<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ITAC Blog &#187; Data Breach</title>
	<atom:link href="http://itacidentityblog.com/tag/data-breach/feed" rel="self" type="application/rss+xml" />
	<link>http://itacidentityblog.com</link>
	<description></description>
	<lastBuildDate>Wed, 28 Dec 2011 15:59:43 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>6 Worst Data Breaches of 2011</title>
		<link>http://itacidentityblog.com/6-worst-data-breaches-of-2011</link>
		<comments>http://itacidentityblog.com/6-worst-data-breaches-of-2011#comments</comments>
		<pubDate>Wed, 28 Dec 2011 15:59:43 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Guest Posts]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Identity Theft Assistance Center]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[ITAC Sentinel]]></category>
		<category><![CDATA[Worst Data Breaches of 2011]]></category>
		<category><![CDATA[Year of the Data Breach]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=3921</guid>
		<description><![CDATA[When it comes to data breaches, how does 2011 compare with previous years?  A new report from the Privacy Rights Clearinghouse (PRC) notes 535 breaches during 2011, involving 30.4 million sensitive records. But that&#8217;s just a conservative estimate, since not all data breaches see the light of day. &#8220;Because many states do not require [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://www.kiplinger.com/kipimages/special_report_ledes/investing-outlook-2011.jpg" alt="" width="202" height="101" />When it comes to data breaches, how does 2011 compare with previous years?  A new report from the Privacy Rights Clearinghouse (PRC) notes 535 breaches during 2011, involving 30.4 million sensitive records. But that&#8217;s just a conservative estimate, since not all data breaches see the light of day. &#8220;Because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about,&#8221; said PRC director Beth Givens in the report.</p>
<p>Even so, 2011 saw some of the biggest or most significant breaches in history, PRC says:</p>
<p>1. Sony. Sony suffered over a dozen data breaches, stemming from attacks that compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures, among other Sony-owned websites. Notably, these breaches occurred after Sony had laid off many of its security personnel in the months preceding the attacks. Ultimately, Sony faced an ongoing customer relations fallout&#8211;as well as class-action lawsuits&#8211;over its failure to protect over 100 million user records. Owing to the frequency with which users reuse passwords, many Sony customers are now at risk from attackers using the stolen password data to access their accounts on other sites.</p>
<p>2. Epsilon. When companies outsource business processes, who&#8217;s ultimately responsible for the security of any shared customer data? Answer: the company that outsourced the job. That&#8217;s the lesson from the April breach of cloud-based email service provider Epsilon, which fell to a spear-phishing attack. The breach affected data from 75 of Epsilon&#8217;s clients&#8211;meaning, businesses that had trusted Epsilon with their customers&#8217; data. &#8220;Epsilon has not disclosed the names of the companies affected or the total number of names stolen,&#8221; according to the PRC report. &#8220;However, millions of customers received notices from a growing list of companies, making this the largest security breach ever.&#8221; Conservative estimates are that 60 million customer email addresses were breached.</p>
<p>3. RSA. One of the most high-profile breaches of 2011 didn&#8217;t involve consumer information, but rather one of the world&#8217;s most-used two-factor authentication systems. After attackers breached the systems of EMC&#8217;s RSA in April, stealing information relating to its SecurID system, the company drew fire for failing to detail exactly what had been stolen, or exactly how the attack put customers at risk of being exploited. RSA ultimately traced the attack to an unnamed nation state, and revealed that the exploit had relied on a very low-tech spear-phishing attack. One significant result of the attack has been that many companies are now retooling their security and training processes to help prevent these types of low-cost, easy-to-execute social-engineering attacks from succeeding.</p>
<p>4. Sutter Physicians Services. Data from both Sutter Physicians Services and Sutter Medical Foundation was breached in November when a thief stole a desktop computer from the organization, which contained about 3.3 million patients&#8217; medical details&#8211;including name, address, phone number, email address and health insurance plan name&#8211;stored in unencrypted format. &#8220;The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location),&#8221; according to the PRC report. A class-action lawsuit lodged against the companies alleged that they also failed to inform affected patients about the breach in a timely manner.</p>
<p>5. Tricare and SAIC. In September, backup tapes containing SAIC (Science Applications International Corporation) data were stolen from the car of a Tricare employee. Much of that data related to current and retired members of the armed services, as well as their families. The breach led to a $4.9 billion lawsuit being filed, which aims to award $1,000 to each of the 5.1 million people affected by the breach. &#8220;The Tricare/SAIC breach is significant because not only are the victims at risk of medical identity theft, but financial identity theft as well. The breach begs several questions: Why were the backup tapes being transported in an employee&#8217;s personal vehicle? And why were those records not encrypted?&#8221; according to the PRC report.</p>
