Even so, 2011 saw some of the biggest or most significant breaches in history, PRC says:

1. Sony. Sony suffered over a dozen data breaches, stemming from attacks that compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures, among other Sony-owned websites. Notably, these breaches occurred after Sony had laid off many of its security personnel in the months preceding the attacks. Ultimately, Sony faced an ongoing customer relations fallout–as well as class-action lawsuits–over its failure to protect over 100 million user records. Owing to the frequency with which users reuse passwords, many Sony customers are now at risk from attackers using the stolen password data to access their accounts on other sites.

2. Epsilon. When companies outsource business processes, who’s ultimately responsible for the security of any shared customer data? Answer: the company that outsourced the job. That’s the lesson from the April breach of cloud-based email service provider Epsilon, which fell to a spear-phishing attack. The breach affected data from 75 of Epsilon’s clients–meaning, businesses that had trusted Epsilon with their customers’ data. “Epsilon has not disclosed the names of the companies affected or the total number of names stolen,” according to the PRC report. “However, millions of customers received notices from a growing list of companies, making this the largest security breach ever.” Conservative estimates are that 60 million customer emails addresses were breached.

3. RSA. One of the most high-profile breaches of 2011 didn’t involve consumer information, but rather one of the world’s most-used two-factor authentication systems. After attackers breached the systems of EMC’s RSA in April, stealing information relating to its SecurID system, the company drew fire for failing to detail exactly what had been stolen, or exactly how the attack put customers at risk of being exploited. RSA ultimately traced the attack to an unnamed nation state, and revealed that the exploit had relied on a very low-tech spear-phishing attack. One significant result of the attack has been that many companies are now retooling their security and training processes to help prevent these types of low-cost, easy-to-execute social-engeineering attacks from succeeding.

4. Sutter Physicians Services. Data from both Sutter Physicians Services and Sutter Medical Foundation was breached in November when a thief stole a desktop computer from the organization, which contained about 3.3 million patients’ medical details–including name, address, phone number, email address and health insurance plan name–stored in encrypted format. “The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location),” according to the PRC report. A class-action lawsuit lodged against the companies alleged that they also failed to inform affected patients about the breach in a timely manner.

5. Tricare and SAIC. In September, backup tapes containing SAIC (Science Applications International Corporation) data were stolen from the car of a Tricare employee. Much of that data related to current and retired members of the armed services, as well as their families. The breach led to a $4.9 billion lawsuit being filed, which aims to award $1,000 to each of the 5.1 million people affected by the breach. “The Tricare/SAIC breach is significant because not only are the victims at risk of medical identity theft, but financial identity theft as well. The breach begs several questions: Why were the backup tapes being transported in an employee’s personal vehicle? And why were those records not encrypted?” according to the PRC report.

6. Nasdaq. Not all breaches target massive quantities of customer data. Notably, attackers breached Directors Desk, a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives and company directors. By monitoring Directors Desk, attackers may have had access to inside information, which they could have sold to competitors or perhaps used to make beneficial stock market trades.

Prepare For Breaches What’s the takeaway from the above six breaches? First, data breaches are a fact of life, and in all industries. Accordingly, security experts recommend that businesses have a data breach response plan formulated in advance. You should also have the right processes and technology in place to spot a breach.

But it’s important to proactively stop data breaches too. To help, the PRC report highlighted the importance that companies must place on creating “strict privacy and security policies,” as well as data retention policies. Furthermore, businesses could avoid “breaches” simply by properly encrypting all sensitive information. Notably, if encrypted data gets lost or stolen, it doesn’t count as a data breach or trigger consumer notification requirements.

Read the full InformationWeek article here.

So, our headline may be a bit misleading. It turns out that Acholonu was able to gain access to a massive amount of mail when he worked for a private contractor to the U.S. Postal Service. He was actually seen leaving work holding piles of credit card offers from the mail. He did not actually do any dumpster diving. But, he did get busted when investigators searched the trash bin outside of his apartment building and found the incriminating evidence.

