The Error Of Your Ways: Top 10 Data Breaches Of 2014

Data Breaches Tell Only Part Of The Story

Many of the high-profile data breaches of 2014 are associated with the loss, exposure or theft of personally identifiable information. Businesses rarely report breaches involving intellectual property, but they happen frequently, say computer forensics experts involved in investigating incidents. The Verizon Data Breach Investigations Report, released last month, analyzed more than 1,300 data breaches in 2013 and 63,400 security incidents. It found basic lapses at the heart of many of them -- including employee mistakes, the use of weak and default passwords, system configuration issues and inadequate system monitoring. The trend is continuing in 2014. CRN pulled together 10 of the top data breaches of the year so far that shed light on the security best practices that could reduce risk.

10. North Carolina Computer Mailing Error Impacts Thousands

The North Carolina Department of Health and Human Services blamed a computer programming error for the mailing out of more than 48,000 Medicaid cards for children to the wrong addresses. In a statement issued in January, the agency said software was developed to extract information from an eligibility database to generate the mailing, but it identified the incorrect name and address to mail the cards. The incorrect card shows the child's name, Medicaid identification number, date of birth and primary care physician's name and physician's address, the agency said.

9. AOL Mail, Yahoo Mail Breaches Highlight Phishing Threat

Attacks targeting Yahoo and AOL webmail impacted tens of thousands of users. Yahoo took measures to contain a coordinated attack against its webmail account holders in January, saying that attackers used a list of user names and passwords compromised from a third-party database. The company reset passwords on impacted accounts. AOL, meanwhile, acknowledged a breach of its systems Monday that it said enabled attackers to hijack the AOL Mail accounts of hundreds of thousands of users of its service. In both attacks the criminals used the names and email addresses from the affected accounts to send spoofed emails to support spam and phishing campaigns.

8. Healthcare System Hack Nets 405,000 Patient Files

Bryan, Texas-based health-care provider St. Joseph Health Systems said a server containing information on 405,000 former and current patients, employees and some employees’ beneficiaries was accessed in an attack against its computer network. The organization said in a notice on its website in February that personally identifiable information, including Social Security numbers and patient medical information, could have been accessed in the attack. The security incident took place between Dec. 16 and Dec. 18, when the attack was detected and the server was taken offline, the organization said. A similar breach revealed in April by Tulsa, Okla.-based health-care provider Patient Care Services at Saint Francis exposed the data on 84,000 patients.

7. Computer Theft Prompts LA-Area Medical Breach

A break-in at a Los Angeles area medical billing and collections firm resulted in a data breach affecting 338,700 California residents. Sutherland Healthcare Solutions said the computers at one of its offices contained names, Social Security numbers and billing information. Birth dates, addresses and medical diagnosis also may have been included, city officials told the Los Angeles Times in April. The newspaper said the firm is offering a $25,000 reward for information leading to the return of the stolen equipment or the arrest and conviction of those responsible. Dell SecureWorks issued a report last year highlighting the value of stolen medical data for use by identity thieves.

6. Coca-Cola Company Breach And Proper Device Disposal

Security experts said a lapse in device destruction policy enforcement is at the heart of a January laptop data breach at the Coca-Cola Company. The incident, which involved the theft of laptops that were due to be properly disposed, was first reported by The Wall Street Journal. The laptops were not encrypted and contained the names, Social Security numbers and addresses of individuals and included other details, such as driver's license numbers, compensation and ethnicity. Coca-Cola said the laptops were recovered from a former employee who had been assigned to properly dispose of the laptops.

5. Variable Annuity Life Insurance Company

A former financial adviser at Variable Annuity Life Insurance Company allegedly stole a thumb drive containing data on more than 774,000 people that participate in the firm's insurance programs. The Amarillo, Texas-based subsidiary of American International Group said the information included customer names and full or partial Social Security numbers. The breach was first reported in October, but the firm sent an update in February to state Attorneys General about the status of the security incident. The company said it needed time to cull through the data stored on the drive to accurately notify impacted customers. Breach notifications were sent out in April and indicated that the employee had left the insurance company in 2007. The firm didn't indicate how it was alerted to the stolen drive.

4. Deltek Breach Highlights Defense Industry Threat

In a breach that experts said highlights a sustained cyberespionage campaign against U.S. defense contractors, Herndon, Va.-based enterprise software maker Deltek said the account credentials of 80,000 employees of federal contractors were stolen in a breach of its Web application. As many as 25,000 credit and debit cards may have been exposed in the security incident, Deltek said. The breach was discovered in March, months after the attack took place, according to an email to vendors obtained by Federal News Radio. Deltek confirmed the breach, indicating that the attack was against its GovWin IQ Web application, which is designed to track federal, state and local contracting opportunities. Deltek said it fixed the vulnerability targeted in the attack and bolstered its user name and password processes.

3. 2014 University Breaches Pile Up

CRN has pulled together five high-profile university data breaches that have resulted of the theft or loss of information on nearly 900,000 people in 2014. A breach at the University of Maryland compromised more than 300,000 student, faculty and staff records. The university's student ID database was accessed, and it contained data on every student that had received an ID since 1998. The North Dakota University System, meanwhile, said it detected suspicious activity on a database server containing more than 291,000 current and former students and about 780 faculty and staff. The attacker used an existing login account to access the server, but the incident was contained before data was removed. At Indiana University, a breach impacted more than 146,000 students and recent graduates after data was improperly stored in a server exposed to the Internet. It was accessed by automated webcrawlers. In addition, breaches at Iowa State University and the University of Pittsburgh Medical Center exposed the information on tens of thousands of people.

2. Retail Breaches Impact Millions

A number of high-profile retail breaches rattled the security landscape at the end of 2013 and into this year.

Retail giant Target, which revealed a data breach at the end of 2013, recently hired a new CIO and is the first major U.S. retailer to unveil the adoption of chip-and-pin technology to bolster the security of its systems. Texas-based liquor store chain Spec's, for its part, said more than 550,000 credit and debit cards at 34 of its locations were stolen in an attack against its systems through March 2014. Neiman Marcus said attackers bilked 350,000 credit and debit cards.

Meanwhile, Michaels Stores said on April 17 that attackers had infiltrated its point-of-sale systems and stole 2.6 million credit and debit cards. Art and framing retailer Aaron Brothers, a subsidiary of Michaels Stores, said its breach involved 400,000 credit and debit cards and acknowledged that some cards were used to make fraudulent transactions.

1. Veterans Of Foreign Wars Breach Tied To APT Attacks

In one of the clearest examples of nation-state-sponsored cyberespionage activity, a targeted attack against the website of the U.S. Veterans of Foreign Wars in March resulted in the inadvertent exposure of names, addresses and Social Security numbers of 55,000 veterans. The attackers infiltrated the underlying Web server containing the data to support an attack campaign against veterans visiting the site, according to the breach notification letter issued by the VFW. The ultimate goal of the attack was to gain access to military plans or contracts and not the personally identifiable information, the organization said. The cybercriminal group suspected of carrying out the attack targeted an Internet Explorer zero-day vulnerability against visitors. The organized attack is believed to have come from a China-based group with ties to the attackers responsible for the data security breach at whitelisting and endpoint security firm Bit9 last year.