<p>6. Nasdaq. Not all breaches target massive quantities of customer data. Notably, attackers breached Directors Desk, a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives and company directors. By monitoring Directors Desk, attackers may have had access to inside information, which they could have sold to competitors or perhaps used to make beneficial stock market trades.</p>
<p>Prepare For Breaches</p>
<p>What&#8217;s the takeaway from the above six breaches? First, data breaches are a fact of life, and in all industries. Accordingly, security experts recommend that businesses have a data breach response plan formulated in advance. You should also have the right processes and technology in place to spot a breach.</p>
<p>But it&#8217;s important to proactively stop data breaches too. To help, the PRC report highlighted the importance that companies must place on creating &#8220;strict privacy and security policies,&#8221; as well as data retention policies. Furthermore, businesses could avoid &#8220;breaches&#8221; simply by properly encrypting all sensitive information. Notably, if encrypted data gets lost or stolen, it doesn&#8217;t count as a data breach or trigger consumer notification requirements.</p>
<p>Read the full InformationWeek article <a href="http://informationweek.com/news/security/attacks/232301079">here. </a></p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/6-worst-data-breaches-of-2011/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Monday Morning News Kick Off: Rise in Child ID Theft; Cyber Insurance Boom; and Medical Data Breaches Affected More Than 10 Million Americans</title>
		<link>http://itacidentityblog.com/monday-morning-news-kick-off-rise-in-child-id-theft-cyber-insurance-boom-and-medical-data-breaches-affected-more-than-10-million-americans</link>
		<comments>http://itacidentityblog.com/monday-morning-news-kick-off-rise-in-child-id-theft-cyber-insurance-boom-and-medical-data-breaches-affected-more-than-10-million-americans#comments</comments>
		<pubDate>Mon, 26 Dec 2011 16:12:52 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Guest Posts]]></category>
		<category><![CDATA[Child Identity theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Identity Theft Assistance Center]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[ITAC Sentinel]]></category>
		<category><![CDATA[Stratfor]]></category>
		<category><![CDATA[Stratfor Breach]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=3910</guid>
		<description><![CDATA[Welcome to the Monday Morning News Kick Off post from the ITAC blog.  We hope everyone had a restful holiday weekend.  Though it is technically a holiday week, as we all know, the world of cybercrime does not slow down.  That is why we have been kind enough to pull together [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://www.life360.com/blog/wp-content/uploads/2010/08/id_theft_kids.jpg" alt="" width="121" height="121" />Welcome to the Monday Morning News Kick Off post from the ITAC blog.  We hope everyone had a restful holiday weekend.  Though it is technically a holiday week, as we all know, the world of cybercrime does not slow down.  That is why we have been kind enough to pull together all the key identity theft, data breach and cyber security stories you need in one convenient location.  Happy Monday!</p>
<p><strong>Rise In Child Identity Theft Prompts Push For Solutions </strong><br />
When Jennifer Andrushko applied for public aid two years ago, a state employee entered her son Carter&#8217;s Social Security number into a computer and discovered something strange: The boy appeared to have been earning wages for the past eight years. &#8220;I thought, &#8216;How could this be happening? He&#8217;s only three years old,&#8217;&#8221; Andrushko said. It turned out an undocumented immigrant had been using Carter&#8217;s number to acquire jobs since before he was born. But Carter proved relatively fortunate. Unlike many child identity theft victims who do not realize their credit is ruined until they reach adulthood, his case was caught while he was young, giving him time to recover his good name. Read the full Huffington Post article <a href="http://www.huffingtonpost.com/2011/12/21/child-identity-theft-solutions_n_1144577.html">here. </a></p>
<p><strong>Lax Security Exposes Voice Mail to Hacking, Study Says</strong><br />
It may be tempting to view the illegal interception of telephone voice mails, a practice that has roiled Britain and the News Corp. media empire of Rupert Murdoch, as an arcane tool employed by scofflaw journalists with friends in Scotland Yard. But according to a study to be presented Tuesday, cellphone users in Europe and the rest of the world may be just as vulnerable as the actor Hugh Grant and other celebrities to having their personal voice mail hacked — or worse — because of outdated mobile network security. Read more from the NY Times <a href="http://www.nytimes.com/2011/12/26/technology/26iht-hack26.html">here.</a></p>
<p><strong>Insurance Against Cyber Attacks Expected to Boom</strong><br />
Sony is still awaiting the final tally for losses related to its data breaches earlier this year. At last count, it had compromised 100 million customer accounts, and Sony anticipated the debacle would cost $200 million. With 58 class-action suits in the works, that may be wishful thinking. Now for the really bad news: Sony’s losses aren’t insured. In a lawsuit, Sony’s insurer, the Zurich American Insurance Company, reminded the company it does not own a cyber insurance policy. Sony’s policy only covers tangible losses like property damage, not cyber incidents. Read more from the NY Times <a href="http://bits.blogs.nytimes.com/2011/12/23/insurance-against-cyber-attacks-expected-to-boom/">here. </a></p>
