Even so, 2011 saw some of the biggest or most significant breaches in history, PRC says:

1. Sony. Sony suffered over a dozen data breaches, stemming from attacks that compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures, among other Sony-owned websites. Notably, these breaches occurred after Sony had laid off many of its security personnel in the months preceding the attacks. Ultimately, Sony faced an ongoing customer relations fallout–as well as class-action lawsuits–over its failure to protect over 100 million user records. Owing to the frequency with which users reuse passwords, many Sony customers are now at risk from attackers using the stolen password data to access their accounts on other sites.

2. Epsilon. When companies outsource business processes, who’s ultimately responsible for the security of any shared customer data? Answer: the company that outsourced the job. That’s the lesson from the April breach of cloud-based email service provider Epsilon, which fell to a spear-phishing attack. The breach affected data from 75 of Epsilon’s clients–meaning, businesses that had trusted Epsilon with their customers’ data. “Epsilon has not disclosed the names of the companies affected or the total number of names stolen,” according to the PRC report. “However, millions of customers received notices from a growing list of companies, making this the largest security breach ever.” Conservative estimates are that 60 million customer emails addresses were breached.

3. RSA. One of the most high-profile breaches of 2011 didn’t involve consumer information, but rather one of the world’s most-used two-factor authentication systems. After attackers breached the systems of EMC’s RSA in April, stealing information relating to its SecurID system, the company drew fire for failing to detail exactly what had been stolen, or exactly how the attack put customers at risk of being exploited. RSA ultimately traced the attack to an unnamed nation state, and revealed that the exploit had relied on a very low-tech spear-phishing attack. One significant result of the attack has been that many companies are now retooling their security and training processes to help prevent these types of low-cost, easy-to-execute social-engeineering attacks from succeeding.

4. Sutter Physicians Services. Data from both Sutter Physicians Services and Sutter Medical Foundation was breached in November when a thief stole a desktop computer from the organization, which contained about 3.3 million patients’ medical details–including name, address, phone number, email address and health insurance plan name–stored in encrypted format. “The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location),” according to the PRC report. A class-action lawsuit lodged against the companies alleged that they also failed to inform affected patients about the breach in a timely manner.

5. Tricare and SAIC. In September, backup tapes containing SAIC (Science Applications International Corporation) data were stolen from the car of a Tricare employee. Much of that data related to current and retired members of the armed services, as well as their families. The breach led to a $4.9 billion lawsuit being filed, which aims to award $1,000 to each of the 5.1 million people affected by the breach. “The Tricare/SAIC breach is significant because not only are the victims at risk of medical identity theft, but financial identity theft as well. The breach begs several questions: Why were the backup tapes being transported in an employee’s personal vehicle? And why were those records not encrypted?” according to the PRC report.

6. Nasdaq. Not all breaches target massive quantities of customer data. Notably, attackers breached Directors Desk, a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives and company directors. By monitoring Directors Desk, attackers may have had access to inside information, which they could have sold to competitors or perhaps used to make beneficial stock market trades.

Prepare For Breaches What’s the takeaway from the above six breaches? First, data breaches are a fact of life, and in all industries. Accordingly, security experts recommend that businesses have a data breach response plan formulated in advance. You should also have the right processes and technology in place to spot a breach.

But it’s important to proactively stop data breaches too. To help, the PRC report highlighted the importance that companies must place on creating “strict privacy and security policies,” as well as data retention policies. Furthermore, businesses could avoid “breaches” simply by properly encrypting all sensitive information. Notably, if encrypted data gets lost or stolen, it doesn’t count as a data breach or trigger consumer notification requirements.

Read the full InformationWeek article here.

Rise In Child Identity Theft Prompts Push For Solutions
When Jennifer Andrushko applied for public aid two years ago, a state employee entered her son Carter’s Social Security number into a computer and discovered something strange: The boy appeared to have been earning wages for the past eight years. “I thought, ‘How could this be happening? He’s only three years old,’” Andrushko said. It turned out an undocumented immigrant had been using Carter’s number to acquire jobs since before he was born. But Carter proved relatively fortunate. Unlike many child identity theft victims who do not realize their credit is ruined until they reach adulthood, his case was caught while he was young, giving him time to recover his good name. Read the full Huffington Post article here.

