10 of the Top Data Breaches of the Decade

How does iPad data breach compare to other recent security breaches?

By ABC News
June 13, 2010, 8:54 PM

June 14, 2010 -- The Internet cried foul last week when news broke that an AT&T security breach exposed the e-mail addresses of at least 100,000 owners of Apple's iPad 3G.

But industry observers are quick to point out that this is hardly the first -- and hardly the worst -- data breach that the tech world has ever seen.

"The fact is 114,000 is an impressive number and they're e-mail addresses. ... [But] that's almost public information," said Dan Tynan, a technology reporter and co-author of the technology humor site eSarcasm.

Some companies publish relevant e-mail addresses on their sites, and even when companies don't outright reveal addresses, it's often easy to guess them, he said.

"What these guys did was something that spammers do every single day," he said.

While it's discomforting when any personal information is compromised, Tynan said that this breach didn't expose seriously valuable information, such as social security numbers, bank account numbers or medical records.

But other security breaches over the past decade have disclosed the kind of information that could potentially threaten the people behind the data.

Since 2005, the Privacy Rights Clearinghouse, a San Diego-based non-profit, has maintained an exhaustive list of data breaches by corporations, government agencies and other institutions. While the Clearinghouse acknowledges that it doesn't include every breach, it says it makes an effort to list breaches of all kinds, including the number of people affected.

"It creates an awareness both among consumers that this kind of thing does happen. For business, governmental and other organizations, it reminds them of the fact that many people have entrusted them with very valuable information," said Paul Stephens, director of policy and advocacy for the organization. "And [it reminds them that] if they don't keep that information secure there will be consequences, both in terms of finances, remediating the breach, as well as the loss of trust by their customers."

People value information differently, he said, so it's difficult to say which breaches are more significant than others.

"They're all significant," he said. But "It's comparing apples to oranges. In some cases it's financial, in some cases it's medical."

Still, in terms of the number of people affected, he said 10 especially large breaches come to mind.

Below, take a look at 10 of the biggest data breaches of the decade.

In what has been called the largest credit card crime of all time, in 2009, Heartland Payment Systems announced that hackers had broken into the computers it uses to process about 100 million transactions each month for 175,000 merchants.

Heartland, which is based in Princeton, New Jersey, processes card payments for restaurants and other businesses. The hack was uncovered in January, after Visa and MasterCard notified Heartland about suspicious transactions.

In August 2009, three men were indicted by a grand jury on charges related to masterminding a scheme to steal more than 130 million credit and debit card numbers and personally identifying information from Heartland, 7-Eleven Inc. and other companies.

Last month, Heartland agreed to pay MasterCard issuers $41.4 million to settle claims over the data breach, according to The Associated Press. In order for the deal to go through, 80 percent of MasterCard issuers who filed claims must accept the settlement by June 25.

Though it is now eclipsed by the Heartland hack, a massive intrusion on TJX Company Inc.'s systems a few years earlier is significant because it was one of the first to show just how vulnerable retailers were. TJX Companies include T.J. Maxx, Marshalls and HomeSense.

In December 2006, the Framingham, Massachusetts-based TJX alerted law enforcement that cybercriminals had stolen more than 45 million customer records in 2003 and 2004. In January 2007 it went public with the news.

According to Information Week, within eight months, the company had spent more than $20 million investigating the incident, notifying customers and hiring lawyers to deal with the dozens of associated lawsuits. The hack alerted the industry to the threat of cybercriminals and pushed lawmakers to fast-track data security legislation, Information Week reported.