Sunday, December 27, 2009

Strange that only two cases made the top 10 this year.

http://www.databreaches.net/?p=7691

Top 10 Worst Data Losses or Breaches, updated

December 26, 2009 by admin Filed under Breach Incidents, Of Note

It’s been a while since I last revised my list of the largest breaches or data loss incidents worldwide, and the end of the year seems like a good time to look back at what may have been the worst incidents ever in terms of numbers.

Remember when the stolen V.A. laptop made headlines in May 2006 as the biggest breach ever? Now they’re down at #7 on my list.


| Rank | # of Records or People | Entity | Date of Incident or Report | Type of Incident |
|------|------------------------|--------|----------------------------|------------------|
| 1 | 130,000,000 | Heartland Payment Systems | 2009-01-20 | Hack, Malware |
| 2 | 94,000,000 | TJX, Inc. | 2007-01-17 | Hack, Malware |
| 3 | 90,000,000 [1] | TRW/Sears Roebuck | 1984-06-22 | Hack |
| 4 | 70,000,000 [2] | National Archives and Records Administration | 2009-10-01 | Disposal |
| 5 | 40,000,000 | CardSystems Solutions | 2005-06-17 | Hack |
| 6 | 30,000,000 [3] | Deutsche Telekom | 2008-11-01 | Exposure |
| 7 | 26,500,000 | U.S. Department of Veterans Affairs | 2006-05-22 | Stolen Laptop |
| 8 | 25,000,000 | HM Revenue and Customs / TNT | 2007-10-18 | Lost Tapes |
| 9 | 18,000,000 [4] | Auction.co.kr | 2008-02-17 | Hack |
| 9 | 18,000,000 [5] | National Personnel Records Center | 1973-07-12 | Fire |
| 10 | 17,000,000 | Countrywide Financial | 2008-08-01 | Insider |
| 10 | 17,000,000 | T-Mobile | 2008-10-06 | Lost or Stolen Disk |

Notes:

[1] TRW’s database held credit information on 90,000,000 and was being accessed for over a year before the company became aware of the problem. The number of records actually accessed is unknown.

[2] NARA does not consider this a breach (.doc)

[3] The number of records actually accessed is unknown.

[4] Auction.co.kr said their number is 10.8 million and not 18 million as reported by other sources.

[5] This incident, involving the loss of paper records in a fire, affected many veterans who were unable to establish their right to receive benefits. Fifteen years later, duplicates of some of the records were located elsewhere and some veterans were first able to get benefits. I’m including it on my list because NPRC was warned about fire concerns during the building’s design and planning stages, but did not implement sufficient precautions to protect the data.

Notice what incidents the list doesn’t include. It doesn’t include:

  • A Taiwanese hacking ring that affected over 50,000,000 people by hacks involving a number of organizations or databases,

  • The recent RockYou.com hack where a hacker gained access to login details including 32,603,388 passwords in plain text, and

  • An AOL incident where names and email addresses of 30,000,000 customers were stolen and sold for spamming purposes.

Have I missed any really large data loss incidents or breaches involving personal information that should have made the Top 10 list, or did I include something that you think shouldn’t be included? If so, let me know.


(Related)

http://www.pogowasright.org/?p=6614

Ca: Information and Privacy Cases of the Year

December 26, 2009 by Dissent Filed under Court, Non-U.S.

Dan Michaluk writes:

I’ve always loved year-end lists. Here’s a Canada-centric top ten “information management and privacy cases” list for 2009. Endorsement and criticism invited!

#1 Grant v. Torstar. The Supreme Court of Canada recognizes a new defamation defence – the “responsible communication on matters of public interest” defence. Truly novel and highly relevant. Is the dialog on the kind of information that must flow in the name of the public interest also a building block for the privacy tort? From just days ago.

#2 R. v. McNeil. This unanimous Supreme Court of Canada judgement broadens the scope of the Crown’s duty of disclosure to an accused person and facilitates an accused person’s right to third-party production. Significant changes to critical criminal procedure doctrine. From January.

Read more on Slaw.


(Related) Another list to keep close.

http://www.pogowasright.org/?p=6605

Resolve to Be A Privacy Advocate in 2010

December 26, 2009 by Dissent Filed under Other

From the good folks over at the Privacy Rights Clearinghouse:

We at the Privacy Rights Clearinghouse wish you a happy, prosperous and private new year. For 2010, resolve to be a privacy advocate. Use our 10 tips below to minimize your risk of identity theft, protect your personal information and assert your rights to privacy.

1. Be assertive in guarding your privacy when you are asked to provide sensitive information that you do not feel is necessary. If someone (including healthcare providers, government agencies and employers) asks for your personal information, ask these 5 questions:

A) Is providing my information required or voluntary? (Provide only the minimum information necessary.)

B) Why do you need this information and how will it be used?

C) Do you have a written policy regarding the request for information?

D) Who will have access to my information and how will it be protected from unauthorized access? (Remember to ask about third parties!)

E) If, when and how will the records be discarded when they are no longer needed?

If you are not satisfied with how your information is handled or the answers that you receive, take your business elsewhere. If you are concerned about a government agency’s use of your personal information, contact your city council-member, state legislator or Congressperson to voice your concern.

