From stolen devices and phishing attacks to buggy apps and human blunders, 2009 was another banner year for data breaches. According to the Privacy Rights Clearinghouse, more than 345 million records containing sensitive data have been involved in incidents within the United States since January 2005. Last year alone, a single breach compromised 130 million records. In the hope of doing better this year, let's recount some of the worst data breaches reported in 2009.
10) Los Alamos National Labs (LANL)
This facility makes our list due to its history and sensitivity rather than the (unspecified) size of its February 2009 breach. This nuclear research complex continues to make headlines—this time by reporting that nearly 70 computers had gone missing from the labs, including at least 13 PCs verified lost or stolen, and one BlackBerry left in an undisclosed “sensitive” country. Although this incident did not expose classified data, LANL’s apparently lax asset management practices could pose a national security concern.
9) Virginia Department of Health Professions (DHP)
This agency, responsible for licensing health care professionals and enforcing standards of practice, reported that its database of prescription drug records for 530,000 patients was hacked in April 2009. The thief posted a ransom message on DHP's Website, attempting to extort $10M for the safe return of the stolen data. Fortunately, his claim to have destroyed both the live database and its backups proved false; DHP restored online services by recovering data from verified backups. Nonetheless, more than half a million Social Security numbers and 35 million prescription records may have been exposed.
8) Network Solutions
In July 2009, this domain name registrar and Web hosting provider reported a breach affecting more than 573,000 debit and credit card accounts. Attackers had broken into a Network Solutions server in March and planted malware able to intercept every transaction processed by more than four thousand hosted e-commerce merchants over roughly three months. According to news reports, the firm had passed its PCI DSS compliance audit in October 2008; PCI DSS is the standard designed precisely to protect cardholder data from breaches like this one, but passing a point-in-time audit is no guarantee that the controls still hold months later.
Read the rest at eSecurityPlanet.