Lax Security Exposes Voice Mail to Hacking, Study Says
It may be tempting to view the illegal interception of telephone voice mails, a practice that has roiled Britain and the News Corp. media empire of Rupert Murdoch, as an arcane tool employed by scofflaw journalists with friends in Scotland Yard. But according to a study to be presented Tuesday, cellphone users in Europe and the rest of the world may be just as vulnerable as the actor Hugh Grant and other celebrities to having their personal voice mail hacked — or worse — because of outdated mobile network security. Read more from the NY Times here.

Insurance Against Cyber Attacks Expected to Boom
Sony is still awaiting the final tally for losses related to its data breaches earlier this year. At last count, it had compromised 100 million customer accounts, and Sony anticipated the debacle would cost $200 million. With 58 class-action suits in the works, that may be wishful thinking. Now for the really bad news: Sony’s losses aren’t insured. In a lawsuit, Sony’s insurer, the Zurich American Insurance Company, reminded the company it does not own a cyber insurance policy. Sony’s policy only covers tangible losses like property damage, not cyber incidents. Read more from the NY Times here.

Stratfor Targeted by Hacking Group Anonymous
he loosely-associated band of hackers known as Anonymous claims to have targeted the global intelligence think tank Strategic Forecasting, known as Stratfor, boasting on the microblogging site Twitter that personal information, including credit card numbers, belonging to Stratfor clients had been stolen. As of Monday morning, Stratfor’s Website was down, with a placeholder page saying the site was undergoing maintenance and asking visitors to “check back soon.” Read more from eWeek here.

Medical Data Breaches Affected More Than 10 Million Americans In 2011
2011 has been a bad year for medical data breaches. The medical records of more than ten million Americans were exposed this year. The San Diego-based Privacy Rights Clearinghouse has issued a list of this year’s six most significant data breaches. The insurer Health Net suffered one of the worst, when nine data servers went missing from a Northern California data center in January. The servers contained records of nearly two million current and former policy holders. Read more from KPBS here.

Enterprise Data Breaches: Insider Threats That Cause Most Losses
Organizations are beefing up their network and data defenses to protect sensitive information and intellectual property from attackers. But enterprise management often forgets that their own employees and contractors can also pose a threat. A recent Symantec report found that approximately 65 percent of malicious data thieves are on their way out the door to join a competitor or start their own company. More than half of the data theft occurs within a month before an employee’s departure, according to the study. Check out more from eWeek here.

A U.S. District Judge has ruled to dismiss the majority of claims included in a multi-institution suit against Heartland Payment Systems, which in 2008 was hacked, ultimately compromising 130 million U.S. debit and credit cards.

The Heartland breach, announced in January 2009, was the first card processor breach to attract international attention. A multiparty complaint against Heartland ultimately resulted, after the Judicial Panel on Multidistrict Litigation consolidated individual suits filed by consumers and U.S. banking institutions seeking financial compensation for losses suffered as a result of systems breach.

But earlier this month, after more than two years of litigation, District Judge Lee Rosenthal dismissed the majority of those claims, saying the plaintiffs failed “to state a claim upon which relief can be granted.”

One exception, however, was noted in Rosenthal’s ruling. A violation of the Florida Deceptive and Unfair Trade Practices Act claimed in one of the banking institution suits may be amended. Rosenthal found that the banks’ and credit unions’ claim could be heard if amended to include more than one state’s law and inclusion of more specific details about alleged contractual violations.

Read the full BankInforSecurity.com article here.

Welcome to the Monday Morning News Kick Off post from the ITAC blog. We hope everyone had a restful weekend and are ready to take on the work week. As always, the editors of the ITAC blog have been kind enough to compile all the actionable news you need to kick start the work week.

12 Chinese Hacker Teams Responsible for Most U.S. Cybertheft
As few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts. The aggressive, but stealthy attacks, which steal billions of dollars in intellectual property and data, often carry distinct signatures allowing U.S. officials to link them to certain hacker teams. And, analysts say the U.S. often gives the attackers unique names or numbers, and at times can tell where the hackers are and even who they may be. Read the full AP story here.