It is ironic. We really do think…

Rise In Child Identity Theft Prompts Push For Solutions
When Jennifer Andrushko applied for public aid two years ago, a state employee entered her son Carter’s Social Security number into a computer and discovered something strange: The boy appeared to have been earning wages for the past eight years. “I thought, ‘How could this be happening? He’s only three years old,’” Andrushko said. It turned out an undocumented immigrant had been using Carter’s number to acquire jobs since before he was born. But Carter proved relatively fortunate. Unlike many child identity theft victims who do not realize their credit is ruined until they reach adulthood, his case was caught while he was young, giving him time to recover his good name. Read the full Huffington Post article here.

Lax Security Exposes Voice Mail to Hacking, Study Says
It may be tempting to view the illegal interception of telephone voice mails, a practice that has roiled Britain and the News Corp. media empire of Rupert Murdoch, as an arcane tool employed by scofflaw journalists with friends in Scotland Yard. But according to a study to be presented Tuesday, cellphone users in Europe and the rest of the world may be just as vulnerable as the actor Hugh Grant and other celebrities to having their personal voice mail hacked — or worse — because of outdated mobile network security. Read more from the NY Times here.

Insurance Against Cyber Attacks Expected to Boom
Sony is still awaiting the final tally for losses related to its data breaches earlier this year. At last count, it had compromised 100 million customer accounts, and Sony anticipated the debacle would cost $200 million. With 58 class-action suits in the works, that may be wishful thinking. Now for the really bad news: Sony’s losses aren’t insured. In a lawsuit, Sony’s insurer, the Zurich American Insurance Company, reminded the company it does not own a cyber insurance policy. Sony’s policy only covers tangible losses like property damage, not cyber incidents. Read more from the NY Times here.

Stratfor Targeted by Hacking Group Anonymous
he loosely-associated band of hackers known as Anonymous claims to have targeted the global intelligence think tank Strategic Forecasting, known as Stratfor, boasting on the microblogging site Twitter that personal information, including credit card numbers, belonging to Stratfor clients had been stolen. As of Monday morning, Stratfor’s Website was down, with a placeholder page saying the site was undergoing maintenance and asking visitors to “check back soon.” Read more from eWeek here.

Medical Data Breaches Affected More Than 10 Million Americans In 2011
2011 has been a bad year for medical data breaches. The medical records of more than ten million Americans were exposed this year. The San Diego-based Privacy Rights Clearinghouse has issued a list of this year’s six most significant data breaches. The insurer Health Net suffered one of the worst, when nine data servers went missing from a Northern California data center in January. The servers contained records of nearly two million current and former policy holders. Read more from KPBS here.

Enterprise Data Breaches: Insider Threats That Cause Most Losses
Organizations are beefing up their network and data defenses to protect sensitive information and intellectual property from attackers. But enterprise management often forgets that their own employees and contractors can also pose a threat. A recent Symantec report found that approximately 65 percent of malicious data thieves are on their way out the door to join a competitor or start their own company. More than half of the data theft occurs within a month before an employee’s departure, according to the study. Check out more from eWeek here.

“The main thing in any business is honesty,” Poxxie said, without any trace of irony.

The Traverse City, Michigan-based Ponemon Institute, which researches data security, estimates that thieves annually steal 8.4 million credit-card numbers in the U.S. alone. How do cyberbandits, who have turned hacking into a volume business, unload all those numbers. A lot like Amazon.com, it turns out.

Customers on CVV2s can search for card numbers by bank, card type, credit limit and zip code, loading them into a virtual shopping basket as they go. The site offers the ability to search by bank identification number. That means customers can choose cards by institutions known to have weak security, Poxxie said. CVV2s even has an automated feature that lets clients validate the numbers in real time, to make sure the bank hasn’t canceled the card.