<p><strong>Stratfor Targeted by Hacking Group Anonymous</strong><br />
The loosely-associated band of hackers known as Anonymous claims to have targeted the global intelligence think tank Strategic Forecasting, known as Stratfor, boasting on the microblogging site Twitter that personal information, including credit card numbers, belonging to Stratfor clients had been stolen. As of Monday morning, Stratfor’s Website was down, with a placeholder page saying the site was undergoing maintenance and asking visitors to “check back soon.” Read more from eWeek <a href="http://www.eweek.com/c/a/Security/Stratfor-Targeted-by-Hacking-Group-Anonymous-652070/">here. </a></p>
<p><strong>Medical Data Breaches Affected More Than 10 Million Americans In 2011</strong><br />
2011 has been a bad year for medical data breaches. The medical records of more than ten million Americans were exposed this year. The San Diego-based Privacy Rights Clearinghouse has issued a list of this year&#8217;s six most significant data breaches. The insurer Health Net suffered one of the worst, when nine data servers went missing from a Northern California data center in January. The servers contained records of nearly two million current and former policy holders. Read more from KPBS <a href="http://www.kpbs.org/news/2011/dec/20/medical-data-breaches-affected-more-10-million-ame/">here. </a></p>
<p><strong>Enterprise Data Breaches: Insider Threats That Cause Most Losses</strong><br />
Organizations are beefing up their network and data defenses to protect sensitive information and intellectual property from attackers. But enterprise management often forgets that their own employees and contractors can also pose a threat. A recent Symantec report found that approximately 65 percent of malicious data thieves are on their way out the door to join a competitor or start their own company. More than half of the data theft occurs within a month before an employee&#8217;s departure, according to the study. Check out more from eWeek <a href="http://www.eweek.com/c/a/Security/Enterprise-Data-Breaches-Insider-Threats-That-Cause-Most-Losses-239146/">here. </a></p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/monday-morning-news-kick-off-rise-in-child-id-theft-cyber-insurance-boom-and-medical-data-breaches-affected-more-than-10-million-americans/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Monday Morning News Kick Off:  Iowa Caucus Threatened By Hackers; Hacker Arrested for Attack on Gene Simmons’ Website; Malcolm X Daughter Gets Jail Time for ID Theft</title>
		<link>http://itacidentityblog.com/monday-morning-news-kick-off-iowa-caucus-threatened-by-hackers-hacker-arrested-for-attack-on-gene-simmons%e2%80%99s-website-malcolm-x-daughter-gets-jail-time-for-id-theft</link>
		<comments>http://itacidentityblog.com/monday-morning-news-kick-off-iowa-caucus-threatened-by-hackers-hacker-arrested-for-attack-on-gene-simmons%e2%80%99s-website-malcolm-x-daughter-gets-jail-time-for-id-theft#comments</comments>
		<pubDate>Mon, 19 Dec 2011 16:14:41 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Daily News]]></category>
		<category><![CDATA[Anonymous Hacker]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Gene Simmons and Anonymous Hacker]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Iowa Caucus Hackers]]></category>
		<category><![CDATA[Malcolm X Daughter and Id Theft]]></category>
		<category><![CDATA[Malikah Shabazz]]></category>
		<category><![CDATA[Square Enix]]></category>
		<category><![CDATA[Square Enix breach]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=3894</guid>
		<description><![CDATA[
Welcome to the Monday Morning News Kick Off post from the ITAC blog.  What do the Iowa Caucus, Gene Simmons and Malcolm X&#8217;s daughter all have in common?  They are popping up in major stories about cyber security, data breaches and identity theft right now.  Who would have thought that a simple [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://www.hispanicallyspeakingnews.com/uploads/images/article-images/iowa-caucus.jpg" alt="" width="164" height="125" /></p>
<p>Welcome to the Monday Morning News Kick Off post from the ITAC blog.  What do the Iowa Caucus, Gene Simmons and Malcolm X&#8217;s daughter all have in common?  They are popping up in major stories about cyber security, data breaches and identity theft right now.  Who would have thought that a simple blog that focuses on identity theft would have so much celebrity news to share?  So, check out these stories and more in the following post.  Happy Monday!</p>
<p><strong>Iowa Caucus Polling System Threatened By Hackers</strong><br />
Republican Party officials in Iowa are taking new steps to secure their vote counting systems after an anonymous threat suggested computer hackers could attempt to disrupt next month&#8217;s presidential nominating caucuses. A video uploaded to YouTube features a computer-generated voice denouncing a corrupt political system and calls on supporters to &#8220;peacefully shut down&#8221; the Jan. 3 caucuses. The video claims to be from Anonymous, a loosely organized group of hackers who have successfully conducted past computer attacks. Investigators aren&#8217;t sure whether the video is authentic, but party officials have instructed precinct caucuses to use paper ballots as a backup system and taken other steps to protect the database and website that displays caucus results. Read the full Fox News piece <a href="http://www.foxnews.com/politics/2011/12/19/iowa-caucus-polling-system-threatened-by-hackers/">here. </a></p>
<p><strong>ID Theft Ring Targeted Charitable Donors</strong><br />