Romanian Hackers Steal Millions from Subway
Romanian hackers have had an indictment served upon them in the US, after an investigation uncovered the hacking of 150 Subway stores, along with 50 other unnamed retailers. It is thought that the attacks compromised the credit card details of over 80,000 customers and millions of dollars worth of unauthorised purchases were carried out. The indictment names four Romanians as the perpetrators as well as two unnamed defendants who are at an “unknown location”, and it includes the hacker’s online monikers. Read the full TechWorld article here.

PhD Student Sentenced in Identity Theft, Fraud Case
A gifted college student who masterminded an identity theft and credit card fraud operations was sentenced on Friday to 70 months in prison. Carlton A. Lewis, 25, was just a few credits shy of a doctoral degree from the University of Georgia when his arrest on March 26 by Tennessee Highway Patrol State Trooper Van Morgan on a DUI offense led to the U.S. Secret Service investigation unraveling the scheme. Five other suspects were ultimately arrested and pleaded guilty to various offenses. Lewis is the first of them to be sentenced. Check out the full Knoxville Times article here.

Hackers Exploit Adobe Reader Flaw
Security researchers at Symantec today confirmed that exploits of an unpatched Adobe Reader vulnerability targeted defense contractors, among other businesses. “We’ve seen [this targeting] people at telecommunications, manufacturing, computer hardware and chemical companies, as well as those in the defense sector,” said Joshua Talbot, senior security manager in Symantec’s security response group, in an interview last week. Check out the full Computerworld article here.

The Evolution of Online Data Access: Keeping It Secure
In today’s reality of numerous high-profile data thefts, the last thing an IT manager or department head needs is their company becoming part of the news headlines and the next big data breach. Thankfully, there is no shortage of solutions and techniques to consider for maintaining data security. Check out more from TechNewsWorld here.

How Finance Execs Can Help Address Data Breaches
Patient data breaches have typically been the bailiwick of the CIO and other healthcare IT executives, but new data suggest it might be time for the finance people to step in. A study by the Michigan-based Ponemon Institute concluded that the average economic impact of a data breach on a healthcare organization during 2011 was $2.2 million, up 10 percent from 2010. Read the full FierceHealthFInance post here.

Well it seems that a Philadelphia man who had similar prowess with the ladies used his talents to bilk 24 victims out of $2 million in a pretty aggressive identity theft ring.

Between Sept. 1, 2005, and October 2009, Miguel Bell used the victims’ names, dates of births, addresses, Social Security numbers, and bank account numbers, which Bell obtained from romantic relationships with bank and insurance company employees.

Well no matter how suave you are, law enforcement will catch up to you. Bell faces a two-year mandatory minimum prison sentence and has to pay restitution in the amount of $1.7 million.

Crystal Thorne, a coordinator at the Jewish Community Services of South Florida, offered to sell the allegedly stolen Holocaust victims’ IDs to a confidential police informant.  Thorne’s job gave her access to the personal information of clients –names, addresses, dates of birth and Social Security numbers — who regularly seek help from the Holocaust Survivors Assistance Program.

Kudos to law enforcement for arresting Thorne on identity theft charges.  And, while this may seem like a small case, it reinforces that the criminals will continue to sink lower and lower.  We will be covering this case in the coming months. Stay tuned for more …

NY ID-Theft Ring Recruited Waiters to Steal Info
An ambitious and organized identity-theft ring recruited waiters at steakhouses and other high-end restaurants to steal diners’ credit-card information, then used it for luxury shopping sprees, authorities said last week. Some 27 people have been indicted on racketeering and other charges. Arraignments were ongoing Friday. The group had waiters use so-called “skimming” devices to copy at least 50 restaurant-goers’ credit-card data surreptitiously while running their tabs at such powerhouse eateries as Smith & Wollensky and Wolfgang’s Steakhouse, Manhattan District Attorney Cyrus R. Vance Jr. said. His office, the New York Police Department and the U.S. Secret Service built the case. Read the full AP story here.

