When you are the lead artist of a security mishaps that ended up in a data breach affecting some 24 million people, consequences are bound to catch up with you. And they just have caught up with shoe retailer Zappos.com and the bigger online fish behind them, Amazon.com. The two companies are being sued by the customers affected by the data breach, being accused of negligence.

A woman from Texas seems to be the main promoter in this Kentucky lawsuit. She claims that she and millions of other customers were harmed by the exposure of their personal account information. Zappos and Amazon have not commented on the lawsuit as of earlier today. 

The Zappos data breach was made public on Sunday when the company emailed employees and customers to let them know that names, phone numbers and email addresses of customers might have been accessed in a hacker attack.  The same statement reassured them that credit card and payment information had not been stolen. Zappos also advised its customers to reset account passwords on their site and any other sites where similar passwords were being used.

The attorneys of the Texas woman are seeking class-action status on behalf of the 24 million affected customers, claiming the security breach was actually a violation of the federal Fair Credit Reporting Act. The sum the lawsuit seeks has not been specified, but it is in the range of millions of dollars in compensatory and exemplary damages for emotional distress and loss of privacy. It also seeks to have Zappos court-ordered to pay for credit monitoring and identity theft insurance, plus periodic audits, for all those affected by the data breach.

Only 55 of the data loss breaches have actually been reported

If you can’t stop data breaches, at least cover them up! This seems to be the data security code British authorities go by. Too bad for them there is something called Freedom of Information Act requests… A new report issued by privacy campaign group Big Brother Watch showed that councils across the UK experienced over a thousand data loss cases over a three year period – August 2008 to August 2011.

To get the information, the group sent 433 FOIs to local authorities and councils across the Great Britain and showed s shocking discrepancy between the reported 50 something incidents and the harsh reality. Not only did BBW uncover the data mishandling cases, they also requested information on what happened to the employees of said councils – if they had been disciplined, fired or prosecuted over the data breaches -, and inquired about the council’s response to each incident. 

According to the 395 replies received,

“We have uncovered more than 1,000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care,” said BBW in a statement accompanying its report (PDF). ”Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.”

Only 55 of the incidents were subsequently reported to the Information Commissioner’s Office, which handles data loss complaints. In only 9 cases, those involved in the data breach were fired.

“I welcome this research by Big Brother Watch,” local government minister Grant Shapps told the data protection advocates. ”This reinforces the need for steps to protect the privacy of law-abiding local residents. Civil liberties are under threat from the abuse of town hall surveillance powers, municipal nosy parkers rummaging through household bins and town hall officials losing sensitive personal data on children in care.”

For a list of some of the most important data incidents included in the report, read the story published by the Register.

A whole lot was written on loss/theft of hardware (laptops, USB sticks, external hard drives, etc.) and we had thought that organizations would learn their lesson and encrypt sensitive data on such supports. Apparently, things aren’t quite like that and two recent incidents come to prove it.

A resident student at Vancouver Coastal Health lost a laptop and a USB stick (there is a high probability that the hardware was stolen) at the Toronto Airport. The information stored on the drives was password protected but it wasn’t encrypted.

A Vancouver Coastal Health official calls the incident ‘unfortunate’ and says that ‘This is the way physicians and other health care workers need to do their job. They need to use these devices.’ He admits that many professionals use laptops and that the agency has some issues handling mobile technologies.

Another mishap took place in the United Kingdom and the theft of a laptop that stored personal information of 100 young people who participated in inclusion programs. This laptop was in the house of a contractor of the Newcastle Youth Offending Team organization. The ICO (Information Commissioner’s Office) has established a fine for this organization for not encrypting the data. According to Sally-Anne Poole ‘Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure.’ She underlines the fact that organizations working with contractors must make sure that the latter ones align to their security policies.

It’s so simple and cheap to track the use of portable devices and encrypt sensitive data stored on them, that we really ask ourselves why don’t organizations do it?

Let’s hope that at least legal constraints will force private data handlers to implement solutions and politics to maintain their data safe and secure.

While data breaches are as common as any other daily occurrence in the business and individual worlds, the large security incidents don’t happen as often, especially if you think that one of the breaches in the top ten all time largest data exposures dates back to 1984. 2011 is not yet over and it already is the poster child of this top we all want to see unchanged.

2011 is the only year with three major data loss incidents in the top ten: Sony Corporation with 77 million records exposed, SK Communications, Nate, Cyworld with 35 million and again Sony Corporation through their Sony Online Entertainment division with close to 25 million records exposed. Luckily for us, although it featured large incidents, 2011 did not create as many victims as 2009 with its two incidents, Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank which share the number one position in the infamous top with 130 million records exposed and RockYou Inc. with another 32 million. 

