BreachExchange mailing list archives
Is your personal data ever truly safe?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 4 Feb 2015 19:50:57 -0700
http://www.cbronline.com/news/security/is-your-personal-data-ever-truly-safe-4502027

Data collection has been going on for years and for almost as long people have raised concerns over how it should be used and what can be collected. Currently the EU is discussing data protection laws that could either create a free for all on data collection and usage, or far more likely - severely restrict it. Sometimes however, it doesn't matter what laws are in place, as data breaches caused by hacking, oversights or stupidity can happen to even the biggest organisations. CBR has compiled a list of the top ways Big Data has been breached.

Retail

In 2014, Home Depot suffered a data breach, due to malware installed on cash register systems, across 2,200 stores which siphoned credit card details of up to 56 million customers. Although the details hacked did not reveal password, payment information or other sensitive personal information, it did leave millions vulnerable to phishing scams.

Target had a similar credit data breach, around 70 million individuals had their names, mailing addresses, phone numbers and emails stolen. The company attempted to argue over semantics, whether it was a theft or a breach, but in the end a vast amount of data was taken from the company. Other data that was taken included account data, including credit and debit card numbers, expiration dates, the three-digit CVV security code, and even PIN data for 40 million account holders. It has been reported that Target may be liable for up to $3.6 billion.

Banking

In 2007, the personal data of approximately 2.6 million current and former holders of Chase-Circuit credit cards was thrown out, mistaken as trash. The data was found in rubbish bags outside 5 of their New York branches.

Then in 2014, JP Morgan suffered a large scale hack which affected 76 million households and 7 million small businesses. The data revealed names, addresses, phone numbers and emails of account holders. The breach came as a result of a neglected server which had not had a simple security fix which implemented a two-factor authentication.

JP Morgan aren't alone in breaches though, Heartland Payment Systems had a huge data breach in 2008, which resulted in an estimated 130 million customer accounts being compromised. Heartland had to pay $110 million to Visa, Mastercard, American Express and others in order to settle claims against them.

Politics

Perhaps one of the biggest political events in the past 20 years - Wikileaks. There have been numerous leaks from the organisation, some of the most notable included the Iraqi war logs, where 400,000 confidential documents were released, and the Afghanistan war logs where 76,900 documents were released. Wikileaks was criticised for potentially putting national security and armed forces at risk and one of those responsible, Chelsea Manning, is now serving a 35 year jail sentence under the Espionage Act.

The Snowden leaks are potentially the biggest data breaches in history, detailing vast amounts of spying by GCHQ and the NSA, some of which was directly aimed at spying on political leaders, such as German Chancellor Angela Merkel. Despite the magnitude, these revelations were not a complete surprise, Duncan Campbell and his team revealed mass surveillance of telephone conversations within the Echelon project, an extension of the UKUSA Agreement on global signals intelligence.

The way the data was accessed was through Edward Snowden, he worked as an NSA contractor and had access to everything, all the data that the NSA had. Snowden began mining the data and slowly released it through public channels. It is estimated that a potential 1.7 million files were hacked.

Internet Companies

In 2004 a former America Online software engineer, Jason Smathers, stole 92 million screen names and email addresses and sold them to spammers who sent out up to 7bn unsolicited emails. Smathers was sentenced to 1 year and 4 months in jail for the crime. The breach cost AOL somewhere in the region of $400,000, but this clearly didn't improve AOL's data security.

Only 2 years later and AOL had another massive data breach, this time they only had themselves to blame as they released 20 million web queries from 650,000 AOL users. The data, which was supposed to be used for research purposes, was instead released to everyone on the internet, for which they apologised profusely. Although no financial loss was released, it is unlikely that business will have picked up after such a PR catastrophe.

Sports

Before a pre-World Cup friendly in 2014, in a blunder caused by an unknown person or persons, the passport numbers, accurate pictures of signatures, dates of birth and full names for the entire England squad were all provided to the press along with the team sheet details. To add to the extremity of the blunder, Vauxhall, the corporate sponsor also tweeted this in full.

Despite running a quick retraction of the tweet, the data had already been shared and duplicated too many times. Although most sources have been tracked down, the data is still out there, representing a significant risk to all those named.