2. Guard your mail. Your mailbox often may contain letters which if lost or stolen can result in identity theft. Try to pick up your mail as soon as possible after delivery. If this is not possible, purchase a locking mailbox. Open all your mail including envelopes that include only a P.O. Box as a return address. Credit card companies that send you replacement cards or convenience checks may try to disguise the mailing by including only a limited return address. For additional tips on how to avoid identity theft, read our guide “Coping with Identity Theft: Reducing the Risk of Fraud” at www.privacyrights.org/fs/fs17-it.htm.

3. Check your credit reports. You are entitled to a free report from each of the three national credit bureaus once every 12 months. For more information, see the Federal Trade Commission’s Facts for Consumers at www.ftc.gov/freereports. PRC's guide to credit reporting is another source of useful information at www.privacyrights.org/fs/fs6-crdt.htm.

4. Find out what’s in your consumer specialty reports. You have the right to free copies of numerous so-called specialty consumer reports which report on such matters as your medical conditions, insurance claims, check writing history, rental history, and employment history. You can find out more by reading our guide to specialty reports at www.privacyrights.org/fs/fs6b-SpecReports.htm.

5. Check your Social Security Earnings Statement for any signs of fraud. You should receive one from the Social Security Administration every year about 3 months before your birthday. Look for earnings that exceed the amount you earned. It could be a sign that someone is using your SSN for employment. Also make sure that your employer has correctly reported your earnings. If you did not receive an earnings statement in 2009, contact the Social Security Administration to request one. You may do this online at www.ssa.gov/online/ssa-7004.html.

6. Avoid using debit or check cards. Credit cards provide better consumer protections, and help protect your bank account from fraudulent activity. Ask your bank to replace your debit card with an ATM card. Our guide “Paper or Plastic: What’s the Best Way to Pay?” explains the advantages and disadvantages of paying by debit card (check card) and credit card. Read it at www.privacyrights.org/fs/fs32-paperplastic.htm.

7. Shred any unnecessary documents that contain personal information. Always use a cross-cut, diamond or confetti shredder. Never use a strip shredder. It’s too easy for a crook to piece the strips together. Before you shred anything that you might need, double check with your accountant, attorney, or tax preparer. For a guide to tax recordkeeping, see IRS Publication 552, Recordkeeping for Individuals at www.irs.gov/pub/irs-pdf/p552.pdf or call 1-800-TAX-FORM (800-829-3676) to obtain a free paper copy.

8. Sign up for the National Do-Not-Call List to limit unwanted telephone solicitations. (888) 382-1222 or www.donotcall.gov. Read our guide at www.privacyrights.org/fs/fs5-tmkt.htm#part1.

9. Stop pre-approved credit and insurance offers in the mail. Call (888) 5-OPT-OUT / (888) 567-8688, or opt out online at www.optoutprescreen.com. You can choose to opt out of credit offers for 5 years by phone through the website. Or you can opt out permanently by mailing the Permanent Opt-Out form, available on the website.

10. Understand the benefits and risks of social networking. When you post information or pictures on a social networking site, understand who might see it without your permission. Ask yourself “Would I give this information to a stranger over the phone?” If the answer is “no,” think twice about posting it online. Read website privacy policies to find out how your information may be shared. For security tips on social networking read http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/security_guide_to_social_networks.pdf

For more tips on preserving your privacy and protecting your identity in 2010 please read our guides:

– PRC Fact Sheet 1, Privacy Survival Guide, www.privacyrights.org/fs/fs1-surv.htm

– PRC Fact Sheet 1(a), Privacy Basics and Opt-Out Strategies, www.privacyrights.org/fs/fs1a-basics.htm



Knee-jerk regulation? Sure sounds like the commenters don't like it (and I suspect it won't last.)

http://tech.slashdot.org/story/09/12/27/0635254/TSA-Wants-You-To-Keep-Your-Seat-and-Your-Hands-In-Sight?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

TSA Wants You To Keep Your Seat, and Your Hands In Sight

Posted by timothy on Sunday December 27, @02:30AM from the ex-post-facto dept.

An anonymous reader excerpts from an AP story as carried by Yahoo News about changes stemming from yesterday's foiled bombing attempt of a Northwest Airlines flight:

"Some airlines were telling passengers on Saturday that new government security regulations prohibit them from leaving their seats beginning an hour before landing. The regulations are a response to a suspected terrorism incident on Christmas Day. Air Canada said in a statement that new rules imposed by the Transportation Security Administration limit on-board activities by passengers and crew in US airspace. ... Flight attendants on some domestic flights are informing passengers of similar rules. Passengers on a flight from New York to Tampa Saturday morning were also told they must remain in their seats and couldn't have items in their laps, including laptops and pillows."

The TSA's list of prohibited items doesn't seem to have changed in the last day, though.


(Related) Or perhaps Rupert Murdoch has been lobbying again.

http://www.techcrunch.com/2009/12/26/airplane-electronics-ban/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

TSA To Save Print Media? No Electronics On International Flights? What A Joke.

by MG Siegler on December 26, 2009
