So far this year millions of user accounts have been compromised, and millions of dollars have been spent cleaning up the messes. Several other articles are already saying that 2011 is set to be the worst year ever for security breaches. Online security is certainly not keeping pace with the growth in the amount of data stored online, and the mounting number of breaches should alarm every security manager into implementing better practices.
The number of online breaches this year is too many to count. Yet a few major ones are worth mentioning:
- 10,000 credit cards at the St. George Bank in Australia
- 18,000 Bioware accounts
- 25,000 accounts at Square Enix
- Tens of thousands of accounts at Codemasters
- 100 million or more Sony accounts
- 114,000 accounts of iPad 3G owners
- 200,000 accounts or more at Bethesda Softworks
- 280,000 accounts at Honda
- 360,083 bank accounts at Citigroup
- 1.2 million accounts at the Texas Comptroller’s office
- 1.29 million Sega accounts
- 8.63 million patients’ information at the National Health Service Facility in London (UK’s largest employer)
- The email accounts of over 2,500 companies serviced by Epsilon
- 40 million or more RSA SecurID tokens issued by EMC to over 30,000 companies and government agencies, including half of US banks that use SecurID tokens
Attackers are taking everything from Social Security numbers and credit card numbers to email addresses and other personal information. Credit card numbers are not the only thing of value to attackers. Any bit of information about a person can be sold on the black market for significant amounts, because it can be used to construct false identities or to commit outright identity theft. One of the most significant threats resulting from the loss of personal information is spear phishing, which was the method of attack used against a number of Gmail accounts held by government officials and Chinese activists earlier this year: the more an attacker knows about a target, the more convincing the lure.
The Texas Comptroller's office has already lost $1.8 million cleaning up its security blunder. Hopefully, new legislation like the Data Security and Breach Notification Act, or possibly even an organization like the FDA for data centers to oversee IT "health inspections," will transform this chaotic state into one that is safe for users. Unless organizations, whether commercial, private, or governmental, take information security more seriously, there will be many more PR nightmares and significant financial losses spent cleaning up the mess. In the meantime, keep up with the latest security breaches on Yahoo Pipes, the Web Hacking Incident Database, or the DataLossDB.