The year is only half over, but there have been some doozies of security breaches. If the constant news stories haven’t scared you into stepping up your security testing, maybe this Dark Reading list will.
6 Biggest Breaches of 2012 So Far
Zappos
Records Breached: 24 million records, including names, email addresses, phone numbers, last four digits of credit card numbers, and encrypted passwords
Incident: A hacker gained access through a Zappos server into the company’s internal network to snag personal information that could be used to phish Zappos customers.
Lessons Learned: While there may be no such thing as a good breach, many experts consider Zappos a role model for limiting the damage once one has happened. For one, the protection the company used for its stored passwords held up. Second, the company clearly had an incident response and notification plan in place and used it.
University of North Carolina
Records Breached: 350,000 records
Incident: Two separate incidents, one going back a decade, exposed Social Security numbers and financial information online.
Lessons Learned: System misconfigurations left back-end university systems exposed to the public Internet. This is an increasingly familiar breach scenario these days.
Global Payment Systems
Records Breached: 7 million consumer records, including 1.5 million credit cards
Incident: The credit card processor found in March that 1.5 million credit card records had been exported from its North American processing system. In its investigation, it has since found that a database of new and past processing applicants had also been hit.
Lessons Learned: Without a doubt the most impactful breach of the year so far, this massive exposure offers a valuable lesson in the folly of point-in-time, check-box compliance: passing an audit on one day says nothing about the state of the systems the rest of the year.
South Carolina Health and Human Services
Records Breached: 228,435 records
Incident: An employee was caught after emailing himself hundreds of thousands of patient records during the course of several months, including Medicaid ID numbers for more than 22,000 patients.
Lessons Learned: Sometimes it is the authorized users who can steal the most valuable and sensitive records, using exactly the access they were legitimately given. Months of outbound email to one personal address is the kind of pattern that should be visible to whoever watches the mail gateway.
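The slow, months-long insider exfiltration described above is something a mail gateway can be made to notice. The following is an added example (not code from the Dark Reading article or from the agency involved) of detection logic run over a constructed gateway log. The log format, the internal domain name `agency.example`, the 90-day window and the 50,000-row threshold are all assumptions chosen for the illustration; a real deployment would feed in whatever record counts its DLP scanner or gateway reports per attachment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

INTERNAL_DOMAIN = "agency.example"   # assumed: the organisation's own mail domain
WINDOW = timedelta(days=90)          # look-back window; the incident ran over several months
ROW_THRESHOLD = 50_000               # assumed: cumulative rows sent externally that warrant review


class Event(NamedTuple):
    ts: datetime
    sender: str
    recipient: str
    rows: int                        # record count reported for the attachment


# Constructed sample gateway log (not the real incident's data).
# Columns: timestamp sender recipient attachment_rows
SAMPLE_LOG = """\
2012-01-09T17:42:10 jdoe@agency.example jdoe@webmail.example 18000
2012-01-10T09:12:41 asmith@agency.example vendor@partner.example 40
2012-02-06T18:05:33 jdoe@agency.example jdoe@webmail.example 22000
2012-02-06T18:07:02 jdoe@agency.example billing@agency.example 22000
2012-03-14T19:21:09 jdoe@agency.example jdoe@webmail.example 31000
2012-03-15T10:00:00 asmith@agency.example asmith@agency.example 500
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed whitespace-separated format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, rows = line.split()
        events.append(Event(datetime.fromisoformat(ts), sender.lower(),
                            recipient.lower(), int(rows)))
    return events


def is_external(address: str) -> bool:
    """True when the recipient is outside the organisation's own domain."""
    return address.rsplit("@", 1)[1] != INTERNAL_DOMAIN


def is_self_addressed(sender: str, recipient: str) -> bool:
    """Same local part at another domain: the 'mail it to my personal account' pattern."""
    return sender.split("@", 1)[0] == recipient.split("@", 1)[0]


def find_exfil(events: List[Event], window: timedelta = WINDOW,
               threshold: int = ROW_THRESHOLD) -> Dict[str, dict]:
    """Per sender, slide a time window over their external sends and alert when the
    rows inside any window reach the threshold. No single message need be large;
    the point is that small, regular sends to the same outside address add up."""
    by_sender: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if is_external(e.recipient):
            by_sender[e.sender].append(e)

    alerts: Dict[str, dict] = {}
    for sender, evs in by_sender.items():
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e.rows
            while e.ts - evs[start].ts > window:       # drop sends older than the window
                total -= evs[start].rows
                start += 1
            if total >= threshold and total > alerts.get(sender, {}).get("rows", 0):
                span = evs[start:end + 1]
                alerts[sender] = {
                    "rows": total,
                    "messages": len(span),
                    "first": span[0].ts,
                    "last": span[-1].ts,
                    "self_addressed": all(is_self_addressed(sender, x.recipient) for x in span),
                }
    return alerts


if __name__ == "__main__":
    for who, info in find_exfil(parse_log(SAMPLE_LOG)).items():
        print(who, info)
```

Note that the message to `billing@agency.example` is ignored as internal, and that `asmith`'s small external send never approaches the threshold; only the sender who repeatedly mails large extracts to an outside account bearing his own name is flagged, and the alert records that the pattern was self-addressed, which is the detail an analyst will want first.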
University of Nebraska
Records Breached: 654,000 student records
Incident: Social Security numbers, addresses, grades, and more were stolen from the Nebraska Student Information System (NeSIS) database. Details of how the breach occurred are still under wraps, but a suspect has been identified and law enforcement is involved.
Lessons Learned: Putting one’s eggs in a single basket makes it prudent to make sure that basket is made out of Kevlar.
LinkedIn
Records Breached: 6.5 million hashed user passwords
Incident: The appearance of a password dump on an online forum prompted responses from the security community, which confirmed that the information was from LinkedIn. After some scrambling, LinkedIn confirmed the breach.
Lessons Learned: Just slapping any old encryption scheme onto sensitive data is not good enough these days. Passwords in particular should not be encrypted at all but hashed with a per-user salt and a deliberately slow algorithm; the LinkedIn dump consisted of unsalted SHA-1 hashes, which can be matched against a wordlist cheaply and all at once.
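The contrast between the Zappos and LinkedIn lessons, that password protection which "passed muster" versus "any old scheme", comes down to how the stored hashes behave under a dictionary attack. The following is an added example (not code from the article or from either company) that puts the two side by side: an unsalted SHA-1 dump of the kind LinkedIn leaked, cracked with one lookup table, beside salted PBKDF2 storage where every user costs the attacker a separate, slow pass over the wordlist. The wordlist, the sample users and the 200,000-iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist; stands in for the dictionaries crackers run against a dump.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein", "welcome"]


# --- Weak scheme: one fast, unsalted hash per password (what the LinkedIn dump held) ---

def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(dump: List[str], wordlist: List[str]) -> List[Tuple[int, str]]:
    """Build ONE lookup table for the wordlist and match every leaked hash against it.
    Cost is proportional to the wordlist, not the number of users: equal passwords give
    equal hashes, so every user who picked a wordlist entry falls at once.
    Returns (user index, recovered password) pairs."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return [(i, table[h]) for i, h in enumerate(dump) if h in table]


# --- Stronger scheme: per-user random salt plus a deliberately slow key derivation ---

PBKDF2_ITERATIONS = 200_000   # assumed; raise as hardware gets faster


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = pbkdf2_store(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def crack_salted(records: List[Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[int, int]:
    """With a unique salt per record no shared table exists: each record needs its own pass
    over the wordlist, and each guess costs PBKDF2_ITERATIONS hash calls.
    Returns (records cracked, total underlying hash calls)."""
    cracked, calls = 0, 0
    for salt, digest in records:
        for w in wordlist:
            calls += PBKDF2_ITERATIONS
            if pbkdf2_verify(w, salt, digest):
                cracked += 1
                break
    return cracked, calls


def demo() -> Dict[str, int]:
    """Constructed dump of five users, three of whom chose wordlist passwords.
    The same three fall under both schemes; what differs is the attacker's bill."""
    chosen = ["password", "Tr0ub4dor&3-correct", "123456", "linkedin", "x9!Vq2#plover"]
    unsalted_dump = [sha1_unsalted(p) for p in chosen]
    salted_records = [pbkdf2_store(p) for p in chosen]

    found_unsalted = crack_unsalted(unsalted_dump, WORDLIST)
    found_salted, salted_calls = crack_salted(salted_records, WORDLIST)
    return {
        "unsalted_cracked": len(found_unsalted),
        "unsalted_hash_calls": len(WORDLIST),          # one table, built once
        "salted_cracked": found_salted,
        "salted_hash_calls": salted_calls,
    }


if __name__ == "__main__":
    print(demo())
```

Against this six-word list the unsalted dump falls after six hash computations regardless of how many users are in it, while the salted records cost the attacker millions of hash calls for five users and would scale linearly with the user count. That scaling, plus the fact that two users with the same password no longer share a hash, is the whole difference between a dump that is embarrassing and one that is immediately exploitable.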
Visit Dark Reading to read more about each breach and get more “lessons learned.”
There are some companies, some government agencies and way more schools than there should be on that list, which should just serve as further proof that no matter what industry you’re in, you can’t afford to be cavalier with your security (or your members’ information).