A crime ring used corrupt employees in banks, an Audi car dealership, and the nonprofit United Jewish Appeal-Federation of New York to steal identities of well-heeled customers, clients, and donors and defraud them of more than $2 million, New York authorities said on Friday. The indictment of 55 defendants on a variety of grand larceny, identity theft and other charges marked the fourth major cybercrime prosecution announced in as many weeks, Manhattan District Attorney Cyrus Vance said at a news conference, underscoring his contention that &#8220;the Internet is the crime scene of the 21st century.&#8221; Read the full Reuters story <a href="http://www.reuters.com/article/2011/12/16/us-crime-identitytheft-newyork-idUSTRE7BF21220111216">here. </a></p>
<p><strong>Square Enix to Reopen Hacked Site, Says No Private Data Lost</strong><br />
Japanese game developer Square Enix said Monday that no private data was stolen when a server for a fan site was hacked last week, and it plans to reopen the site to users by the end of the year. The company shut down the &#8220;Square Enix Members&#8221; site for the U.S. and Japan last week immediately after finding unknown parties had accessed its server. The hacked machine stores registration details including e-mail addresses, names, addresses and phone numbers on 1.8 million users, but no credit card information. The European version of the site was not affected.  Read the full PC World article <a href="http://www.pcworld.com/article/246525/square_enix_to_reopen_hacked_site_says_no_private_data_lost.html">here. </a></p>
<p><strong>Anonymous Hacker Arrested for Attack on Gene Simmons’s Website</strong><br />
A member of the international hacker group Anonymous was arrested this morning after he conducted a sophisticated cyberattack on a website operated by KISS rocker and Family Jewels star Gene Simmons. Kevin George Poe, 24, was taken into custody by federal authorities at his home in Manchester, Conn. He is charged with two federal counts of conspiracy and unauthorized impairment of a protected computer. If convicted, Poe could face up to 15 years in federal prison. Read the full Daily Beast post <a href="http://www.thedailybeast.com/articles/2011/12/13/anonymous-hacker-arrested-for-attack-on-gene-simmons-s-website.html">here. </a></p>
<p><strong>Malcolm X Youngest Daughter Behind Bars in Identity Theft Case</strong><br />
Malikah Shabazz, the youngest daughter of black civil rights leader Malcolm X, is in prison for failing to start paying back money stolen in an identity theft case, law enforcement sources confirmed on Thursday. Shabazz, 46, pleaded guilty in June to stealing the identity of a longtime family friend and using it to make $55,000 in credit card purchases. She was sentenced to five years probation and ordered to pay restitution of $1,229.45 each month, beginning in September, to repay the full amount of illegal charges. Read the full Reuters story <a href="http://www.reuters.com/article/2011/12/15/us-crime-shabazz-idUSTRE7BE2DU20111215">here. </a></p>
<p><strong>NYC Officer Arrested in ID Fraud Scheme </strong><br />
Prosecutors say a 23-year-old New York City police officer has been arrested on grand larceny and forgery charges as part of a massive identity theft takedown earlier this year. Officer Raymond Gumti, who works at the Police Academy, is accused of giving his mother&#8217;s credit card numbers and other identification to men accused of running a mass ID theft scheme. The arrest Thursday is related to an October takedown in which more than 100 people were arrested. Queens District Attorney Richard Brown said at the time that five separate criminal enterprises operating out of Queens were dismantled. They were hit with hundreds of charges. Read the full WSJ article <a href="http://online.wsj.com/article/AP47ff5b79e4c9481a84a5ebd245d5cb39.html">here. </a></p>
<p><strong>Smartphones Blamed for Increasing Risk of Health Data Breaches</strong><br />
The number of physicians using smartphones has reached a near-saturation point. Meanwhile, the number of data breaches is going up. Coincidence? Leading experts think not. Recent reports by Manhattan Research have found more than 81% of physicians use a smartphone, up from 72% in 2010. Also on the rise have been data breaches, which, according to research released in December by Ponemon Institute, have risen 32% in the past year. Ponemon found that 96% of all health care organizations surveyed said they had experienced at least one data breach in the past two years. Read the full American Medical News article <a href="http://www.ama-assn.org/amednews/2011/12/19/bil21219.htm">here. </a></p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/monday-morning-news-kick-off-iowa-caucus-threatened-by-hackers-hacker-arrested-for-attack-on-gene-simmons%e2%80%99s-website-malcolm-x-daughter-gets-jail-time-for-id-theft/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Heartland Breach: Claims Dismissed</title>
		<link>http://itacidentityblog.com/heartland-breach-claims-dismissed</link>
		<comments>http://itacidentityblog.com/heartland-breach-claims-dismissed#comments</comments>
		<pubDate>Wed, 14 Dec 2011 14:28:20 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Guest Posts]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Heartland]]></category>
		<category><![CDATA[Heartland Breach]]></category>
		<category><![CDATA[Heartland Case Dismissed]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[ITAC Sentinel]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=3886</guid>
		<description><![CDATA[
A U.S. District Judge has ruled to dismiss the majority of claims  included in a multi-institution suit against Heartland Payment Systems,  which in 2008 was hacked, ultimately compromising 130 million U.S. debit  and credit cards.
