Top 10 Worst Privacy Breaches of 2007

By dissent, December 19, 2007 3:29 pm

CSO recently published its top 10 data breaches of 2007, which reminded me that it’s time for my second annual Top 10 Worst Privacy Breaches list. My system for picking the top 10 is fairly straightforward: I think about which U.S. incidents either risked or compromised the most people’s personal information or privacy. Then I think about which breaches or incidents just plain irritated me the most out of the more than 400 incidents I posted to news during the year. Then I decide. So here we go, with special mention to some also-rans….

10. Former security professional John Schiefer went over to the Dark Side and infected 250,000 systems. In the first federal prosecution of its kind, he pled guilty to using botnets for wiretapping, identity theft and defrauding banks.

9. Monster.com’s servers were hacked in August and 1.6 million web site users had some of their nonfinancial personal details stolen as part of a larger scheme to obtain their financial information. Almost 150,000 individuals who used the USAJobs.gov site were also affected. To add to the public relations nightmare, it was revealed that Monster.com knew about the breach well before it disclosed it to those whose data had been stolen. And as if that wouldn’t have guaranteed a spot on this list, Monster.com was back in the news last month when part of the site was hijacked and used to spread malware.

8. A number of states vied for the title of most records lost, stolen, or compromised due to bad luck or just stupidity. The Connecticut Department of Revenue Services reported that a laptop containing names and Social Security numbers for 106,000 people had been stolen from their office in Hartford. The California Public Employees’ Retirement System became a contender when it printed the names and Social Security numbers of 445,000 retirees on the outside of a mailing. A Pennsylvania Department of Welfare office had two computers stolen with medical histories on 375,000 people. Then, of course, there was the mess in Ohio where an intern left backup tapes in his car, with predictable results. That one affected over 1 million people in Ohio and two other states. But coming in at #8 on my list is Nevada, who cannot account for 470 unencrypted CDs containing personnel and payroll information that have been sent out over the past three years. Former Department of Information Technology security manager Jim Elste blew the whistle on the problem and claims he was fired for his efforts. The state claims he was fired, in part, for problems with “anger control.” Heck, why wasn’t everyone in DOIT angry over this?

7. It was a tough year for licensed professionals in a number of states. The Maryland Department of the Environment reported that a laptop containing four unencrypted databases on 10,000 individuals holding state licenses was stolen from a car. Massachusetts reported that its state regulators accidentally sent out 28 disks containing names, Social Security numbers and personal information on 450,000 licensed professionals in the state. The West Virginia Board of Barbers and Cosmetologists’ office was robbed and thieves made off with personal information of nearly every West Virginia barber and cosmetologist licensed since 1986, and the Arkansas Board of Psychology was exposing licensees’ Social Security numbers and personal information on the web, to name but some of the incidents. But coming in at #7 on my list is the Illinois Department of Financial and Professional Regulation, who had to notify roughly 300,000 banking and real-estate licensees and applicants that a computer server with their names, addresses, tax numbers and Social Security numbers was compromised by a hacker. It apparently took them from January, when the breach occurred, until the beginning of May to realize that they had been hacked.

6. In July, Fidelity National Information Services announced its subsidiary, Certegy Check Services, Inc., was victimized by a former employee who stole and sold consumer information to a data broker who in turn sold a subset of that data to a limited number of direct marketing organizations. As more details emerged, we discovered that 8.5 million people were affected and the problem was not confined to just getting more spam. As the year draws to a close, the former employee has pled guilty and Strategia Marketing is under investigation for telemarketing fraud using the data that they bought from the former employee — demonstrating once again that sometimes just name and e-mail address is enough to cause trouble.

5. Educational institutions (at all levels) continued to expose student information. For 2007 to date, the Identity Theft Resource Center shows 109 incidents involving 1,182,375 records. But the most egregious breach of student privacy this year, and coming in at #5 on my list, was perpetrated by SSNBreach.org, who in the name of “helping,” downloaded confidential and private student information, ran to the media before entities who had security issues could fix the problems, and then published personal information about named students to its web site, thereby creating digital footprints for hundreds of students who had no previous footprints online.

4. A number of businesses were in the running for the 4th spot on the list, including Gap, Bank of America, and Affiliated Computer Services (ACS). If we go by the numbers, Affiliated Computer Services (ACS) wins hands down. During 2007, a hard drive with personal data on 2,700 people from the Superior Court, Family Court and the Court of Common Pleas in Delaware was stolen from an employee, a CD with names, Social Security numbers, birthdates and addresses of 2.9 million people on Medicaid and PeachCare for Kids that ACS shipped was lost in transit, and they lost a tape with personal data on 32,000 Kraft employees and 500 of their dependents. And for good dysmeasure, KPRC in Texas reports that ACS may not be providing adequate security on outsourced Washington Mutual files.

3. Federal agencies continued to make headlines, and TSA once again demonstrated why we cannot trust the government with our data. They lost a hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees in May, and in October, two laptop computers with detailed personal information about almost 4,000 commercial drivers who transport hazardous materials were missing and assumed stolen from a contractor. But this year’s winner for federal agencies is the Veterans’ Administration. Not because of the theft of veterans’ files from an employee’s car in Bremerton, and not because a portable hard drive with the personal information of up to 1.8 million veterans and doctors was stolen from the VA medical center in Birmingham. And not because the Asheville veterans hospital distributed an email that contained 861 workers’ names and partial Social Security numbers. And no, not because three computers with personal information on 12,000 veterans were stolen from an Indianapolis VA hospital. The Veterans Administration beat out the competition because they hired someone as an auditor, allowed him to have access to personal information for over two years, and never ran a background check — and never realized that he had stolen files with 1.8 million Social Security numbers.

2. This one was a toss-up between Verus, Inc., the company that didn’t notice that it had removed its firewall, thereby compromising or exposing patient information at all hospitals that used its patient online payment system; military support contractor Science Applications International Corp. (SAIC), who failed to properly secure one of its FTP servers and who may have compromised the information of more than 580,000 households of military personnel when they transmitted unencrypted names, addresses, birth dates, Social Security numbers and health information to its military contract customers; and TJX, who will probably be #1 on everyone else’s list this year. In many respects, TJX probably was the most outrageous security breach and cover-up to be reported during 2007, but they only get second spot on my list.

1. Astroglide/BioFilm is this year’s dyswinner for web exposure of names and mailing addresses of over 250,000 people who requested a free sample of a personal lubricant going back to 2003. Michael Hampton first broke the story on Homeland Stupidity. Astroglide never notified customers of the breach and just tried to pass the buck by blaming Google. Christopher Soghoian wrote to the FTC and state attorneys general to urge them to levy fines on Astroglide/BioFilm. The Astroglide/BioFilm incident remains a disturbing reminder that privacy breaches are not just about financial details and that we need a mandatory disclosure law.

Corrected Dec. 20 to include reference to the Ohio breach where an intern left the backup tape in his car and the PA Dept. of Welfare incident (see #8 for both).
