Data spill
A data breach is the intentional or unintentional release of secure information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and data spill. Incidents range from concerted attacks by black hats with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media.
"A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so."
Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property.
According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed.

Definition

This may include incidents such as theft or loss of digital media such as computer tapes, hard drives, or laptop computers containing such media upon which such information is stored unencrypted; posting such information on the World Wide Web or on a computer otherwise accessible from the Internet without proper information security precautions; transfer of such information to a system which is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted e-mail; or transfer of such information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.

Trusted environment

The notion of a trusted environment is somewhat fluid. The departure of a trusted staff member with access to sensitive information can become a data breach if the staff member retains access to the data subsequent to termination of the trust relationship. In distributed systems, this can also occur with a breakdown in a web of trust.
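The departed-staff case above is one that can be checked mechanically: reconcile the HR roster against the account directory and the access log, and flag any former staff member whose account is still enabled or who is seen accessing resources after their termination date. The following is an added illustration, not code from the original article; the three record formats (roster, directory export, access-log lines) and all the sample data are constructed assumptions.

```python
"""Orphaned-access check: flag former staff whose accounts remain active or
are still used after the trust relationship ended.

Added illustration for the "trusted environment" discussion; not from the
original article. All input data below is constructed sample data, and the
record formats (HR roster, account directory, access log) are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample HR roster: user -> termination date (None = still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2024, 3, 31),
    "carol": date(2024, 1, 15),
    "dave": date(2024, 2, 29),
}

# Constructed sample directory export: user -> account enabled flag.
ACCOUNT_DIRECTORY = {
    "alice": True,
    "bob": True,      # left 2024-03-31 but the account was never disabled
    "carol": False,   # correctly disabled
    "dave": False,
}

# Constructed sample access log lines: "<ISO timestamp> <user> <resource>".
ACCESS_LOG = """\
2024-03-30T09:12:44 bob /finance/q1-forecast.xlsx
2024-04-02T18:05:01 bob /finance/q1-forecast.xlsx
2024-04-03T07:40:12 alice /hr/handbook.pdf
2024-02-10T11:00:00 dave /eng/design-docs/
2024-03-01T08:15:30 dave /eng/design-docs/
"""


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str          # "account_still_enabled" or "access_after_termination"
    detail: str


def parse_access_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse log lines into (timestamp, user, resource) tuples; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), user, resource))
    return events


def find_orphaned_access(roster, directory, log_text) -> list[Finding]:
    """Return a finding for every departed user who still has or uses access."""
    findings = []
    terminated = {u: d for u, d in roster.items() if d is not None}
    # 1. Departed users whose account is still enabled in the directory.
    for user, term_date in terminated.items():
        if directory.get(user, False):
            findings.append(Finding(user, "account_still_enabled",
                                    f"terminated {term_date.isoformat()}"))
    # 2. Access events dated after the user's termination date. This catches
    #    use that survives account disablement (shared or cached credentials).
    for ts, user, resource in parse_access_log(log_text):
        term_date = terminated.get(user)
        if term_date is not None and ts.date() > term_date:
            findings.append(Finding(user, "access_after_termination",
                                    f"{ts.isoformat()} {resource}"))
    return sorted(findings, key=lambda f: (f.user, f.kind, f.detail))


if __name__ == "__main__":
    for f in find_orphaned_access(HR_ROSTER, ACCOUNT_DIRECTORY, ACCESS_LOG):
        print(f"{f.user}: {f.kind} ({f.detail})")
```

On the sample data this reports two findings for bob (account still enabled, and a file access two days after departure) and one for dave, whose account was disabled on time yet still appears in the log afterwards; the second check is the one that turns a stale account into evidence of an actual breach rather than just a hygiene gap.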

Data privacy

Most such incidents publicized in the media involve private information on individuals, i.e. social security numbers, etc. Loss of corporate information such as trade secrets, sensitive corporate information, details of contracts, etc. or of government information is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.

Consequences

Although such incidents pose the risk of identity theft or other serious consequences, in most cases there is no lasting damage; either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the hardware stolen, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate damages by providing to the victims a subscription to a credit reporting agency, for instance.

2011

  • In April 2011, Sony experienced a data breach within their PlayStation Network. It is estimated that the information of 100 million users was compromised.

2009

  • In December 2009 a RockYou! password database was breached containing 32 million user names and plaintext passwords, further compromising the use of weak passwords for any purpose.
  • In January 2009 Heartland Payment Systems announced that it had been "the victim of a security breach within its processing system", possibly part of a "global cyber fraud operation". The intrusion has been called the largest criminal breach of card data ever, with estimates of up to 100 million cards from more than 650 financial services companies compromised.

2008

  • In January 2008, GE Money, a division of General Electric, discloses that a magnetic tape containing 150,000 social security numbers and in-store credit card information from 650,000 retail customers is known to be missing from an Iron Mountain Incorporated storage facility. J.C. Penney is among 230 retailers affected.
  • Horizon Blue Cross and Blue Shield of New Jersey, January, 300,000 members
  • Lifeblood, February, 321,000 blood donors
  • British National Party membership list leak

2007

  • The 2007 loss of Ohio and Connecticut state data by Accenture
  • TJ Maxx, data for 45 million credit and debit accounts
  • 2007 UK child benefit data scandal
  • CGI Group, August, 283,000 retirees from New York City
  • The Gap, September, 800,000 job applicants
  • Memorial Blood Center, December, 268,000 blood donors
  • Davidson County Election Commission, December, 337,000 voters

2006

  • AOL search data scandal (sometimes referred to as a "Data Valdez", due to its size)
  • Department of Veterans Affairs, May, 28,600,000 veterans, reserves, and active duty military personnel
  • Ernst & Young, May, 234,000 customers of Hotels.com (after a similar loss of data on 38,000 employees of Ernst & Young clients in February)
  • Boeing, December, 382,000 employees (after similar losses of data on 3,600 employees in April and 161,000 employees in November, 2005)

External links

  • "Most Recent Data Breaches", TeamSHATTER, updated regularly
  • "A Chronology of Data Breaches", Privacy Rights Clearinghouse, updated twice a week
  • "Identity Theft Resource Center - Data Breaches", updated weekly with statistical analyses
  • "Data Loss Database", Open Security Foundation's research project documenting data loss incidents worldwide.
  • "Office of Inadequate Security", breach incidents reported in the media and from primary sources, worldwide.
  • "Personal Health Information Privacy", breach incidents from the health care sector, worldwide.
  • "Notices of Security Breaches", New Hampshire Department of Justice
  • "Maryland Notice of Information Security Breaches", Maryland Attorney General's Office
  • "Breaches Affecting 500 or More Individuals", breaches reported to the United States Department of Health and Human Services by HIPAA-covered (Health Insurance Portability and Accountability Act) entities.
  • "Information That Matter", a data breach responsible disclosure project associated with OWASP Singapore.
  • "The Breach Blog", data breach commentary and analysis.
  • "SC Magazine Data Breach Blog", the SC Magazine Data Breach Blog.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 