The Heartland breach,  announced in January 2009, was the first card processor breach to  attract international [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://docs.bankinfosecurity.com/files/images_articles/4322_artid_4322_175x175.jpg" alt="" width="175" height="175" /></p>
<p>A U.S. District Judge has ruled to dismiss the majority of claims  included in a multi-institution suit against Heartland Payment Systems,  which in 2008 was hacked, ultimately compromising 130 million U.S. debit  and credit cards.</p>
<p>The <a href="http://www.bankinfosecurity.com/heartland_breach.php"><strong>Heartland breach</strong></a>,  announced in January 2009, was the first card processor breach to  attract international attention. A multiparty complaint against  Heartland ultimately resulted, after the Judicial Panel on Multidistrict  Litigation consolidated individual suits filed by consumers and U.S.  banking institutions seeking financial compensation for losses suffered  as a result of the systems breach.</p>
<p>But earlier this month, after more than two years of litigation, District Judge Lee Rosenthal <a href="http://www.courthousenews.com/2011/12/07/Hacker%20Order.pdf" target="_blank"><strong>dismissed the majority of those claims</strong></a>, saying the plaintiffs failed &#8220;to state a claim upon which relief can be granted.&#8221;</p>
<p>One exception, however, was noted in Rosenthal&#8217;s ruling. A violation of  the Florida Deceptive and Unfair Trade Practices Act claimed in one of  the banking institution suits may be amended. Rosenthal found that the  banks&#8217; and credit unions&#8217; claim could be heard if amended to include  more than one state&#8217;s law and inclusion of more specific details about  alleged contractual violations.</p>
<p>Read the full BankInfoSecurity.com article <a href="http://www.bankinfosecurity.com/articles.php?art_id=4322">here. </a></p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/heartland-breach-claims-dismissed/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anonymous Hacks Florida Family Association Web Site</title>
		<link>http://itacidentityblog.com/anonymous-hacks-florida-family-association-web-site</link>
		<comments>http://itacidentityblog.com/anonymous-hacks-florida-family-association-web-site#comments</comments>
		<pubDate>Tue, 13 Dec 2011 15:14:48 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Guest Posts]]></category>
		<category><![CDATA[All-American Muslim]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Florida Family Association]]></category>
		<category><![CDATA[Florida Family Association Breach]]></category>
		<category><![CDATA[Identity Theft Assistance Center]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[Russell Simmons and All American Muslim]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=3881</guid>
		<description><![CDATA[
In case you have not been following the whole brouhaha about the new TLC show All-American Muslim and how home retailer Lowes dropped its advertising support for the show, here’s a quick update:  Anonymous has stepped in seeking vigilante justice by hacking the Florida Family Association (FFA).   The rogue hacker group targeted the FFA for [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://latimesblogs.latimes.com/.a/6a00d8341c630a53ef0162fdaab862970d-640wi" alt="" width="197" height="136" /></p>
<p>In case you have not been following the whole brouhaha about the new TLC show All-American Muslim and how home retailer Lowes dropped its advertising support for the show, here’s a quick update:  Anonymous has stepped in seeking vigilante justice by hacking the Florida Family Association (FFA).   The rogue hacker group <a href="http://www.tampabay.com/features/media/florida-family-association-shuts-down-website-claims-it-was-hacked/1205994">targeted </a>the FFA for its role in persuading Lowes to drop its advertising support for the show.</p>
<p>The word is that hackers worked through 15 levels of security to achieve a small breach into the FFA’s online systems, prompting their webmaster to shut down the site to avoid further incursion.</p>
<p>For weeks, the FFA sent out numerous email alerts denouncing the program as &#8220;propaganda&#8221; that &#8220;hides the Islamic agenda&#8217;s clear and present danger to American liberties.&#8221;</p>
<p>Though fret not, hip-hop mogul Russell Simmons <a href="http://www.washingtonpost.com/blogs/celebritology/post/russell-simmons-kal-penn-offer-support-to-all-american-muslim-after-lowes-pulls-sponsorship/2011/12/13/gIQAdqwerO_blog.html">has stepped in</a> and has bought up the surplus advertising space for the show.</p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/anonymous-hacks-florida-family-association-web-site/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Monday Morning News Kick Off: 12 Chinese Hacker Groups Responsible for Bulk of U.S. Cybertheft; Major Subway Breach; PhD Student Sentenced in ID Theft Case</title>
		<link>http://itacidentityblog.com/monday-morning-news-kick-off-12-chinese-hacker-groups-responsible-for-bulk-of-u-s-cybertheft-major-subway-breach-phd-student-sentenced-in-id-theft-case</link>
		<comments>http://itacidentityblog.com/monday-morning-news-kick-off-12-chinese-hacker-groups-responsible-for-bulk-of-u-s-cybertheft-major-subway-breach-phd-student-sentenced-in-id-theft-case#comments</comments>
		<pubDate>Mon, 12 Dec 2011 15:30:47 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Guest Posts]]></category>
		<category><![CDATA[Adobe Flash Breach]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Identity Theft Assistance Center]]></category>
		<category><![CDATA[ITAC Blog]]></category>
		<category><![CDATA[ITAC Sentinel]]></category>
		<category><![CDATA[Subway and Romanian hackers]]></category>
		<category><![CDATA[Subway Data Breach]]></category>
		<category><![CDATA[UGA Student ID Theft.]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=3874</guid>
		<description><![CDATA[