‘Modern Warfare 3′ Takes on the Hackers
Modern Warfare 3 is not a cyber-warfare game, but the “modern” in the title might be out of date already. The real threat of modern warfare is the very real possibility of cyber warfare. It turns out the real war taking place behind the scenes for MW3 is very much a high-tech war between the game’s developers and hackers who are exploiting loopholes in the game to cheat: As the saying goes, cheaters never win. While it doesn’t always prove true, a huge number of cheaters definitely won’t make it to the end of Call of Duty: Modern Warfare 3. Infinity Ward has banned more than 1,600 players from MW3 for cheating using glitches uncovered in the new game. The number of banned MW3 players is expected to rise as more people exploit these illegal loopholes. Check out the full Forbes story here.

Healthcare Breach Exposes Nearly 4 Million Patients’ Data
A desktop computer stolen from healthcare organization Sutter Medical Foundation has potentially exposed the personal information of nearly 4 million patients. The password-protected but unencrypted machine contained a patient database. Ironically, the Sacramento, Calif.-based healthcare organization had been implementing encryption across the organization at the time of the theft. Unfortunately, the machine that was stolen was not yet encrypted. Read the full InformationWeek story here.

Why SMBs Are Attractive to Hackers
A Symantec global survey of nearly 2,000 SMBs showed that 50% did not consider themselves an attack target. However, looking at today’s threat landscape, this is clearly a misconception. If a site is online, regardless of its popularity, it will be targeted, according to Imperva. Hackers are going after low hanging fruits. These are the companies who are less security aware and do not have the proper defenses in place. According to the 2011 Verizon Data Breach Investigations Report, hackers are increasingly targeting smaller, softer, less reactive targets since these provide a lower-risk alternative to financial institutions. Read the full HelpNetSecurity post here.

Hackers Launch Sewer Jihad
Hackers are coordinating with radical Muslim terrorists in the United States to destroy the nation’s sewer systems. Hence, U.S. navy sailors will not be the only Americans to endure clogged toilets and suffer the unpleasant consequences. According to the Houston Chronicle, “a hacker identified only as ‘prof’ posted diagrams of the south Houston sewer system (located in U.S. Rep. Sheila Jackson Lee’s (D.-Tx.) Congressional District) online to show how easy it is to infiltrate the system.” On Saturday, South Houston Mayor Joe Soto disclosed that now harm was caused to the sewer system, and the control system called Supervisory Control and Data Acquisition, has been taken offline. Check out the full Dallas Blog post here.

Unemployed Romanian Hacker Accused of Breaking Into NASA
Romanian authorities have arrested a 26-year old hacker who is accused of breaking into multiple NASA servers and causing US$500,000 in damages to the U.S. space agency’s systems. Robert Butyka, 26, was arrested on Tuesday in Cluj, a city in Western Romania, following an investigation by the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT). According to local reports, the hacker used the online moniker of “Iceman.” He does not have a higher education or an occupation, a DIICOT spokeswoman said. Check out the full PC World story here.

Kindle Fire Has Already Been Hacked
If there’s one thing you can say about the Android developer and hacker community, it’s that it moves incredibly fast. Each time a new smartphone or tablet finds its way into the market, the modders and hackers get to work, trying to root the device. And now, just days two days after its release, the Amazon Kindle Fire has become the latest target. Gaining root-level access gives users the ability not only to install applications from additional sources, but also it allows for the removal of the standard software. Potentially that means that developers and tech-savvy enthusiasts could load their own ROMs onto the $200 Kindle Fire, opening the door to Honeycomb and, possibly, Ice Cream Sandwich. Check out the full CNET story here.

Welcome to the Monday Morning News Kick Off post from the ITAC blog. We hope everyone had a restful week and are ready to kick off the work week. What is that? Not quite ready to abandon the weekend? Well, fret not faithful ITAC blog readers. As always, we have been kind enough to pull together all the key identity theft, cyber security and data breach stories to give you the wisdom and knowledge you need to operate at peaks performance.

In a World of Cybertheft, U.S. Names China, Russia as Main Culprits
Online industrial spying presents a growing threat to the U.S. economy and national security, American intelligence agencies warned Thursday in a report to Congress that publicly accused China and Russia of responsibility for cyber-espionage. Tens of billions of dollars of trade secrets, technology and intellectual property are being siphoned each year from the computer systems of U.S. government agencies, corporations and research institutions, said the Office of the National Counterintelligence Executive, which focuses on espionage against the United States. Read the full Washington Post story here.

