Impact: 40 million credit card accounts exposed. CSS, one of the top payment processors for Visa, MasterCard and American Express, is ultimately forced into acquisition.
Hackers broke into CardSystems' database using an SQL Trojan attack, which inserted code into the database via the browser page every four days, placing data into a zip file and sending it back through FTP. Since the company never encrypted users' personal information, hackers gained access to names, account numbers, and verification codes for more than 40 million card holders. Visa spokeswoman Rosetta Jones told Wired News at the time that CSS received an audit certification in June 2004 that it was compliant with data storage standards, but an assessment after the breach showed it was not compliant. "Had they been following the rules and requirements, they would not have been compromised," Jones said. The company was acquired by Pay-by-touch at the end of 2005.
Date: August 6, 2006
Impact: Data on more than 20 million web inquiries, from more than 650,000 users, including shopping and banking data, were posted publicly on a web site.
In January 2007, Business 2.0 Magazine ranked the release of the search data among the "101 Dumbest Moments in Business." Michael Arrington, a lawyer and founder of the blog site TechCrunch, posted a comment on his blog saying, "The utter stupidity of this is staggering." AOL Research, headed by Dr. Abdur Chowdhury, released a compressed text file on one of its websites containing 20 million search keywords for more than 650,000 users over a three-month period. While it was intended for research purposes, it was mistakenly posted publicly. AOL pulled the file from public access by the next day, but not before it had been mirrored and distributed on the Internet. AOL itself did not identify users, but personally identifiable information was present in many of the queries, and because AOL attributed the queries to particular user accounts, identified numerically, an individual could be identified and matched to their account and search history through such information. The breach led to the resignation of AOL's CTO, Maureen Govern, on Aug. 21, 2006.
Date: August 2007
Impact: Confidential information of 1.3 million job seekers stolen and used in a phishing scam.
Hackers broke into the U.S. online recruitment site's password-protected resume library using credentials that Monster Worldwide Inc. said were stolen from its clients. Reuters reported that the attack was launched using two servers at a Web-hosting company in Ukraine and a group of personal computers that the hackers controlled after infecting them with a malicious software program. The company said the information stolen was limited to names, addresses, phone numbers and e-mail addresses, and no other details, including bank account numbers, were uploaded. One problem was that Monster learned of the breach on Aug. 17 but didn't go public with it for five days. Another, reported by Symantec, was that the hackers sent out scam e-mails seeking personal financial data, including bank account numbers. They also asked users to click on links that could infect their PCs with malicious software. Once that information was stolen, hackers e-mailed the victims claiming to have infected their computers with a virus and threatening to delete files unless the victims met payment demands.