This page highlights recent examples of large scale exposure
of sensitive consumer information through hacking of databases
and corporate networks.
The incidence and severity of insider and external IT
security breaches are contentious. The 2006 Ponemon Institute
survey in the US, for example, noted that around 80% of
respondents indicated that an insider-related breach
had gone unreported. Over 61% indicated that "careless"
or "untrained" employees and contractors cause
accidental data losses "frequently" or "very
frequently". 48% indicated that deliberate violations
of IT security occur "frequently" or "very
frequently", although the survey provided few specifics
that would allow assessment of the seriousness of such violations.
Student Christopher Phillips hacked into the University
of Texas system in 2003, copying personal information
that included some 40,000 Social Security Numbers. He
was convicted by a federal jury in June 2005, with an
order to pay US$170,000 restitution for his crimes and
serve five years of probation.
In 2004 the University of California San Diego experienced
unauthorised access to four servers containing social
security numbers for 380,000 people. In the same year
at the University of California Berkeley the personal
records of 1,400,000 people were exposed through unauthorised
access to a researcher's networked personal computer.
In December 2006 the University of California, Los Angeles,
revealed that access by hackers to a restricted university
database had exposed private information of 800,000 current
and former faculty, staff and students. The intruder showed
a specific interest in names and Social Security numbers.
The database also contained birth dates and addresses.
In 2004, amid hyperbole about the benefits of offshoring
financial data processing and call centres to low wage
(and low regulation) regimes, twenty employees of MphasiS,
in the Indian city of Pune, were revealed to have withdrawn
some US$425,000 from Citibank accounts.
A year later three former MphasiS employees were arrested
for allegedly stealing US$350,000 from accounts of four
DSW and Ralph Lauren
US retail conglomerate DSW/Retail Ventures announced in
2005 that there had been unauthorised access to 100,000
customer records. A second breach at DSW occurred in the
same year, with unauthorised access to 1.3 million records.
Polo Ralph Lauren announced unauthorised access to 180,000
LexisNexis, part of the world's largest legal publisher,
reported in 2005 that there had been unauthorised access
over several weeks to 310,000 personal records.
MasterCard and Visa
MasterCard International reported in 2005 that unauthorised
access to CardSystems Solutions database may have exposed
over 40 million credit card accounts, including 14 million MasterCard
customers. It commented that
are actively monitoring the situation on a real-time
basis using our state-of-the-art fraud-fighting technologies.
In 2006 it was revealed that personal information for
over 17 million customers of the online payment service
iBill was available on the
net, being used by spammers and identity theft criminals.
The data appears to have been taken by an iBill employee.
It includes consumer names, phone numbers, addresses,
email addresses, IP addresses, credit-card types and purchase
amounts. iBill was the dominant payment intermediary in
the online adult content
NNSA and Nebraska
In September 2005 a hacker stole a file containing information
on 1,500 people working for the US Energy Department's
nuclear weapons agency. The incident is of interest
because the break-in at the National Nuclear Security
Administration in Albuquerque was not reported to senior
officials until nine months later and none of the people
were notified. The data theft involved names, Social Security
numbers, birthdates, codes showing where the employees
worked and codes showing their security clearances. Most
of the individuals worked for contractors; the list was
compiled as part of security clearance processing.
During the following year a hacker in the Nebraska child-support
computer system grazed data on 300,000 individuals and
In 2006 Linden Labs, operator of 'virtual world' Second
Life, warned that unauthorised access to its database
had compromised the passwords, names and addresses of
650,000 participants. (Credit card details were reportedly
encrypted and on a separate server.) Advice to change
passwords came too late for some Second Life
participants, who discovered that the crackers were busy
selling the virtual assets of those players.
TJX and Hannaford
In early 2007 US retailing giant TJX (with about 2,300
stores in the US, Canada and Europe) acknowledged that
an intruder had been gaining access since 2003 to a computer
system that contained customer information, including
names, addresses, phone numbers, birth dates, drivers'
license numbers, checking accounts linked to transactions
for returned merchandise and details of customer transactions
with cards issued by all the major credit card companies.
Much of the data was not encrypted.
In March 2007 Florida police arrested six people accused
of using the stolen credit card information to buy over
US$8 million worth of personal computers, flat-screen
televisions and other digital bling. The "gift card
scheme" involved the accused using the information
to purchase gift cards while travelling across Florida,
subsequently redeeming the cards by buying electronics
from Wal-Mart and Sam's Club stores.
TJX subsequently revealed that 45.6 million credit card
numbers (for customers in the US, Canada, Ireland, UK
and Puerto Rico) were accessed in 2005, with at least
another 132,000 taken in 2006. TJX chief executive Carol
Meyrowitz said "I want our customers to know how
much I personally regret any difficulties you may experience
as a result of the unauthorised intrusion".
In 2008 US supermarket chain Hannaford Bros. reported
exposure of around 4.2 million credit and debit card numbers
"during the card authorization process", resulting
in upwards of 1,800 cases of fraud. The breach affected
over 271 stores, beginning on 7 December 2007 and not
being contained until 10 March 2008. Hannaford CEO Ronald
Hodge commented "We have taken aggressive steps to
augment our network security capabilities".
Acxiom and Monster.com
US data trading giant
Acxiom, profiled elsewhere on this site, experienced repeated
large scale data losses through hacking by associates
during 2001 and 2003. Market Intelligence Group systems
administrator Daniel Baas for example was sentenced to
45 months in federal prison in 2005 after he copied several
million unencrypted files onto disks stored at his home.
Spam facilitator Scott Levine
of Snipermail cracked Acxiom's system in July 2003, copying
1.6 billion records with a supposed street value of US$7
In 2007 Symantec revealed that hacking of US job website
Monster.com had exposed the personal data of hundreds of
thousands of users, with harvesting of user names, email
addresses, home addresses and phone numbers. That data
was uploaded to a remote web server outside Monster.com's
control. Symantec indicated that there were over 1.6 million
entries with personal information regarding several
hundred thousand candidates who had posted resumes to
the Monster.com site.
Negligence in management of the UK Medical Training Application
Service (MTAS), the central system used by several thousand
student and junior doctors in applying for jobs, saw exposure
of personal details of those applicants.
Channel 4 commented
the details of final year medical students applying
for hospital jobs were accessible by the general public.
We are not just talking names and address. We are talking
everything. Not only can we see what they wrote in their
applications; their addresses; their phone numbers;
who their referees are. We can also see if they were
white, heterosexual, gay, Asian, Christian, Jewish or
Hindu, and we can also see if they have got police records
and what the crime was.
In 2008 South Korean police arrested four people over
the theft of data on 11 million customers of oil refiner
The theft, allegedly involving two employees of a GS Caltex
subsidiary, was discovered after a
CD and DVD containing the names, social security numbers
and email addresses of 11 million GS Caltex customers
were found in piles of garbage in Seoul. One of the suspects
reportedly alerted the media in an effort to boost the
market value of the data. An employee had burnt the records
onto disks at the firm's call centre, making six copies.