The Worst Data Breaches of 2009

A look back at another record-breaking year

January 2010

In 2009 the United States witnessed some of the biggest security breaches ever recorded, putting the identities and the financial futures of millions of people at risk. Some of these breaches were discovered immediately, closed, and the perpetrators arrested.

But in most cases, victims have no closure, and authorities have made no arrests. The hackers may live in foreign countries with lax data privacy laws, or may be simply too sophisticated to get caught. But in a shocking number of major attacks, the hackers and thieves were no more cunning than common street thugs stealing a purse or a laptop from a car. According to Privacy Rights Clearinghouse, which maintains an updated chronology of reported data breaches, the biggest identity theft cases in 2009 involved everything from high-tech surveillance and top-notch computer programming skills to the most humdrum criminal capers.

Here we present the 10 worst breaches of 2009. In every case, the result was the same: Identities lost, credit scores and entire lives placed at risk.

1. Worst Breach Ever: Heartland Payment Systems, 7-Eleven and Hannaford Brothers.
Total number of records stolen: 130 million

The worst data breach of 2009, in fact the worst data breach ever recorded, was allegedly masterminded by a man who had already been arrested by the U.S. Secret Service. According to a federal criminal complaint [pdf], Albert Gonzalez orchestrated a cyber attack on companies including 7-Eleven, Heartland Payment Systems, the Hannaford Brothers supermarket chain and other national retailers. For almost two years, Gonzalez and his conspirators hacked into corporate computers and stole 130 million credit and debit card numbers. The plot involved Gonzalez and others walking into retail stores to scope out which types of credit card payment machines they used in their checkout aisles. Heartland, a credit card processing company based in Princeton, N.J., was sued 31 separate times by investors, consumers, credit unions and banks for its alleged mishandling of data and slow disclosure of the breach. The motions have been consolidated into one class-action lawsuit, to be heard sometime in 2010 by the Southern District Court of Texas, in Houston.

2. National Archives and Records Administration
Total number of records lost: 76 million

When his bosses at the National Archives and Records Administration wanted to get rid of an unencrypted hard drive containing the personal records of 76 million military veterans without first wiping the drive clean, IT manager Hank Bellomy hid the piece of hardware in his office safe. Bellomy only succeeded in postponing the breach, however: the defective drive was later retrieved from his office, shipped to its manufacturer and later to a recycling company with all of its data still intact.

“This is the single largest release of personally identifiable information by the government ever,” Bellomy told Wired.com. “When the USDA did the same thing, they provided credit monitoring for all their employees. We leaked 70 million records, and no one has heard a word of it.”

The drive was used to help run eVetRecs, the system that delivers discharge papers and health records to veterans. It held the personal information of 76 million veterans, including their Social Security numbers, which the Department of Defense still uses as identity numbers for service members.

The records administration said the incident presented no threat to veterans because all contractors sign promises in their contracts to protect personal privacy. After the breach, the agency started a new policy of destroying all sensitive media itself before sending it on to outside contractors.

“I said you can’t turn them back in. The data is Privacy Act — it’s against the law,” Bellomy told Wired.com. “We have no clue how many drives have been sent back over the past seven years since this system was in place. I am a government employee and I’m a veteran, and just this year had both my credit cards replaced because they were compromised.”

The administration’s inspector general is investigating the incident.

3. CheckFree Corp.
Total number of records lost: 5 million

CheckFree, a company that provides online bill payment, acknowledged in January 2009 that hackers rerouted parts of its Web site to deliver traffic to a malicious site hosted in Ukraine. The attackers used an employee’s password to gain access to the company’s Web site, suggesting either that the hackers used software to steal the password from an employee, or that one of the company’s workers was in on the job, according to The Washington Post. At least 71 other Web sites were redirected to the same Ukrainian URL during the same time period, which means the attackers were both sophisticated and bold.

“This could have been a lot worse,” Avivah Litan, who analyzes fraud for Gartner Inc., told the Post. “(A)nd if they can do it to CheckFree, they can do it to other banks.”

4. Health Net
Total number of records lost: 1.5 million

The Connecticut-based insurance company Health Net lost a hard drive containing the personal information of 1.5 million people, in records dating back over the last seven years. The drive was either lost or stolen in May 2009. But the company didn’t report it until November, and its early descriptions of the breach overstated how well the data on the drive was protected, leading to widespread criticism.

“I am outraged and appalled,” Connecticut Attorney General Richard Blumenthal said in a prepared statement. “Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information.”

Originally the company said that information on the drive had been “compressed,” making it difficult for anyone to access it. But an outside investigator said that the data was unencrypted and the compression software is easily available, making the information vulnerable to theft. This revelation prompted Matthew Katz, executive vice president for the Connecticut State Medical Society, to tell the American Medical Association newsletter, “How do we now trust anything Health Net has said regarding the data breach?”

