Ten Most Damaging Data Breaches of 2009

Every week for the past four years the San Diego-based Privacy Rights Clearing House (PRCH), an organization dedicated to empowering consumers and protecting privacy, has been chronicling data breaches on a weekly basis.

By  Laton McCartney | Dec 4, 2009
Page 1 of 2
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn
Every week for the past four years the San Diego-based Privacy Rights Clearing House (PRCH), an organization dedicated to empowering consumers and protecting privacy, has been chronicling data breaches on a weekly basis.

These range from small, regional breaches, which may involve a local business or hospital, to national breaches that typically revolve around credit and debit cards.

"These are the mega-breaches that can skew the figures in terms of the number of people victimized,” says Paul Stephens, PRCH's director of policy and advocacy.

Based on PRCH's listings, here are the ten biggest, most damaging and most embarrassing breaches to date this year.


Heartland Payment Systems

For Heartland, a Princeton, N.J.-based payment systems company, the initial warnings came from Visa and MasterCard. Their concern: Suspicious processed credit card activity. Turns out that Heartland was the target of one of the biggest cyber-fraud schemes ever, one allegedly carried out by a former Secret Service informant and Russian hackers. Also targeted were Hannaford Brothers, 7-Eleven and two unnamed national retailers. Almost three-dozen separate lawsuits on behalf of consumers, investors, banks and credit unions have been filed against Heartland.

Number of records affected: According to the court document, hackers stole more than 130 million credit and debit card numbers from Heartland and Hannaford.

Date made public: Jan. 20

Metro Nashville School

Guess what? Your Social Security number is on Google. Or at least Metro Nashville students' SSNs, along with their names, addresses, dates of birth and parents' demographic information, were available via Google searches. Public Consulting Group, a private contractor, unintentionally put student data on a computer Web server that wasn't secure, and the data was available online for three months.

Number of records affected: 18,000

Date made public: April 8

Federal Reserve Bank of New York

A former employee of the New York Fed and his brother were arrested on suspicion of obtaining loans using stolen identities. The ex-employee previously worked as an IT analyst at the bank and had access to sensitive employee information, including names, birthdates, Social Security numbers and photographs. A thumb drive attached to his computer was found to have applications for $73,000 in student loans using two stolen identities. Police also found a fake drivers license with the photo of a bank employee who wasn't the person identified in the license.

Number of records affected: Unknown

Date made public: April 8

Virginia Department of Health Professions

"Give us $10 million, and we'll return the millions of personal pharmaceutical records we stole from your prescription drug database.” That's essentially what hackers told the state of Virginia in May. Did they have the goods? A notice posted on the Virginia DHP Web site acknowledged that the site "is currently experiencing technical difficulties which affect computer and e-mail systems.” Some customer identification numbers, which may have been Social Security numbers, were included, but medical histories were not. Subsequently, the state sent out notifications to 530,000 people whose prescription records may have contained SSNs. Also, 1,400 registered users of the database, mostly doctors and pharmacists, who may have provided SSNs when they registered for the program, were alerted.

Number of records affected: Potentially 531,400

Date made public: May 4

University of California, Berkeley

Hackers infiltrated Berkeley's restricted computer databases, possibly stealing personal information of 160,000 current and former students and alumni. The university said Social Security numbers, health insurance information and non-treatment medical records dating back to 1999 were accessed. The breach was discovered April 21, when administrators performing routine maintenance identified messages left by the hackers and found that restricted electronic databases had been illegally accessed from Oct. 9, 2008 to April 6, 2009. All of the exposed databases were removed from service to prevent further attacks.

Number of records affected: 180,000

Date made public: May 9, 2009

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter
Helpful Links

  • Yankee Group Mobile WAN Optimization Report

    Mobile work continues to evolve. Your organization must keep up with the demands of its mobile workforce. This report introduces the concept of mobile WAN optimization and provides three case studies including RCM, PRTM and Einstein that highlight how this emerging technology can help IT departments achieve what previously appeared to be conflicting goals. Read >

  • Network Security Resources

    More threats than ever before pose a danger to today's enterprise network. Get the latest tips and intel on the newest risks in our guide to network security resources. Read >

  • Extreme Savings: Cutting Costs with WAN Optimization

    Did you know it's possible to cut IT costs without impacting day-to-day IT operations? In fact, when you download this whitepaper from Riverbed on cost-savings through WAN optimization, you'll discover how businesses of all different sizes have realized a return on investment in just a few months through significant hard cost savings in areas such as bandwidth reduction and IT consolidation. It's called Extreme Savings and its only from Riverbed. Read >