Welcome to the Monday Morning News Kick Off post from the ITAC blog.  We hope everyone had a restful weekend and are ready to take on the work week.  As always, the editors of the ITAC blog have been kind enough to compile all the actionable news you need to kick start the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://popzara.com/assets/2009/01/06/subway_logo_00.jpg" alt="" width="195" height="128" /></p>
<p>Welcome to the Monday Morning News Kick Off post from the ITAC blog.  We hope everyone had a restful weekend and are ready to take on the work week.  As always, the editors of the ITAC blog have been kind enough to compile all the actionable news you need to kick start the work week.</p>
<p><strong>12 Chinese Hacker Teams Responsible for Most U.S. Cybertheft</strong><br />
As few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts. The aggressive, but stealthy attacks, which steal billions of dollars in intellectual property and data, often carry distinct signatures allowing U.S. officials to link them to certain hacker teams. And, analysts say the U.S. often gives the attackers unique names or numbers, and at times can tell where the hackers are and even who they may be. Read the full AP story <a href="http://www.foxnews.com/scitech/2011/12/12/12-chinese-hacker-teams-responsible-for-most-us-cybertheft/#ixzz1gKkywAZV">here. </a></p>
<p><strong>Romanian Hackers Steal Millions from Subway</strong><br />
Romanian hackers have had an indictment served upon them in the US, after an investigation uncovered the hacking of 150 Subway stores, along with 50 other unnamed retailers. It is thought that the attacks compromised the credit card details of over 80,000 customers and millions of dollars’ worth of unauthorised purchases were carried out. The indictment names four Romanians as the perpetrators as well as two unnamed defendants who are at an “unknown location”, and it includes the hackers’ online monikers. Read the full TechWorld article <a href="http://www.techwatch.co.uk/2011/12/12/romanian-hackers-steal-millions-from-subway/">here. </a></p>
<p><strong>PhD Student Sentenced in Identity Theft, Fraud Case </strong><br />
A gifted college student who masterminded an identity theft and credit card fraud operation was sentenced on Friday to 70 months in prison. Carlton A. Lewis, 25, was just a few credits shy of a doctoral degree from the University of Georgia when his arrest on March 26 by Tennessee Highway Patrol State Trooper Van Morgan on a DUI offense led to the U.S. Secret Service investigation unraveling the scheme. Five other suspects were ultimately arrested and pleaded guilty to various offenses. Lewis is the first of them to be sentenced. Check out the full Knoxville Times article <a href="http://www.knoxnews.com/news/2011/dec/10/phd-student-sentenced-in-identity-theft-fraud/">here.</a></p>
<p><strong>Hackers Exploit Adobe Reader Flaw</strong><br />
Security researchers at Symantec today confirmed that exploits of an unpatched Adobe Reader vulnerability targeted defense contractors, among other businesses. &#8220;We&#8217;ve seen [this targeting] people at telecommunications, manufacturing, computer hardware and chemical companies, as well as those in the defense sector,&#8221; said Joshua Talbot, senior security manager in Symantec&#8217;s security response group, in an interview last week.  Check out the full Computerworld article <a href="http://www.computerworld.com/s/article/9222496/Symantec_confirms_Reader_exploits_targeted_defense_companies">here. </a></p>
<p><strong>The Evolution of Online Data Access: Keeping It Secure</strong><br />
In today&#8217;s reality of numerous high-profile data thefts, the last thing an IT manager or department head needs is their company becoming part of the news headlines and the next big data breach. Thankfully, there is no shortage of solutions and techniques to consider for maintaining data security. Check out more from TechNewsWorld <a href="http://www.technewsworld.com/story/The-Evolution-of-Online-Data-Access-Keeping-It-Secure-73941.html">here.</a></p>
<p><strong>How Finance Execs Can Help Address Data Breaches</strong><br />
Patient data breaches have typically been the bailiwick of the CIO and other healthcare IT executives, but new data suggest it might be time for the finance people to step in. A study by the Michigan-based Ponemon Institute concluded that the average economic impact of a data breach on a healthcare organization during 2011 was $2.2 million, up 10 percent from 2010. Read the full FierceHealthFinance post <a href="http://www.fiercehealthfinance.com/story/how-finance-execs-can-help-address-data-breaches/2011-12-06">here. </a></p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/monday-morning-news-kick-off-12-chinese-hacker-groups-responsible-for-bulk-of-u-s-cybertheft-major-subway-breach-phd-student-sentenced-in-id-theft-case/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HP Hit With Lawsuit Over Flaming-Printer Hack</title>
		<link>http://itacidentityblog.com/hp-hit-with-lawsuit-over-flaming-printer-hack</link>
		<comments>http://itacidentityblog.com/hp-hit-with-lawsuit-over-flaming-printer-hack#comments</comments>
		<pubDate>Tue, 06 Dec 2011 15:23:19 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Daily News]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[data breaches]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[HP Hacker Lawsuit]]></category>
		<category><![CDATA[HP Printers]]></category>
		<category><![CDATA[HP Printers Catch Fire]]></category>
		<category><![CDATA[Identity Theft Assistance Center]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[Printer Hackers]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=3862</guid>
		<description><![CDATA[All things considered, says David Goldblatt, he would not have bought a printer that could be hacked and set ablaze.
Goldblatt is the lead plaintiff in a class action lawsuit, filed Thursday against HP in California, claiming that the IT giant should have warned customers about the flaws ahead of time.