5. Oklahoma Department of Human Services
Total number of records lost: 1 million

A laptop containing the personal information of 1 million citizens was stolen from a state human services worker in Oklahoma City on April 3. A single file on the computer contained the names, Social Security numbers, dates of birth and home addresses of people who receive Medicaid, child care assistance, food stamps, and other support for the blind, disabled and poor, according to a department press release.

“The risk of the data being accessed is low because the computer uses a password protected system,” agency director Howard H. Hendrick said in the statement.

The department mailed notification letters to every participant in the state programs, and offered a call center at 1-866-287-0371 for people concerned about identity theft.

6. Arkansas Department of Information Systems/Information Vaulting Services
Number of records lost: 807,700

The Arkansas Department of Information Systems paid a private company, Information Vaulting Services of Little Rock, to place a computer storage tape in its vault. The tape contained names, Social Security numbers, dates of birth and addresses of 807,700 people whose criminal backgrounds were checked in the last 12 years. This year it went missing, and nobody knows how.

“I really, honestly, don't know what happened,” Danny Palo, chief operating officer of Information Vaulting Services, told SC Magazine.

The company implemented a new access control system after the breach. The state offered a call center and Web site for citizens to check whether their names are among the missing, at 888-682-0411 or http://notify.arkansas.gov.
7. Network Solutions
Number of records: 573,000

Hackers attacked the Web site of Network Solutions, a Virginia-based company that provides Web site registration and hosting services. They planted rogue code into the Web hosting packages of 4,343 companies, mostly small online retailers. Using their implanted code, the attackers intercepted and stole the financial information of customers who bought items from those stores, Susan Wade, a company spokeswoman, told CNET.com.

The system was breached from March 12, 2009 to June 8, 2009. Because most of the retailers affected are small and victim notification is expensive, Network Solutions will pay to notify all consumers whose information may have been stolen, and will also pay for 12 months of credit monitoring services.

“We feel terribly about it to burden them with the notification process, which can be kind of tricky because there is no one federal data breach statute,” Wade told the Washington Post.

8. Virginia Department of Health Professions
Number of records at risk: At least 531,400, possibly over 8 million

In April, hackers broke into a Web site maintained by the Virginia Department of Health Professions that helps pharmacists identify possible prescription drug abuse. The hackers deleted the records belonging to more than 8 million people, and then replaced the department’s home page with a ransom note demanding $10 million for the return of the records. According to the Washington Post, the note read:

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.”

It didn’t take long for the ransom note to catch the attention of the FBI, which is still investigating.

“There is a criminal investigation under way by federal and state authorities, and we take…information security very serious,” Sandra Whitley Ryals, director of the health professions department, told the Post.

The department reviewed safety protocols for the site before posting it back online, Ryals said.

9. phpBB.com
Number of records stolen: 400,000

phpBB.com, the home of one of the Internet’s most popular software programs for interactive forums, was hacked in February, giving thieves full access to the company’s database containing the names, passwords and e-mail addresses of all its customers.

The breach was caused by “an outdated awstats and kernel,” the company said in a press release. The company continued in more layperson-friendly terms, urging its users to upgrade their phpBB software, which addressed the vulnerabilities.
10. University of North Carolina at Chapel Hill
Number of records stolen: 236,000

A hacker broke into a computer server containing the personal medical information of 236,000 women who participated in the Carolina Mammography Registry, a research study that has gathered and analyzed mammogram data from radiologists in North Carolina for the last 14 years. The files contained patients’ names, addresses, and for 114,000 people, their Social Security numbers, according to the Winston-Salem Journal.

Many patients involved in the study did not know their personal information was being saved, and were livid at having been exposed to identity theft.

“I wasn’t told that my information was going to be part of a research study that was going to be shared with six states,” Beverly Olson, who received a letter from the UNC Chapel Hill School of Medicine about the breach, told the newspaper. “Here I went for a routine mammogram and then find my information had been hacked and compromised.… How do I protect myself?”

The state attorney general investigated the breach. “I try to protect my data, and I value my identity and don’t want someone perpetrating as myself,” Althea Taylor-Jones, a study participant from Kernersville, North Carolina, told the Journal. “It could ruin my credit and my life.”

Consumer Tips: If your information has been breached

The best any consumer can do upon receiving notification that their personal or financial information has been compromised in a breach is to monitor, monitor, monitor.

If the organization responsible for the breach offers credit and/or fraud monitoring, take it and use it. These can be incredibly useful tools for detecting signs of identity fraud, and the sooner you detect problems, the better your chance of correcting them before too much damage is done in your name.

• If your medical information has been breached, request copies of your medical reports from your health care providers and copies of medical insurance claims, if possible. Make sure that your information is correct; immediately correct any erroneous information.

• If your Social Security number has been compromised, check your credit reports regularly for signs of unauthorized accounts and check your Social Security statement to ensure that your reported income matches your actual earned income.

• If your financial data has been compromised, contact your financial institution and ask for a new account number and card. Be sure to monitor all accounts daily.

©2003-2010 Identity Theft 911, LLC. All rights reserved.