as trash.
The data was found in rubbish bags outside 5 of their New York branches.
Then in 2014, JP Morgan suffered a large scale hack which affected 76
million households and 7 million small businesses. The data revealed names,
addresses, phone numbers and emails of account holders.

The breach came as a result of a neglected server that had not received a
simple security fix implementing two-factor authentication.

JP Morgan aren't alone in breaches, though: Heartland Payment Systems had a
huge data breach in 2008, which resulted in an estimated 130 million
customer accounts being compromised. Heartland had to pay $110 million to
Visa, Mastercard, American Express and others in order to settle claims
against them.

Politics

Perhaps one of the biggest political events in the past 20 years is
Wikileaks. There have been numerous leaks from the organisation; some of the
most notable included the Iraqi war logs, where 400,000 confidential
documents were released, and the Afghanistan war logs, where 76,900
documents were released. Wikileaks was criticised for potentially putting
national security and armed forces at risk, and one of those responsible,
Chelsea Manning, is now serving a 35 year jail sentence under the Espionage
Act.

The Snowden leaks are potentially the biggest data breaches in history,
detailing vast amounts of spying by GCHQ and the NSA, some of which was
directly aimed at spying on political leaders, such as German Chancellor
Angela Merkel.

Despite the magnitude, these revelations were not a complete surprise:
Duncan Campbell and his team had revealed mass surveillance of telephone
conversations within the Echelon project, an extension of the UKUSA
Agreement on global signals intelligence.

The data was accessed through Edward Snowden, who worked as an NSA
contractor and had access to everything, all the data that the NSA had.
Snowden began mining the data and slowly released it through public
channels. It is estimated that a potential 1.7 million files were hacked.

Internet Companies

In 2004 a former America Online software engineer, Jason Smathers, stole 92
million screen names and email addresses and sold them to spammers who sent
out up to 7bn unsolicited emails. Smathers was sentenced to 1 year and 4
months in jail for the crime.

The breach cost AOL somewhere in the region of $400,000, but this clearly
didn't improve AOL's data security.

Only 2 years later, AOL had another massive data breach; this time they
only had themselves to blame, as they released 20 million web queries from
650,000 AOL users. The data, which was supposed to be used for research
purposes, was instead released to everyone on the internet, for which they
apologised profusely. Although no financial loss was disclosed, it is
unlikely that business will have picked up after such a PR catastrophe.

Sports

Before a pre-World Cup friendly in 2014, in a blunder caused by an unknown
person or persons, the passport numbers, accurate pictures of signatures,
dates of birth and full names for the entire England squad were all
provided to the press along with the team sheet details.

To add to the extremity of the blunder, Vauxhall, the corporate sponsor,
also tweeted this in full. Despite a quick retraction of the tweet,
the data had already been shared and duplicated too many times. Although
most sources have been tracked down, the data is still out there,
representing a significant risk to all those named.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/