I gathered some notable data breaches in preparation for my presentation on the Massachusetts Data Privacy Law as part of my webinar on Wednesday: Preparing for the strictest privacy law in the nation: MA Privacy Law 201 CMR 17. If you wondered why there are so many state laws on data breaches, just take a look at some of these embarrassing data breaches.
Royal Navy
Imagine losing information on everyone who had applied to join the armed forces including passport numbers, medical histories, and bank details. Of course, it was not encrypted. It was just sitting in a laptop in the back of a car. That’s what happened Jan. 9, 2008, in Birmingham, U.K., when a Royal Navy Officer left the laptop in his car and it was promptly stolen.
BBC: Police probe theft of MoD laptop
UK’s Child Benefits Records
Her Majesty’s Revenue and Customs sent discs containing the entire child benefit database unregistered and unencrypted to the National Audit Office. There was no evidence that the discs fell into the wrong hands, but millions of families were told to be on alert for attempts to fraudulently use their details, which include addresses, bank account and National Insurance numbers, as well as children’s names and dates of birth.
BBC: Discs ‘worth £1.5bn’ to criminals
Veterans Affairs
The computer and hard drive were stolen from the home of an employee of the Department of Veterans Affairs. It contained details on no less than 26.5 million veterans. The laptop was stolen May 3rd and turned up two months later on the black market only four miles away. The purchaser bought both the laptop and the hard drive off the back of a truck.
New York Times: V.A. Laptop Is Recovered, Its Data Intact
TJX
The retailer had over 45 million customer records compromised. The current theory is that the thieves sat in the company parking lot and tapped into an unsecured wireless router.
Boston Globe: TJX faces scrutiny by FTC
Ameriprise
Lists containing the personal information of about 230,000 customers and advisers were compromised after a company laptop was stolen from an employee’s parked car. The laptop contained a list of reassigned customer accounts that were unencrypted.
New York Times: Ameriprise Says Stolen Laptop Had Data on 230,000 People
Verisign
Digital certificate issuing company VeriSign suffered a data breach when an employee’s laptop was stolen from their car last month. The laptop contained names, social security numbers, dates of birth, salary details, phone numbers and addresses of VeriSign employees.
The Gap
A laptop containing unencrypted personal information for 800,000 people who applied for jobs with clothing retailer Gap Inc. was stolen. The laptop was stolen from the offices of a third-party vendor the Gap hired to manage applicant data.
The Register: Data for 800,000 job applicants stolen
Boston Globe
Instead of reporting on data breaches, the Boston Globe and The Worcester Telegram & Gazette suffered their own credit card breach. The credit card information for as many as 240,000 subscribers might have been inadvertently released.
The New York Times: Credit Data Breach at Two Newspapers
Hannaford Supermarkets
Unauthorized software that was secretly installed on servers in Hannaford Bros. Co.’s supermarkets enabled a massive data breach that compromised up to 4.2 million credit and debit cards.
Forbes: Malware cited in supermarket data breach
IBM
A vendor lost tapes containing sensitive information on IBM employees. The tapes contained sensitive information including dates of birth, Social Security numbers, and addresses. Some of the tapes were not encrypted.
InfoWorld: IBM contractor loses employee data
Any others that you think should be on this list? Join the webinar and let us know.
Image is by d70focus: Credit Card Theft http://www.flickr.com/photos/23905174@N00/ / CC BY 2.0
Let’s not forget the “what were they thinking” paper breaches with boxes of government documents left next to dumpsters waiting to be picked up, in an open parking lot.
Is TJX still the biggest credit card breach at 100 million? I read this article in Computer World that Heartland may have displaced that title:
http://www.computerworld.com/s/article/9126379/Heartland_data_breach_could_be_bigger_than_TJX_s?taxonomyId=17&intsrc=it_bloglines&taxonomyName=security
I have not been tracking by size. There are too many. I think Heartland is currently the largest.
Some of these are older (the Verisign laptop thing was in 2007, not last month) but this is a better roundup than a few others I’ve seen this week. I totally forgot about the Gap one…and my cousin was actually victimized in the TJX hit (with those numbers I’m guessing a lot of cousins probably were).
Also, don’t forget about the HP/Symantec laptop thefts, or the FAA breach:
http://www.computerworld.com/s/article/9127707/FAA_says_info_on_45_000_workers_stolen_in_data_breach?intsrc=hm_list
I was also reading about the Network Solutions credit card data loss earlier this week.
http://www.internetretailer.com/dailyNews.asp?id=31264