10 of the Top Data Breaches of the Decade

How does iPad data breach compare to other recent security breaches?

June 13, 2010, 8:54 PM

June 14, 2010 -- The Internet cried foul last week when news broke that an AT&T security breach exposed the e-mail addresses of at least 100,000 owners of Apple's iPad 3G.

But industry observers are quick to point out that this is hardly the first -- and hardly the worst -- data breach that the tech world has ever seen.

"The fact is 114,000 is an impressive number and they're e-mail addresses. ... [But] that's almost public information," said Dan Tynan, a technology reporter and co-author of the technology humor site eSarcasm.

Some companies publish relevant e-mail addresses on their sites, and even when companies don't outright reveal addresses, it's often easy to guess them, he said.

"What these guys did was something that spammers do every single day," he said.

While it's discomforting when any personal information is compromised, Tynan said that this breach didn't expose seriously valuable information, such as social security numbers, bank account numbers or medical records.

But other security breaches over the past decade have disclosed the kind of information that could potentially threaten the people behind the data.

Since 2005, the Privacy Rights Clearinghouse, a San Diego-based non-profit, has maintained an exhaustive list of data breaches by corporations, government agencies and other institutions. While the Clearinghouse acknowledges that it doesn't include every breach, it says it makes an effort to list breaches of all kinds, including the number of people affected.

"It creates an awareness both among consumers that this kind of thing does happen. For business, governmental and other organizations, it reminds them of the fact that many people have entrusted them with very valuable information," said Paul Stephens, director of policy and advocacy for the organization. "And [it reminds them that] if they don't keep that information secure there will be consequences, both in terms of finances, remediating the breach, as well as the loss of trust by their customers."

People value information differently, he said, so it's difficult to say which breaches are more significant than others.

"They're all significant," he said. But "It's comparing apples to oranges. In some cases it's financial, in some cases it's medical."

Still, in terms of the number of people affected, he said 10 especially large breaches come to mind.

Below, take a look at 10 of the biggest data breaches of the decade.

In what has been called the largest credit card crime of all time, in 2009, Heartland Payment Systems announced that hackers had broken into the computers it uses to process about 100 million transactions each month for 175,000 merchants.

Heartland, which is based in Princeton, New Jersey, processes card payments for restaurants and other businesses. The hack was uncovered in January, after Visa and MasterCard notified Heartland about suspicious transactions.

In August 2009, three men were indicted by a grand jury on charges related to masterminding a scheme to steal more than 130 million credit and debit card numbers and personally identifying information from Heartland, 7-Eleven Inc. and other companies.

Last month, Heartland agreed to pay MasterCard issuers $41.4 million to settle claims over the data breach, according to The Associated Press. In order for the deal to go through, 80 percent of MasterCard issuers who filed claims must accept the settlement by June 25.

Though it is now eclipsed by the Heartland hack, a massive intrusion on TJX Company Inc.'s systems a few years earlier is significant because it was one of the first to show just how vulnerable retailers were. TJX Companies include T.J. Maxx, Marshalls and HomeSense.

In December 2006, the Framingham, Massachusetts-based TJX alerted law enforcement that cybercriminals had stolen more than 45 million customer records in 2003 and 2004. In January 2007 it went public with the news.

According to Information Week, within eight months, the company had spent more than $20 million investigating the incident, notifying customers and hiring lawyers to deal with the dozens of associated lawsuits. The hack alerted the industry to the threat of cybercriminals and pushed lawmakers to fast-track data security legislation, Information Week reported.

U.S. Department of Veterans Affairs -- 2009

The personal information for as many as 76 million veterans might have been compromised when a defective hard drive was sent for repair and recycling without first having the data on it erased.

In October 2009, the National Archives and Records Administration investigated the Veterans Affairs agency for the potential data breach, Wired magazine reported at the time.

The hard drive was used for the system veterans used to request health records and discharge papers, and included millions of Social Security numbers, Wired said.

In June 2005, news broke that a security breach at CardSystems, an Atlanta-based third-party processor of payment card transactions, exposed more than 40 million card accounts to potential fraud. Of those, 68,000 MasterCard accounts, 100,000 Visa accounts and 30,000 accounts from other brands are known to have been used by hackers, according to the Privacy Rights Clearinghouse.

In May 2006, U.S. Veterans Affairs officials disclosed that a laptop containing personal information for millions of veterans had been stolen in a burglary from the home of an agency employee in Maryland.

The agency estimated that about 17.5 million veterans were at risk and reportedly offered to cover the cost of monitoring their credit for one year, to the tune of $160.5 million.

Fortunately, about a month later, the FBI announced it had recovered the laptop and the personal information had not been compromised.

Bank of New York Mellon -- 2008

The personal information for more than 12.5 million people was potentially compromised when the Bank of New York Mellon lost a box of computer data tapes with information such as Social Security numbers, names, addresses and possibly bank account numbers.

The six to 10 tapes were lost en route to a storage facility, Reuters reported in 2009.

In February 2008, Connecticut officials disclosed the breach, saying more than 4.5 million people were affected. In August 2008, the number was raised to 12.5 million.

A year later, the bank agreed to pay Connecticut $150,000 as part of a settlement and provide credit monitoring and fraud alerts for the affected people for 36 months. It also agreed to reimburse customers for funds stolen as a result of the breach, Privacy Rights said.

In 2007, Certegy Check Services, a St. Petersburg, Florida-based financial services firm, disclosed that an employee stole customer records that included credit card, bank account and other personal information, according to Privacy Rights.

Though the company first estimated that the breach affected about 2.3 million people, later it upped the number to 8.5 million.

The employee responsible for the breach pleaded guilty to fraud and conspiracy charges and was sentenced to time in jail as well as a multi-million dollar fine.

In April 2010, Certegy agreed to donate $125,000 to the Florida Attorney General's Seniors vs. Crime Program and $850,000 for the state's investigative costs and fees related to the case.

TD Ameritrade, the Omaha-based online trading and investing company, revealed in 2007 that information for more than 6.3 million customers was stolen when one of its databases was hacked.

According to Privacy Rights, the company said at the time that names, e-mail addresses, phone numbers and addresses were lifted in the breach, which meant that customers received spam as a result.

In 2008, CheckFree Corp., an Atlanta-based online bill paying company, reported that hackers hijacked several of the company's Internet domain names and redirected customers to a Web site hosted in Ukraine that tried to install malware on people's computers.

At the time, the company estimated that about 160,000 people were exposed to the malicious site. But because hackers compromised the company's domain name, as many as 5 million people might have been affected, according to the Privacy Rights Clearinghouse.

Hannaford Bros. Co., a Scarborough, Maine-based supermarket chain, disclosed in 2008 that a security breach affected hundreds of its stores in the Northeast and Florida. The company reported about 1,800 cases of alleged fraud related to the breach.

According to Privacy Rights, as many as 4.2 million people could have been compromised by the intrusion, which resulted in stolen credit and debit card numbers.