In a nutshell, the flaw is [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://blog-admin.wired.com/wiredenterprise/wp-content/uploads/2011/12/burned-printer.jpg" alt="" width="190" height="133" />All things considered, says David Goldblatt, he would not have bought a printer that could be <a href="http://www.wired.com/threatlevel/2011/11/hp-printer-hack/all/1">hacked and set ablaze.</a></p>
<p>Goldblatt is the lead plaintiff in a <a href="http://docs.google.com/gview?url=http://docs.justia.com/cases/federal/district-courts/california/candce/5:2011cv05779/248220/1/0.pdf?1322863230&amp;chrome=true">class action lawsuit, filed Thursday</a> against HP in California, claiming that the IT giant should have warned customers about the flaws ahead of time.</p>
<p>In a nutshell, the flaw is a pretty bad one. HP LaserJet printers  built before 2009 will accept remote firmware updates without properly  checking where they come from. This means that — at least in theory — a  hacker could cook up a malicious firmware update and upload it to a  printer to make it stop working, spy on print jobs, or maybe even set  the printer on fire by overworking the printer’s fuser — the part of the  printer that dries ink on the paper.</p>
<p>HP says that it’s never heard of its printers being hacked by  criminals and that its printers have “thermal breakers” that would  prevent this kind of hacker inferno. But the company has acknowledged  the underlying problem in a <a href="http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03102449&amp;jumpid=em_alerts_us-us_Dec11_xbu_all_all_1514802_101529_printersandmultifunctionscanners-copiers-faxes_critical_000_0">security alert.</a></p>
<p>The lawsuit seeks unspecified damages to be paid out to HP LaserJet  customers (InkJet printers can’t do the remote firmware upgrade).</p>
<p>But how could HP have known about the defects, which were discovered  by researchers at Columbia University and publicized late last month in  an <a href="http://redtape.msnbc.msn.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say">MSNBC story</a>? That’s where things get a little fuzzy. Goldblatt’s attorneys cite a <a href="http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA3-2664ENUC.pdf">2010 report</a> commissioned by HP and written by analyst firm Quocirca, that describes  some high-level security risks to printers, without spelling out  specific attacks.</p>
<p>Read the full Wired story <a href="http://www.wired.com/wiredenterprise/2011/12/hp-printer-lawsuit/">here. </a></p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/hp-hit-with-lawsuit-over-flaming-printer-hack/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>United Nations Gets Hacked and Irrational Fear of Hackers Causing Home Printers to Catch on Fire</title>
		<link>http://itacidentityblog.com/united-nations-gets-hacked-and-irrational-fear-of-hackers-causing-home-printers-to-catch-on-fire</link>
		<comments>http://itacidentityblog.com/united-nations-gets-hacked-and-irrational-fear-of-hackers-causing-home-printers-to-catch-on-fire#comments</comments>
		<pubDate>Wed, 30 Nov 2011 13:09:55 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Daily News]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Hackers Causing Printers to Explode]]></category>
		<category><![CDATA[HP Printers Catching Fire]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Identity Theft Assistance Center]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[Team Poison]]></category>
		<category><![CDATA[UN Data Breach]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=3841</guid>
		<description><![CDATA[Every morning, the editorial staff of the ITAC blog wakes up early and scours the headlines for the latest identity theft, data breach and cyber security news.  And, as one would think, there is no shortage of news to cover.  Though every so often, we come across a couple of stories that are worthy of [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://www.clker.com/cliparts/a/9/8/9/1240165063625699685Simon_Printer_on_fire.svg.med.png" alt="" width="135" height="133" />Every morning, the editorial staff of the ITAC blog wakes up early and scours the headlines for the latest identity theft, data breach and cyber security news.  And, as one would think, there is no shortage of news to cover.  Though every so often, we come across a couple of stories that are worthy of highlighting as a “double-feature” if you will.</p>
<p>First up.  <a href="http://www.bbc.co.uk/news/technology-15951883">It was reported</a> that a group of hackers has posted more than 100 email addresses and login details, which it claimed to have extracted from the United Nations.  Yes, it was a typical tactical move by “hacktivist” group Team Poison, which wanted to flex its muscles and show that no global organization is immune to being exposed.  In a funny twist, Team Poison posted this on a Pastebin: “United Nations, why didn’t you expect us?”  So, yes, nobody is immune.</p>
<p>For the second feature, we have <a href="http://redtape.msnbc.msn.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say">a story</a> about how hackers can give a printer instructions to overheat and catch on fire.  Wow.  Talk about a great headline that would certainly generate those highly coveted Internet eyeballs that make or break an online news organization.</p>
<p>The problem is that hackers could never actually do this.  HP has stepped up and implemented a laudable (and many say credible) PR campaign <a href="http://latimesblogs.latimes.com/technology/2011/11/can-a-hacker-really-set-fire-to-your-printer-hewlett-packard-responds.html">to counter</a> this story.  Can the printers catch fire?  No.  Are they vulnerable to breaches by hackers?  Yes.  HP has said, though, that no customer has reported unauthorized access to its printers.</p>
<p>So, why double up a hacktivist story with a sensational piece designed to strike fear in the heart of the average soccer mom?  We wanted to showcase how hacking and data breaches have penetrated pretty much every part of life – from the highest echelons of government down to the average U.S. homeowner.</p>
