The breach pointed once again to the human element as the weakest link in the security chain. The database was on a laptop and an external hard drive, both stolen in a burglary at a VA analyst's Maryland home. The analyst reported the May 3, 2006 theft to the police immediately, but Veterans Affairs Secretary R. James Nicholson was not told of it until May 16. Nicholson informed the FBI the next day, yet the VA issued no public statement until May 22. An unknown person returned the stolen items on June 29, 2006. The VA estimated it would cost $100 million to $500 million to prevent or cover possible losses arising from the theft.
Date: April 20, 2011
Impact: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month.
This is viewed as the worst gaming-community data breach of all time. Of the more than 77 million accounts affected, 12 million had unencrypted credit card numbers. Sony says it still has not identified the source of the hack. The attackers gained access to full names, passwords, e-mails, home addresses, purchase history, credit card numbers, and PSN/Qriocity logins and passwords. "It's enough to make every good security person wonder, 'If this is what it's like at Sony, what's it like at every other multi-national company that's sitting on millions of user data records?'" says eIQnetworks' John Linkous. He says it should remind those in IT security to identify and apply security controls consistently across their organizations. For customers: "Be careful whom you give your data to. It may not be worth the price to get access to online games or other virtual assets."
Date: July-August 2011
Impact: The personal information of 35 million South Koreans was exposed after hackers breached the security of a popular software provider.
It is called the biggest theft of information in South Korea's history, affecting a majority of the population. South Korean news outlets reported that attackers using Chinese IP addresses uploaded malware to a server used to update ESTsoft's ALZip compression application. The attackers were then able to steal the names, user IDs, hashed passwords, birthdates, genders, telephone numbers, and street and email addresses held in a database connected to the same network. ESTsoft CEO Kim Jang-joon issued an apology and promised to "strengthen the security system of our programs."
9. Gawker Media
Date: December 2010
Impact: Compromised e-mail addresses and passwords of about 1.3 million commenters on popular blogs like Lifehacker, Gizmodo, and Jezebel, plus the theft of the source code for Gawker's custom-built content management system.