The Breach Blog Week in Review 9/22-9/28
All in all, this was a relatively quiet week compared to the last few. This week there were five (5) breaches reported on the blog, compared with fifteen (15) the prior week (9/15-9/21).
eBay
Among the most notable breaches this week was the one affecting eBay customers. This breach is still shrouded in mystery, and eBay claims it did not occur as a result of hacking their systems. Would you expect eBay to say anything different? There is plenty of speculation that this was indeed a hack of their internal systems and that a hacker by the name of “Vladuz” might somehow be involved; Vladuz has haunted eBay in the past, as far back as 2006. Another popular theory, and one that eBay is actively endorsing, is that the victims were duped by phishing attacks.
Other Breaches This Week
The week started off with another laptop stolen from a State of Pennsylvania employee. Of course, the laptop was not encrypted and contained some very sensitive information about teachers and bus drivers from at least one Pennsylvania school district. This was the second incident involving State of Pennsylvania stolen computer equipment this month.
A couple of days later we received a report of another stolen laptop from a different state government. This time it was Utah’s turn: 2,000 people were affected when a Department of Workforce Services computer was stolen from an employee’s car. On the laptop was an unencrypted spreadsheet with private data. The victims are job seekers.
By Monday, we were already reporting on the third breach of the week, and things looked like they were going to go the way they did last week. On Monday we reported a Central Piedmont Community College (CPCC) breach affecting 2,600 employees. Although it hasn’t been confirmed, this breach looks to be the result of a poor off-boarding process.
eBay was next, and then on to the last breach of the week. This breach is important to note. By all accounts this appears to be a case where an organization “puts their money where their mouth is” in terms of taking care of confidential information. I was particularly pleased with Southern Oregon University when I read “SOU stopped using Social Security numbers for identification two years ago”.
Other breaches that we passed on reporting included the arrest of the person responsible for unauthorized access to South Africa’s health information clearing house, Electronic Patient Records (EPR). The suspect accessed the information and then attempted to extort money from EPR. We also did not report on a couple of “zero-day” exploits that affected AOL and Yahoo! instant messaging users. We did not report on these because we have no information about anyone who may have been directly affected.
Summary
Overall, it was nice to see a week with less to report. Less reporting means more time for other things!
Stats for the week:
Number of breaches: 5
Number of victims: 6,200 (one breach unknown)
Average number of victims/breach: 1,550
Total cost: $868,000*
Most popular breach type: Stolen Laptop (2)
Stats for last week:
Number of breaches: 15
Number of victims: 30,509 (four breaches unknown)
Average number of victims/breach: 3,390
Total cost: $4,271,260*
Most popular breach type: tie, Stolen Laptop (3) and Employee Mistake (3)
Stats for September:
Number of breaches: 39
Number of victims: 7,137,782 (thirteen breaches unknown)
Average number of victims/breach: 274,530
Total Cost: $999,289,480*
Most popular breach type: tie, Stolen Laptop (9) and Hack (9)
*based on the number of victims multiplied by the average cost of $140 per lost or stolen record. (source Ponemon Institute's 2006 Cost of Data Breach Study)
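The weekly and monthly figures above follow a simple method: victims are summed over the breaches that disclosed a count, the average is taken over those breaches only, and the estimated cost is the victim total multiplied by the footnote’s $140 per record. The Python script below is an added example, not part of the original post; it applies that method to a constructed set of breach records (the names, types and counts are made up for illustration, not the blog’s data) and reports ties for the most common breach type the way the September line does.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Per-record figure the footnote attributes to Ponemon's 2006 Cost of Data Breach Study.
COST_PER_RECORD_USD = 140


@dataclass(frozen=True)
class Breach:
    name: str
    kind: str                # e.g. "Stolen Laptop", "Hack", "Employee Mistake"
    victims: Optional[int]   # None when the organization has not disclosed a count


def tally(breaches):
    """Compute the blog's weekly/monthly stats for a list of Breach records.

    Breaches with an undisclosed victim count still count toward the number of
    breaches, but are left out of the victim total, the average and the cost,
    exactly as the "(N breaches unknown)" notes above imply.
    """
    known = [b.victims for b in breaches if b.victims is not None]
    total = sum(known)
    types = Counter(b.kind for b in breaches)
    top = max(types.values()) if types else 0
    return {
        "breaches": len(breaches),
        "victims": total,
        "unknown": len(breaches) - len(known),
        # Average over breaches that disclosed a count, rounded like the post.
        "avg_per_known_breach": round(total / len(known)) if known else 0,
        "estimated_cost_usd": total * COST_PER_RECORD_USD,
        # All types sharing the highest count, so ties are reported rather than hidden.
        "most_common_types": sorted(k for k, v in types.items() if v == top),
        "most_common_count": top,
    }


def format_report(stats):
    """Render the stats in the same order the blog prints them."""
    kinds = " and ".join(stats["most_common_types"])
    tie = "tie, " if len(stats["most_common_types"]) > 1 else ""
    return "\n".join([
        f"Number of breaches: {stats['breaches']}",
        f"Number of victims: {stats['victims']:,} ({stats['unknown']} breaches unknown)",
        f"Average number of victims/breach: {stats['avg_per_known_breach']:,}",
        f"Total cost: ${stats['estimated_cost_usd']:,}*",
        f"Most popular breach type: {tie}{kinds} ({stats['most_common_count']})",
    ])


# Constructed sample records; these are NOT the breaches described in the post.
SAMPLE = [
    Breach("agency laptop A", "Stolen Laptop", 2000),
    Breach("agency laptop B", "Stolen Laptop", None),
    Breach("college off-boarding", "Employee Mistake", 2600),
    Breach("auction site", "Hack", None),
    Breach("university", "Employee Mistake", 1600),
]

if __name__ == "__main__":
    print(format_report(tally(SAMPLE)))
```

Because undisclosed counts are dropped rather than estimated, both the victim total and the dollar figure are floors, not point estimates; the more “unknown” breaches a period carries, the further the true cost can sit above the number printed.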