E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: Storage & Destruction Business Magazine

Posted on December 31, 2011

The Privacy Rights Clearinghouse, San Diego, has tracked 535 breaches involving 30.4 million sensitive records as of mid-December of 2011. This brings the total reported records breached in the United States since 2005 to 543 million, the organization says.

"This is a conservative number," says Privacy Rights Clearinghouse Director Beth Givens. "We generally learn about breaches that garner media attention. Unfortunately, many do not. And, because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about. Our chronology is only a sampling."

Privacy Rights Clearinghouse has been tracking breaches since 2005 and publishes a Chronology of Data Breaches. The Chronology counts the number of records leaked that contain information useful to identity thieves, such as Social Security numbers, financial account numbers, drivers' license numbers and, in some states, medical information.

Data breaches of sensitive information, especially Social Security and credit card numbers, make consumers vulnerable to identity theft. According to a 2009 report by Javelin Research & Strategy, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter. But even breaches that contain data as seemingly innocuous as names and email addresses can be used by fraudsters to trick consumers into revealing information that can lead to identity theft.

According to the Privacy Rights Clearinghouse, the most significant data breaches in 2011 were:

• Sony PlayStation, April 27 - Sony discovered an external intrusion on PlayStation Network (PSN) and its Qriocity music service around April 19. On April 22, Sony blocked users from playing online games and accessing services like Netflix and Hulu Plus. The blockage lasted for seven days. Sony says it believes criminal hacker(s) obtained names, addresses, email addresses, dates of birth, PSN/Qriocity password and login and online IDs for multiple users. The attacker may also have stolen users' purchase history, billing address and password security questions. During the next several months, Sony discovered that the hackers gained access to 101.6 million records, including 12 million unencrypted credit card numbers.

• Epsilon, April 2 - Epsilon, an email service provider for companies, reported a breach that affected about 75 client companies. Email addresses and customer names were affected. Epsilon has not disclosed the names of the companies affected or the total number of names stolen. However, millions of customers received notices from companies, making this the largest security breach ever. Conservative estimates place the number of customer email addresses breached at 50 to 60 million. The number of customer emails exposed may have reached 250 million.

• Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF), Nov. 16 - A company-issued desktop computer was stolen from SMF's administrative offices in Sacramento, Calif., during the weekend of Oct. 15. Although the data was password protected, it was not encrypted. About 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan name exposed. An additional 934,000 SMF patients had dates of service and descriptions of medical diagnoses and procedures used for business operations exposed, bringing the total to 4.2 million patients. At least two lawsuits have been filed against Sutter Health. One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data, and then did not notify the millions of patients whose data went missing within the time required by state law.

• Texas Comptroller's Office, April 11 - Information from three Texas agencies was discovered to be accessible on a public server. Sometime between January and May of 2010, unencrypted data was transferred from the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas. It ended up on a state-controlled public server as early as April 2010 and was not discovered until March 31, 2011. Sensitive information such as names, Social Security numbers, addresses, dates of birth and drivers' license numbers could have been exposed.

A spokesperson from the Texas Comptroller's Office claims that the breach occurred because numerous procedures were not followed. Some employees were fired for their roles in the incident. Approximately 2 million of the 3.5 million individuals possibly affected were unemployment insurance claimants who may have had their names, Social Security numbers and mailing addresses exposed. The birth dates and drivers' license numbers of some people also were exposed. Two class action lawsuits have been filed on behalf of the 3.5 million Texans affected by the breach. One lawsuit seeks a $1,000 statutory penalty for each individual.

• Health Net, March 15 - Nine data servers containing sensitive health information went missing from Health Net's data center in Rancho Cordova, Calif. The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information.

Not only was Health Net the first massive medical breach of the year, but the company waited three months before notifying affected individuals. The servers were discovered missing in January, but policyholders were not notified until March.

• Tricare Management Activity, Science Applications International Corp. (SAIC), Sept. 30 - The theft of backup tapes from a car resulted in the exposure of protected health information from patients of military hospitals and clinics. Uniformed service members, retirees and their families were affected. Patient data from the military health system dating from 1992 to September 2011 could have been compromised. It included Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions and other medical information. Four people have filed a $4.9 billion lawsuit over the improper disclosure of active and retired military personnel and family data. The lawsuit would give $1,000 to each of the affected individuals. SAIC reported that 5,117,799 people were affected by the breach.

These breaches highlight some important lessons, among them: The need for strict privacy and security policies; the importance of data retention policies; and the need for data encryption. Most data breach notification laws have exceptions for encrypted data because stolen data is generally unreadable if encrypted.


In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