Hacker Selling Access to Compromised Web Sites Gets Hacked
A hacking group called d33ds broke into the online shop of a rival hacker who sells unauthorized access to high-profile websites and data. This illegal marketplace has been used in the past to advertise information stolen from websites belonging to the U.S. Army, the U.S. Department of Defense, the South Carolina National Guard and other institutions. Its owner, a hacker calling himself Srblche, also offered services that included compromising the particular servers his customers wanted. Check out the full PC World story here.

Hackers Mistake French Rugby Site for German Stock Exchange
Hacktivists mistakenly attacked a French rugby fansite instead of their intended target, the German stock exchange. The misdirected assault meant the allezdax.com website, a fan site for French second division side rugby club Dax, was unavailable for two weeks. Meanwhile the hackers’ intended target, the German stock exchange (DAX) website, remained up and running as normal. An administrator of allezdax.com told France Bleu Gascogne radio station that hackers had “insulted us copiously in German”. He added: “I only have one thing to say to them: leave us alone!” Read the full story from The Register here.

Malaysian Man Gets 10-Year Prison Sentence in Federal Reserve Hacking Case
A Malaysian man who pleaded guilty to conducting a credit-card scheme and who was accused of hacking the Federal Reserve’s computers got a 10-year prison sentence. Lin Mun Poo, 32, was sentenced today by U.S. District Judge Dora L. Irizarry in Brooklyn, New York. In April, he pleaded guilty to illegally possessing card account numbers with intent to defraud. Ten years was the maximum sentence he could receive. “He was able to install a keystroke logger into the Federal Reserve Bank,” Assistant U.S. Attorney Cristina M. Posa told Irizarry. “He could have wreaked financial havoc through insider trading.” Read the full Bloomberg News story here.

U.C.L.A. Health System Warns About Stolen Records
UCLA’s system of hospitals and clinics warned more than 16,000 patients that their personal information was on a computer hard drive stolen in the burglary of a doctor’s home, officials said Friday. The UCLA Health System sent letters to the 16,288 patients affected, warning them of possible identity theft and giving them contact information for a data security company the system has enlisted for help. Someone using the documents for identity theft was “very unlikely,” but there was a possibility, the statement said. Read the full AP story here.

Data Breach May Hit 4.9 Million Tricare Patients
The Pentagon said Friday Tricare patients in Texas concerned about a recent data breach will receive one year of credit monitoring and restoration services. The Defense Department announced in a release Science Applications International Corp. has been directed to provide the credit services to manage a data breach that was reported to Tricare Management Activity on Sept. 14. The private information of an estimated 4.9 million patients treated at military facilities in the past 20 years may have been compromised in the breach, the Pentagon said. Letters were being sent to potential victims. Read the full UPI story here.

2 Charged in Hotel Guest ID Theft Scam in NYC
A New York City hotel chain auditor has been charged with stealing hundreds of guests’ credit card information and selling it to a man accused of using it to buy $840,000 worth of airline tickets and other items. Lukasz Kruk and Barry Herndon pleaded not guilty to grand larceny, identity theft and other charges Friday. The Manhattan district attorney’s office says 237 accounts were compromised over three years. Check out the full AP story here.

Identity Thieves ‘Make It Rain’ Cash With Fraudulent Tax Refunds
Police in Tampa, Fla., knew something was up when they noticed many of their biggest drug dealers were no longer on the streets. When one of the drug dealers was pulled over at a traffic stop, instead of finding drugs in the car police found large numbers of pre-paid debit cards and ledgers with Social Security numbers. Identity theft involving tax fraud is increasing faster than law enforcement and government officials can deal with it, according to testimony today before a House oversight subcommittee. Identity theft to scam fraudulent tax refunds from the government has increased 100 percent in just three years. Read the full ABC News story here.

Judge Rules Case of Belleville Woman’s Fake Facebook Page Can Proceed
State law against impersonating already covers electronic media, a judge ruled last week in continuing the case against a Belleville woman accused of creating a fake Facebook page in the name of her ex-boyfriend, a narcotics detective in Parsippany. Superior Court Judge David Ironson in Morristown refused to dismiss the indictment charging Dana Thornton, 41, with identity theft. She has pleaded not guilty, and faces up to 18 months in prison if convicted. Check out the full NJ.com story here.