10 multi-million dollar data security snafus

Think your company has all its data security bases covered? Think again. The simplest security measures are often overlooked. Here are 10 examples of data security snafus that cost companies millions of dollars – and one incident that put the company out of business altogether. Learn from their mistakes to avoid multi-million dollar payouts. 

The Ponemon Institute Total Direct Cost Estimate for each incident was calculated using figures reported by the Ponemon Institute in its 2009 Annual Study: U.S. Cost of a Data Breach. The institute found that the direct cost of each compromised record was $60 in 2008. See page 5 of the report.

1. Citigroup/Citibank, N.A. – June 2011

Using a technique taught in Hacking 101, hackers manipulated the URL of Citigroup’s online banking website to steal account information from more than 300,000 customers including names, email addresses and card numbers. The company was liable for $2.7 million in unauthorized purchases made using the accounts of 3,400 card holders in North America.

Total Records Compromised: 360,000

Ponemon Institute Total Direct Cost Estimate: $21.6 million

Lesson Learned: Make sure your programmers know what they’re doing. There were a couple of basic steps the developers could’ve taken to prevent the attack. Citigroup was widely criticized for not doing more to provide secure online account access and for waiting too long to notify its customers of the breach.

2. Triwest/US Department of Defense – December 2002

Thieves broke into the Phoenix office of Triwest Healthcare Alliance and stole computer hard drives containing the Social Security numbers and other personal information of more than 500,000 military personnel and their families. Some credit card numbers were exposed as well.

Total Records Compromised: 562,000

Ponemon Institute Total Direct Cost Estimate: $33.7 million

Lesson Learned: This breach occurred at the time the Department of Defense was embarking on a project to computerize the health records of all military personnel. It prompted the military to examine both its physical and electronic security measures throughout its health care system.

3. Sutter Medical Foundation – October 2011

A password-protected but unencrypted desktop computer containing the names, addresses, birthdates, phone numbers and some email addresses of more than 4 million patients was stolen during a break-in at one of the foundation’s administrative offices in Sacramento, CA. The organization was in the process of encrypting the data stored on its computers when the theft occurred.

Total Records Compromised: 4.2 million

Ponemon Institute Total Direct Cost Estimate: $255 million

Lesson Learned: Physical security is just as important as electronic security.

4. Tricare Management Activity/US Department of Defense – September 2011

A Science Applications International Corporation (SAIC) contractor working for Tricare in San Antonio, TX, was supposed to transport back-up tapes from one government facility to another, except a thief broke into the contractor’s car while it was parked in a parking garage and stole the unencrypted tapes. Tricare is the health care system for active-duty military personnel and veterans. The tapes contained the names, addresses, phone numbers and Social Security numbers in addition to clinical notes, laboratory tests, and prescriptions of almost 5 million Tricare beneficiaries.

The agency initially spent more than $14 million on a mass mailing and running a call center to notify all current and former service members whose information was potentially compromised. The VA later agreed to pay out $20 million to settle a class-action lawsuit brought by the veterans and active-duty service members affected.

Total Records Compromised: 4.9 million

Ponemon Institute Total Direct Cost Estimate: $307 million

Lesson Learned: Another example of the importance of physical security (and data encryption).

5. Fidelity National Information Services – July 2007

A senior-level database administrator at Fidelity subsidiary Certegy Check Services stole more than 8 million consumer records and sold them to a data broker who then sold a subset of the records to numerous direct marketing companies. The employee was in charge of managing who had access to what data. The records included financial data like checking account details and credit card numbers, plus names, addresses and birth dates. Ultimately, the company paid out $6.7 million to settle court cases filed against it.

Total Records Compromised: 8.5 million

Ponemon Institute Total Direct Cost Estimate: $510 million

Lesson Learned: Install data loss prevention software and take other steps to limit employees’ abilities to copy data. The perpetrator was said to have copied the data and carried it out the door.

6. US Department of Veterans Affairs – May 2006

A laptop and external hard drive containing the names, addresses and Social Security numbers of US veterans and active-duty military personnel were stolen from a VA employee’s home. Victims filed a class action lawsuit and were awarded a $20 million judgment.

Total Records Compromised: 26.5 million

Ponemon Institute Total Direct Cost Estimate: $1.59 billion

Lesson Learned: Password-protect and encrypt your data. The stolen laptop and external hard drive weren’t password-protected, and the data wasn’t encrypted.

7. CardSystems Solutions – May 2005

Hackers infiltrated the company’s computer system after breaking in through the website customers used to access their accounts online. In total, 40 million names, card numbers and card security codes were exposed in the breach.

Total Records Compromised: 40 million

Ponemon Institute Total Direct Cost Estimate: $2.4 billion

Lesson Learned: Verify that your internal procedures are in compliance with business partner requirements designed to keep customer data secure. Being out of compliance could mean being out of business: While a forensic analysis showed that only a fraction of the compromised accounts were actually downloaded, it was revealed during the investigation that CardSystems Solutions kept an unauthorized file of transaction data in violation of MasterCard and Visa’s security policies – in the end, the company was forced into acquisition.

8. Sony Corporation – April 2011

Hackers swiped more than 70 million customer records, including financial information, by injecting rogue SQL code that performed database dumps.

Total Records Compromised: 77 million

Ponemon Institute Total Direct Cost Estimate: $4.62 billion

Lesson Learned: Install patches and updates regularly. The hackers exploited out-dated Apache web server software.

9. TJX Companies, Inc.  – January 2007

Hackers, led by the infamous Albert Gonzalez, stole almost 100 million credit and debit card numbers from the parent company of retail outlets TJ Maxx and Marshalls. The company was held liable for $64 million: $23 million in monetary awards resulting from class action lawsuits and $41 million in an out-of-court settlement with Visa.

Total Records Compromised: 94 million

Ponemon Institute Total Direct Cost Estimate: $5.64 billion

Lesson Learned: Secure your wireless networks. The criminals used war driving techniques to pinpoint holes in the company’s wireless networks. Once inside, they installed sniffer software to steal passwords and get access to the card numbers, which were used to buy millions of dollars worth of electronics from Walmart and other stores.

10. Heartland Payment Systems – January 2009

Gonzalez and his cohorts also stole more than 100 million account holders’ names, credit and debit card numbers, and expiration dates from Heartland Payment Systems, the 5th largest electronic payment processor in the US. Heartland was forced to pay out $68 million in monetary damages as a result of class action lawsuits filed by victims and out-of-court settlements with American Express and Visa.

Total Records Compromised: 130 million

Ponemon Institute Total Direct Cost Estimate: $7.8 billion

Lesson Learned: Identify and fix your computer system’s vulnerabilities before hackers exploit them. The thieves stole the card data as it traveled unencrypted over the payment network and used it to rack up millions of dollars in fraudulent charges.