10 Biggest Security Breaches Of 2011

Hacker Heists

In 2011, hackers caused mayhem at banks, online gaming networks, universities and healthcare insurers, stealing the personal data of millions of customers. Sometimes the hacks were politically motivated. More often, cybercriminals were after data that could be used in phishing and identity scams or credit-card fraud.

Armed with viruses, Trojans and worms, hackers penetrated the defenses of Citigroup and brought down Sony's PlayStation Network. And while money remained the number one motive, ideology drove extremists to raise havoc with San Francisco's subway system.

The Ponemon Institute calculates the average time for a corporation to restore its reputation following a headline-grabbing security breach is one year, with the loss to the value of its brand ranging from $184 million to $330 million. So lockdown those computers and keep a close eye on network traffic, as hackers are unlikely to be less determined in 2012.

10. Anonymous Retaliates

In August, the Internet activist group Anonymous attacked the web site of San Francisco's subway system, spilling on the web the contact information of hundreds of the site's users.

The hack drew national attention because Anonymous was retaliating against BART shutting down cell phone service during protest against police shootings. Critics accused the agency of violating free speech, while BART officials claimed it was necessary to prevent protesters from communicating police locations. The data stolen from the BART database included names, addresses, phone numbers and e-mail accounts. Anonymous also inserted its own logo on the agency's web site. BART officials said the web site was separate from the computer systems that run the subway. Those systems were not affected.

9. Health Net's Disappearing Medical Records

In May, Health Net reported a security breach that compromised the personal information of more than 2.7 million current and past policy holders. The problem was reported two months after IBM, which manages the insurer's IT systems, told the company nine server drivers were missing from its data center.

At the time, the medical information breach was the third largest in the Privacy Rights Clearinghouse database, which tracks breaches across the nation. The incident was the second time since May 2009 the Woodland Hills, Calif.-based company could not account for customer medical and financial information. In the prior case, a portable disk drive with medical and financial data on 1.5 million customers went missing.

8. University Of Wisconsin Catches A Virus

The University of Wisconsin, Milwaukee, reported in August that a computer virus may have exposed the names and social security numbers of 75,000 students and staff. The university's IT staff discovered the malware in May. University officials said the virus was most likely planted in an attempt to steal research documents, not personal information that could be used in identity scams. The infected server ran software for managing confidential information for several departments. The system was shut down immediately after the discovery and local and federal police were called. The university says it has put additional security measures in place as a result of the hack.

7. Massachusetts Jobless Get Additional Worries

As if being unemployed wasn't bad enough, up to 210,000 Massachusetts jobless also had to contend with having their personal data exposed. The state's Executive Office of Labor and Workforce Development reported in May that a virus had been discovered in the department's computers, exposing names, addresses and social security numbers to thieves. State officials acknowledged that although the virus was discovered shortly after it entered the department's computer systems, engineers failed to completely eradicate the malware. The data breach also affected about 1,200 Massachusetts employers who filed quarterly reports using the agency's computers. The virus infected 1,500 computers in the agency's unemployment office.

6. Hackers Take The Fun Out Of Vacationland

In September, Vacationland Vendors, a Wisconsin Dells, Wis.-based supplier of arcade equipment and vending machines, reported that a hacker stole credit and debit card numbers from card-processing systems. The Privacy Rights Clearinghouse said 40,000 people were affected by the break-in. Vacationland said the hacker had gained access to credit and debit card transactions from Dec. 12, 2008, to May 25, 2011, at Wilderness Resorts in Wisconsin and Tennessee. The intrusion occurred through Vacationland's point-of-sale systems.

The theft was not an inside job, according to Vacationland, which hired an outside consultant to help prevent future hacks. Vacationland apologized for the security breach and advised people affected by the hack to notify card issuers and call a major credit agency, such as Equifax, Experian or TransUnion, to have a fraud alert placed on their files.

5. Subscribers Of Newsletter Publisher Kiplinger Make Headlines

In July, Kiplinger Washington Editors reported that a hacker had stolen the user names, passwords and encrypted credit card numbers of as many as 142,000 subscribers of the publishers various newsletters, including the Kiplinger Letter. The company acknowledged a two-week delay in notifying customers, saying that it took that long to determine the extent of the damage. The Washington, D.C.-based company said at the time that it wasn't sure whether other data was stolen. While the credit-card numbers were encrypted, Kiplinger said the protection wasn't foolproof and recommended subscribers request new cards. The company believed the risk of identity theft was small because of the type of data available to the criminal.

4. Sega Not All Fun And Games

In June, a cyber-attack that compromised the personal information of 1.3 million subscribers of Sega's online gaming network forced the Japanese video-game maker to shut down the service. Thieves stole names, birth dates, e-mail addresses and encrypted passwords before the intrusion was detected. No credit card numbers or other payment data were stolen, according to Sega. The company said it was "deeply sorry" for failing to prevent the breach of its Sega Pass network and promised to strengthen security. Because video-game companies hold a large amount of financial and personal data from customers, they have become a prime target for hackers, experts say.

3. Hacker Make Withdrawal At Citigroup

Citigroup was one of several high-profile companies that failed to turn back a cyber-attack in 2011. The bank reported in June that 1 percent, or 210,000, of its 21 million card holders had their personal data compromised by hackers. The stolen information included names, account numbers and e-mail addresses.

The banks said other identifying information, such as birth dates and social security numbers, was untouched. While the data stolen was limited, security experts said it was enough to be used in phishing attacks and other social-engineering schemes. Citigroup did not release details on how the breach occurred. The attack brought increased scrutiny from the FDIC and other federal regulators who were considering a systemic overhaul of the banking industry's security and data protection systems.

2. Fidelity National Learns $13 Million Lesson

In May, Fidelity National Information Services reported that profits had taken a hit from a $13 million loss due to "unauthorized activities." While the prepaid debit card processor provided few details, media reports said a group of criminals had hacked the company's network and gained access to its central database where card balances are kept.

The criminals then obtained 22 legitimate prepaid cards, and made copies that were shipped to conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom. Having penetrated Jacksonville, Fla.-based, Fidelity's systems, the crooks were able to increase the balances of the cards, making it possible for their partners to withdraw cash from dozens of ATMs during a 24-hour period. No arrests have been made in the sophisticated heist.

1. Sony Number One -- Again

Sony had the dishonor this year of topping CRN's list of Biggest Security Stories Of 2011, as well as the list of top security breaches. In April, a massive cyber-attack on the entertainment Sony's PlayStation Network and Qriocity services led to the compromise of 77 million user accounts. In hacking the Japanese company's database, thieves made off with scads of personally identifying user information, including date of birth, e-mail and home addresses and login credentials.

While credit-card data appeared to be safe at first, the company later acknowledged that 12 million credit card numbers were unencrypted and could easily be read. After restoring the services, Sony had to take down the PlayStation Network in May, because of a snafu in the password reset system that hackers had started to exploit. Sony expected the breach to lower operating profit by $178 million. Dozens of class-action lawsuits were filed against the company.