<p>But don’t worry…your printer won&#8217;t explode.</p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/united-nations-gets-hacked-and-irrational-fear-of-hackers-causing-home-printers-to-catch-on-fire/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers Attacked U.S. Water Utility; Destroyed Pump</title>
		<link>http://itacidentityblog.com/hackers-attacked-u-s-water-utility-destroyed-pump</link>
		<comments>http://itacidentityblog.com/hackers-attacked-u-s-water-utility-destroyed-pump#comments</comments>
		<pubDate>Fri, 18 Nov 2011 11:44:19 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Daily News]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Hackers and Water Utility]]></category>
		<category><![CDATA[Infrastructure and Hackers]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[Wired Threat Level]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=3805</guid>
		<description><![CDATA[Hackers gained remote access into the control system of the city water utility in Springfield, Illinois, last week and destroyed a pump, according to a report released by a state fusion center and obtained by a security expert. The hackers were discovered on Nov. 8 when a water district employee noticed problems in the city’s [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://i.dailymail.co.uk/i/pix/2011/09/30/article-2043869-040A4BDD0000044D-921_468x306.jpg" alt="" width="210" height="137" />Hackers gained remote access into the control system of the city water utility in Springfield, Illinois, last week and destroyed a pump, according to a report released by a state fusion center and obtained by a security expert. The hackers were discovered on Nov. 8 when a water district employee noticed problems in the city’s Supervisory Control and Data Acquisition System (SCADA). The system kept turning on and off, resulting in the burnout of a water pump.</p>
<p>Forensic evidence indicates that the hackers may have been in the system as early as September, according to the “Public Water District Cyber Intrusion” report, released by the Illinois Statewide Terrorism and Intelligence Center on November 10.</p>
<p>The intruders launched their attack from IP addresses based in Russia, and gained access to the utility system by first hacking into the network of a software vendor that makes the SCADA system used by the utility. The hackers stole usernames and passwords that the vendor maintained for its customers, and thereafter used the credentials to gain remote access into the water utility’s system.</p>
<p>The theft of credentials raises the possibility that other customers using the vendor’s SCADA system may be targeted as well.</p>
<p>“It is unknown, at this time, the number of SCADA usernames and passwords acquired from the software company’s database and if any additional SCADA systems have been attacked as a result of this theft,” the report states, according to Joe Weiss, managing partner of Applied Control Solutions, who obtained a copy of the document and read it to Threat Level.</p>
<p>Software vendors often have remote access to customer systems in order to provide maintenance and upgrades to the systems. But such access provides a backdoor for intruders to exploit. This is how a Romanian hacker obtained access into restaurant credit card processing systems in the U.S. The point-of-sale systems in several states were installed by a single company, which maintained default usernames and passwords for remote access into the systems that the hacker was able to use to breach them.</p>
<p>Check out the full Wired Threat Level post <a href="http://www.wired.com/threatlevel/2011/11/hackers-destroy-water-pump/">here. </a></p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/hackers-attacked-u-s-water-utility-destroyed-pump/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PODCAST: David Navetta of the Information Law Group Discusses Data Breach Trends, Issues and Solutions</title>
		<link>http://itacidentityblog.com/podcast-david-navetta-of-the-information-law-group-discusses-data-breach-trends-issues-and-solutions</link>
		<comments>http://itacidentityblog.com/podcast-david-navetta-of-the-information-law-group-discusses-data-breach-trends-issues-and-solutions#comments</comments>
		<pubDate>Thu, 17 Nov 2011 15:14:26 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Daily News]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification Laws]]></category>
		<category><![CDATA[David Navetta and the Information Law Group]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Identity Theft Assistance Center]]></category>
		<category><![CDATA[Information Law Group]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[ITAC Sentinel]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=3800</guid>
		<description><![CDATA[From understanding how to protect your organization from a data breach to fully knowing all of the compliance issues, organizations need to have a complete perspective on how to handle all aspects of data security these days. Today, we are speaking with David Navetta, one of the Founding Partners of the Information Law Group.  David [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://docs.bankinfosecurity.asia/files/podcasts/images/David_Navetta.jpg" alt="" width="144" height="144" />From understanding how to protect your organization from a data breach to fully knowing all of the compliance issues, organizations need to have a complete perspective on how to handle all aspects of data security these days. Today, we are speaking with <a href="http://www.infolawgroup.com/david-navetta.html">David Navetta</a>, one of the Founding Partners of the <a href="http://www.infolawgroup.com/">Information Law Group</a>.  David recently did a webinar with BankInfoSecurity called “Breach Notice 2011” that highlights tips for effective breach handling; recent data breach trends; and breach law compliance issues.</p>
<div style="font-size: 10px;text-align: center; width:220px;"> Listen to <a href="http://www.blogtalkradio.com">internet radio</a> with <a href="http://www.blogtalkradio.com/itac">ITAC</a> on Blog Talk Radio</div>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/podcast-david-navetta-of-the-information-law-group-discusses-data-breach-trends-issues-and-solutions/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

