As of this writing, there have been 4,175 data hacks and 663 million records breached since these incidents began getting recorded in 2005. The well-publicized data breaches involving Target, Michael’s, and most recently Barclay’s Bank taking place within a few months of each other may make a casual follower of these events believe this is a recent and somewhat sporadic phenomenon.
The truth is that there are data breaches every day, and as the recent emptying of Silk Road 2’s Bitcoin coffers has shown, even the black market isn’t safe. Most data breaches are too small to be noticed by the public, such as an HR email blast including sensitive data accidentally sent to the wrong employee. But, even in the cases with a much larger record breach, it happens so often these days that it’s rarely considered newsworthy unless millions of people are affected.
Our information has been insecure almost as long as there has been a popularized internet. One of the most troublesome issues surrounding data breaches is that in many cases (such as records being sold to spammers), there is no way to calculate how many people were affected by any particular event.
With an estimated rate of 9.9 million incidents (and that’s just what has been reported within the United States), becoming vigilant about one’s information is an unfortunate fact of life in the digital age. Even if the best minds in technology came up with a foolproof method for combating hacking, inside jobs, carelessness and lax security would, as this list demonstrates, still make guaranteed safety of personal information an impossible task in today’s world.
5 Greek Government – Data Records Breached: 9,000,000
It takes a lot of guts to steal the personal information of most of a country’s population, but one hacker did just that. The unnamed 35-year-old programmer was arrested in 2013, after police raided his home, on suspicion of stealing and attempting to sell nine million files containing identification card details, addresses, tax ID numbers and license plate numbers of Greek citizens.
As the most recent census puts Greece’s population at 11 million, this amounted to a data breach of over 80% of the country’s population.
While the hacker has been charged, there has been no further news on the status of his case (or on whether he had any inside help). The Greek government, however, was fined $200,000 by a privacy watchdog group and given two months to increase its security.
4 U.S. Department of Veterans Affairs – Data Records Breached: 26,500,000
You may have heard about the data breach that affected 70 million veterans back in 2009, which occurred when a hard drive holding sensitive record information was sent for repairs without being wiped, but it wasn’t the first time an oversight by a VA employee caused personal records to be exposed.
In May 2006, a VA employee in Maryland took home a work laptop that held the unencrypted records of 26.5 million veterans, and the laptop was then stolen from the employee’s home. These records held the names, Social Security numbers, dates of birth and disability ratings of both active-duty personnel and veterans.
Under questioning, the employee admitted that he had been taking the laptop containing this sensitive information home regularly for three years. Inexplicably, the theft was not reported to the FBI for nearly two weeks. Almost a week after that, the VA issued a statement about the theft; a delay which wound up costing them.
In 2009, the VA agreed to settle a class action lawsuit stemming from this incident and pay $20 million to any veteran who could prove he or she was harmed from this lax security, with any remaining funds going to veterans’ charities. The VA employee was fired.
3 CardSystems Solutions – Data Records Breached: 40,000,000+
One part corporate incompetence and one part hacking led to over 40 million credit cards, account codes and other user information being put at risk of theft or fraudulent use.
In 2005, Tucson-based CardSystems Solutions, which provided processing services to Visa, Mastercard, American Express and Discover, failed to see the importance of encrypting users’ personal information. CardSystems’ habit of retaining cardholders’ information resulted in a major security failure when an unidentified hacker carried out a Trojan attack, and getting at that information was almost too easy.
As the credit card companies were mum on any fraudulent transactions that may have occurred due to this breach, it is impossible to calculate the damages to those affected by the event.
Damages are a little easier to calculate for CardSystems, however. Because of its lax security measures and its disregard of record-keeping rules, Visa and American Express quickly dropped CardSystems Solutions. Less than six months later, CardSystems was acquired by the biometric payment company Pay By Touch. In 2008, Pay By Touch shut down without notice to its customers and was the subject of multiple lawsuits.
2 Evernote – Data Records Breached: 40,000,000
On March 2, 2013, Dave Engberg, Evernote’s CTO, posted on the company’s blog (and emailed the company’s 50 million users) that Evernote’s technical team had uncovered a breach in which users had their emails, usernames and passwords compromised.
While Evernote was able to spot and fix the breach before any payment information was stolen, they were not able to prevent users’ email addresses and usernames from being potentially sold and abused.
While the hackers were never identified, Bob Lord, Evernote’s information security director, asserted to the BBC that this was not the work of amateurs.
1 AOL – Data Records Breached: 92,000,000
One of the biggest data breaches in history took place nearly a decade ago. Jason Smathers, an ex-AOL software engineer, sold 92 million screen names and email addresses to 21-year-old Sean Dunaway, who then sent out up to seven billion spam gambling emails before selling the information to an herbal penile enlargement pill spammer.
Compared to what goes on these days, this incident seems pretty tame, but the judge threw the book at Smathers, declaring, “The Internet is not lawless.” Despite trying to offer a plea bargain, Smathers was sentenced to a year and a half in jail. He also had to pay $84,000.00 in restitution, or triple the amount he made selling the information. However, the judge stopped short of the Probation Department’s recommendation that Smathers be banned from the industry.
After his release from prison, Jason Smathers retired from IT and has since become a Baptist minister.