The Breach Blog November Review

The Breach Blog Month in Review November, 2007

Thirty-nine (39) breaches were reported on The Breach Blog during the month of November, 2007, compared with thirty-five (35) during the month of October.  November ranks second to September (44) in the number of breaches reported in a month since The Breach Blog began compiling reports in August.

The month started out like most of the others, with our first breach report coming on the first day of the month.  On October 27th, Art.com, Inc. issued a statement to customers alerting them to the fact that a criminal Internet "hacker" illegally accessed a system or systems containing names and encrypted credit card information.  We reported it on November 1st.  Art.com should be complimented on their decision to encrypt sensitive data.

The most read breach of the month concerned a stolen laptop belonging to the United States Postal Service in Oahu, Hawaii that affected 3,000 postal workers.  This breach was reported on The Breach Blog on November 2nd, so this may contribute to its link popularity for the month.

There were multiple organizations that reported their 2nd (or 3rd or 4th) breach since we started keeping track, and there were two organizations that reported more than one breach in November alone!  Organizations that have reported breaches before, in addition to one or more in November, include Her Majesty’s Revenue and Customs (3 total), Montana State University (4), Capital Health (2), United States Department of Veterans Affairs (2), and the State of Massachusetts (2).  Montana State University reported three breaches and Her Majesty’s Revenue and Customs (HMRC) reported two in November alone!

The breach reported by Her Majesty’s Revenue and Customs (HMRC) was by far the single largest breach of the month in terms of the number of affected individuals.  HMRC reported lost “discs” containing sensitive information belonging to Standard Life pensioners on November 2nd, then followed up with lost “discs” containing sensitive information about 25,000,000 individuals AND 7,250,000 families.  This single breach alone reportedly affects ½ of the British population!  The head of HMRC resigned, and victims are left wondering.  This breach occurred not only because of poor security but also because of a lack of common sense.

It was an interesting month to say the least.

Summary
Anytime there is even one breach to report, it means that someone’s life has been impacted by a failure of information security.  It wasn’t the worst of months, but it certainly wasn’t the best either.  November closed out with an estimated five-billion-dollar price tag, with HMRC contributing 96+%.

Stats for November:
Number of breaches: 39
Number of victims: 25,944,451 (seven breaches unknown; 944,451 without HMRC)
Average number of victims/breach: 665,242 (24,854 without HMRC)
Average cost/breach: $131,052,674 ($4,896,238 without HMRC)*
Total Cost: $5,111,056,847 ($186,056,847 without HMRC)*
Most popular breach type:  Stolen unencrypted laptop or device (9), Employee mistake (9)


Stats for October:
Number of breaches: 35
Number of victims: 943,419 (eight breaches unknown)
Average number of victims/breach: 26,954
Average cost/breach: $5,309,938*
Total Cost: $185,853,543*
Most popular breach type: Stolen unencrypted laptop (11)

*Based on the number of victims multiplied by the average cost of $197 per lost/stolen record, covering "investigating the breach, notifying customers, restoring security infrastructures and recovering lost business." (Source: Ponemon Institute's 2007 Cost of Data Breach Study)

Comments
  • 6/11/2008 1:04 PM D wrote:
    I hate Labcorp with a passion. Every time my doctor wants to run a test I cringe. Between the wait time, the clueless idiots who work there, the inexperienced techs who can’t find the vein saying “Goodness, the vein rolled”.

    I hate this place. The last 2 times I went I suggested to them a real nice vein and the tech chose to use a vein that was almost not visible and then they dug and dug until they caught it. You should see the bruises.

    Today’s problem is they’re refusing to supply me with my reports. They did offer to mail it to me in 2 weeks. This is against NJ Department of Health and Hospital regulations. I spoke with DHH and they suggested I file a complaint. When I told Don Luu, the Director of HIPAA regulations, he was no help, just an arrogant idiot who is too lazy to do his job and follow the NJ Statutes. Then I spoke with Don Hardison, COO, and he stands behind his MORON. Dave King, CEO, is out of the office at a conference. I’m sure some exotic resort at the shareholders’ $$$$$.

    What a joke. These people should be heavily regulated and made to follow the rules of each state, not make up the rules as they see fit.