Sites like Poxxie’s make up the cyberunderworld’s version of a pirate’s cove, offering their online booty at cut-rate prices. Hundreds of millions of dollars in stolen data are bought and sold in underground’s chat rooms and forums every year, a fencing operation that becomes more robust annually, according to RSA, the security division of EMC Corp. CrackHackForum.com, one of the sites, even mimics EBay Inc., rating buyers and sellers with starred reviews.

Read the full SF Chronicle article here.

A U.S. District Judge has ruled to dismiss the majority of claims included in a multi-institution suit against Heartland Payment Systems, which in 2008 was hacked, ultimately compromising 130 million U.S. debit and credit cards.

The Heartland breach, announced in January 2009, was the first card processor breach to attract international attention. A multiparty complaint against Heartland ultimately resulted, after the Judicial Panel on Multidistrict Litigation consolidated individual suits filed by consumers and U.S. banking institutions seeking financial compensation for losses suffered as a result of systems breach.

But earlier this month, after more than two years of litigation, District Judge Lee Rosenthal dismissed the majority of those claims, saying the plaintiffs failed “to state a claim upon which relief can be granted.”

One exception, however, was noted in Rosenthal’s ruling. A violation of the Florida Deceptive and Unfair Trade Practices Act claimed in one of the banking institution suits may be amended. Rosenthal found that the banks’ and credit unions’ claim could be heard if amended to include more than one state’s law and inclusion of more specific details about alleged contractual violations.

Read the full BankInforSecurity.com article here.

In case you have not been following the whole brouhaha about the new TLC show All-American Muslim and how home retailer Lowes dropped its advertising support foe the show, here’s a quick update:  Anonymous has stepped in seeking vigilante justice by hacking the Florida Family Association (FFA).   The rogue hacker group targeted the FFA for its role in persuading the Lowes to drop its advertising support for the show.

The word is that hackers worked through 15 levels of security to achieve a small breach into the FFA’s online systems, prompting their webmaster to shut down the site to avoid further incursion.

For weeks, the FFA sent out numerous email alerts denouncing the program as “propaganda” that “hides the Islamic agenda’s clear and present danger to American liberties.

Though fret not, hip-hop mogul Russell Simmons has stepped in and has bought up the surplus advertising space for the show.

Twenty-three shoppers at the Lucky Supermarket chain were not so lucky when these types of skimming devices stole their identities.  When the store did “routine maintenance” at 19 of their locations, suspicious devices were attached to the self-service scanners.

One thing is for sure.  We will be exercising patience by waiting it out in the traditional check-out line.  As they say, patience is a virtue.

Goldblatt is the lead plaintiff in a class action lawsuit, filed Thursday against HP in California, claiming that the IT giant should have warned customers about the flaws ahead of time.

In a nutshell, the flaw is a pretty bad one. HP LaserJet printers built before 2009 will accept remote firmware updates without properly checking where they come from. This means that — at least in theory — a hacker could cook up a malicious firmware update and upload it to a printer to make it stop working, spy on print jobs, or maybe even set the printer on fire by overworking the printer’s fuser — the part of the printer that dries ink on the paper.

HP says that it’s never heard of its printers being hacked by criminals and that its printers have “thermal breakers” that would prevent this kind of hacker inferno. But the company has acknowledged the underlying problem in a security alert.

The lawsuit seeks unspecified damages to be paid out to HP LaserJet customers (InkJet printers can’t do the remote firmware upgrade).

But how could HP have known about the defects, which were discovered by researchers at Columbia University and publicized late last month in an MSNBC story? That’s where things get a little fuzzy. Goldblatt’s attorneys cite a 2010 report commissioned by HP and written by analyst firm Quocirca, that describes some high-level security risks to printers, without spelling out specific attacks.

Read the full Wired story here.

