The week that was: changes in the Top 10 list of breaches

By , August 31, 2008 8:19 am

When Scotland’s Sunday Herald proclaimed “Revealed: 8 million victims in the world’s biggest cyber heist,” they appeared to be wrong on a few counts.  Even if  they had been correct that every Best Western hotel guest’s data  had been stolen, that would not have made the breach the world’s biggest cyber heist.  Had they consulted any one of a number of online sources, they would have discovered that 8,000,000 records or people might have barely qualified for the Top 10 list in terms of breaches where we have numbers reported. As it turns out, Best Western disputes the numbers and claims that the numbers are in the dozens, not millions.

But what does it take to make the top 10 list in terms of breaches?  After two breach reports from this week changed the rankings, it looks like it takes over 8,500,000 records or people just to stand a chance of becoming a cautionary tale.  A breach reported from Taiwan moves right to the head of the list — depending on how you ‘count’ the TJX breach.  If you count it as 94,000,000 as banks claimed in their court filings, TJX currently retains the dubious distinction of worst breach ever in terms of number of records compromised.  If you use the 46,500,000 figure that had been previously cited and that seems to synch with recent federal indictments, the TJX breach falls to second place behind the 50,000,000-record hack in Taiwan orchestrated by at least 6 people who hacked into government databases, state-run firms, telecom companies and a television shopping network.

BNY Mellon and Archive Systems Inc. also joined the Top 10 list this week when BNY revealed that missing unencrypted backup tapes contained data on 12.5 million people — not the 4.5 million originally reported.  To their shame, BNY Mellon did not discover the additional 8 million people on their own initiative — the extent of the breach was only discovered when they responded to a probe by Connecticut.

So what does the Top 10 list currently look like?  Based on available information, it might look like this:

Rank # of Records or People Entity First Reported Incident
1 94,000,000* TJX, Inc. 2007-01-17 Hack
2 50,000,000 Misc. Taiwanese 2008-08-28 Hack
3 40,000,000 Card Systems 2005-06-17 Hack
4 26,500,000 U.S. Department of Veterans Affairs 2006-05-22 Stolen Laptop
5 25,000,000 HM Revenue and Customs / TNT 2007-11-20 Lost Tapes
6 18,000,000** 2008-02-17 Hack
7 12,500,000 Bank of New York Mellon / Archive Systems Inc, 2008-03-26 Lost Tapes
8 9,000,000 Misc. Korean 2008-07-27 Hack
9 8,637,405 Dai Nippon Printing Company / Unnamed Contractor 2007-03-12 Insider
10 8,500,000 Certegy Check Services Inc. 2007-07-03 Insider

* 94,000,000 or 46,500,000 depending on source.

Given the fact that entities are still amassing tremendous amounts of data, one can only wonder what the list will look like by the end of this year.

Update Sept. 6th: A breach involving 11.1 million GS Caltex customers reported today would move GS Caltex into the Top 10, bumping Certegy off of the list.

** breach said their number is 10.8 million and not 18 million as reported by other sources.

Comments are closed

Panorama Theme by Themocracy