Welcome to the Monday Morning News Kick Off post from the ITAC blog. As always, we have pulled together a vast array identity theft, date breach and cyber security news you need to start the work week. At the risk of sounding like a broken record, there is always no shortage of news to share. Why is this? Well, with 2011 being the “Year of the Data Breach,” cyber-related news has become virtually ubiquitous. Fortunately, we will serve as a filter for you, offering only the most compelling stories. We hope you enjoy and happy Monday!

Patient Data Breaches Surge as Hospitals Scrimp on Security
Data breaches at U.S. health-care providers are increasing as hospitals adopt electronic medical records and mobile technology without spending enough on security to ensure patient privacy, a research group said. The frequency of data breaches at health organizations jumped 32 percent in 2011 from a year earlier, costing the industry an estimated $6.5 billion, according to a study released today by the Ponemon Institute LLC, a Traverse City, Michigan-based information-security research group. Read the full Bloomberg/BusinessWeek story here.

Network Breaches Herald More Advanced Attacks in 2012
If 2011 was “the year of the hack,” as it was dubbed by Richard Clarke, former White House cyber-security czar, would 2012 be the year enterprises apply the lessons learned and stop the attacks? Apparently not, as security experts are predicting even more sophisticated attacks for 2012. Attacks in 2011 fell into four categories: cyber-crime, hacktivism, cyber-espionage and cyber-warfare, according to Clarke. Defense contractors, government agencies, and other public and private organizations reported network breaches where attackers stole intellectual property, financial data and other sensitive data. Hacktivist groups such as Anonymous and LulzSec demonstrated how much damage they can cause large organizations by employing fairly well-known techniques against the application layer. Read the full eWeek story here.

RIM Looks Into Hacking Claims
Research in Motion Ltd. said Wednesday it is investigating claims by online hackers that they have been able to access some of the proprietary systems, software and tools that run the company’s BlackBerry PlayBook tablet computer. Several hackers bragged in social-media posts early this week that they were successful in “jail breaking” the PlayBook. Jail breaking, also called rooting, is a common practice in which hackers gain access to the inner workings of phones, tablets and other devices. They then make this information widely available to others, who can use it to create unauthorized code or fashion homemade applications for the devices, much to the manufacturers’ chagrin. Read the full WSJ story here.

Florist Admits to Stealing Customers’ Identities
A Glendale florist and his wife pleaded no contest Thursday to multiple charges of identity theft after they were accused of stealing financial information from customers who shopped at their Glenoaks Boulevard shop, officials said. Vahik Ghookasian and his wife, Hilda, both 60, had originally pleaded not guilty to 14 felony counts of identity theft, but changed their plea in Burbank Superior Court. A no-contest plea is the equivalent of a guilty plea in criminal court, but cannot be used as evidence of liability in a civil trial. Read the full LA Times article here.

Identity Theft Victim Almost Sent to Jail Mistakenly
An Albuquerque man learned his identity was stolen when a lawyer called to notify him about a felony charge he didn’t commit. The Public Defenders Office called the man to talk about a criminal case against him and that he might want to accept a plea deal. However the guy was totally innocent. The Albuquerque Police Department arrested Alan Uffer, 52, for posing as the other man during an arrest in March. At the time, Uffer, under the other man’s name, was charged with commercial burglary, possession of burglary tools and aggravated assault. Read the full KOB-TV story here.

Massive Fines Planned in European Data Breach Crackdown
The European Commission could directly impose severe fines against companies that breach European data protection laws, sources confirm. The new European Data Protection Directive, set to be unveiled next month in January, will contain provisions for the Commission to impose fines of up to 5 percent of a company’s global turnover. In a similar case, under current European law, the Commission can fine companies that breach its antitrust laws up to 10 percent of its global turnover; regardless of where they are headquartered. Fines imposed by the Commission in line with the new directive could amass billions of dollars worth of revenue for large companies, such as Google, Microsoft, or Facebook, even in their native U.S. homeland. Read the full ZDNet post here.