Here’s the ultimate data breach top, the place where you never want to see your company’s name or that of any other company that has your data stored:

1. Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank – 130 million records (2009)
2. TJX Companies Inc. – 94 million records (2007)
3. TRW, Sears Roebuck – 90 million records (1984)
4. Sony Corporation – 77 million records (2011)
5. CardSystems, Visa, MasterCard, American Express – 40 million records (2005)
6. SK Communications, Nate, Cyworld – 35 million records (2011)
7. RockYou Inc. – 32 million records (2009)
8. U.S. Department of Veterans Affairs – 26,5 million (2006)
9. HM Revenue and Customs, TNT – 25 million records (2007)
10. Sony Online Entertainment, Sony Corporation – 24,6 million (2011)

Endpoint security developer CoSoSys has released a new version of their data loss prevention, device control and endpoint security solution for Windows and Mac OS, Endpoint Protector. Offering enhanced protection, increased effectiveness and the fastest implementation time in its segment, the out-of-the-box Hardware and Virtual Appliance is now available for small, medium and large companies and organizations.

Coming with a long list of new features targeting better security, reliability, ease of use and better adapting to company structures and organization charts, Endpoint Protector 4 is designed to protect networks ranging from 20 computers (endpoints) to more than 5.000 endpoints.

Some of the top benefits of this latest Endpoint Protector solution are:

• Seamless integration in business processes
• Saving time and money when the solution is installed
• Increased security through enhanced protection
• Reducing allotted resources of the security staff
• Optimum security through enhanced stability
• Enhanced protection through complex, adaptable end efficient security
• Reliable security through enhanced monitoring and policy control

We have recently written quite a few pieces on hacking, hacker-caused data breaches, and other such incidents. As we kick off the week and this first month of fall, more pieces of news along the same line come to our attention.

Two students hacked into the Birdville Independent School District’s servers and ran across a file containing 14,500 student names, ID numbers as well as social security numbers.

Borlas.net was also the playground of hackers. After managing to access their files, the hackers responsible for the security breach also leaked names, passwords, emails and phone numbers of nearly 15,000 registered users.

Another school district, El Paso, was also targeted by hackers. The accessed names, birth dates, social security numbers and addresses of both students and district employees.

Fans of the Star War Galaxies MMORPG game were targeted by hackers. The ObSec group hacked into a fan site and leaked 21,000 email addresses and 23,000 passwords.

The Texas Police Chiefs Association (an organization related to law enforcement could not have missed this list of incidents) was also hacked into and those responsible leaked 25 email accounts of members, along with contents.

If this keeps up, hacking will become the main cause for data loss this year. And as bigger and smaller such groups keep making the news and few are ever caught, they really have no reason to stop.

Hospitals, healthcare services providers, health insurance companies, all those operating in the healthcare segment seem to be particularly vulnerable to data breaches. Their patients and employees’ private details seem to be a frequent target for theft and easy to lose. It seems like this entire industry segment has no idea how to keep their data safe or how to properly dispose of it.

To recent incidents highlight this serious security issue affecting healthcare players. The first incident occurred at Texas Health Partners and Texas Health Flower Mound Hospital. A laptop was stolen from an employee of Texas Health Partners and it happened to contain private details about hospital patients. While the information was not encrypted, the laptop was at least password protected. The stolen notebook contained various details on patients, including name, addresses, medical history and lab test information.  The number of affected patients has not yet been disclosed.

A second incident reveals where the information stolen or lost by hospitals might end up. A year and a half after a computer disappeared from a chiropractor working at a private clinic, the laptop in question was found in a ditch. It contained medical records of thousands of patients, and all this data was not encrypted or password protected.

What can you do? Make sure you ask the hospitals and healthcare companies you work with about their data protection policies and practices. As not all hospitals are hit by data breaches, although it might seem that way given the large number and frequency of such incidents, some of them do know how to prevent the loss or theft of your confidential records.

The beginning of August has been extremely rich in data breaches caused by stolen or misplaced flash drives, hard drives and laptops, most of them unencrypted, as it almost always happens. Some of them are quite recent, in other cases it has taken over 5 months for those in question to let the affected parties know about the incidents.

The first breach in chronological order affected Lewisham Homes Limited and Wandle Housing Association Ltd and it involved a contractor’s flash drive that got lost in a pub. Apparently, mixing drinking and having fun with sensitive information does not lead to a tasty cocktail, it leads to details of over 26,000 tenants being lost. The silver lining of the incident is that only 800 people should worry about bank details. August 5 was by far the most prolific day for security breach reports with several such incidents being reported on that very day, two of which had to do with missing drives and computers. In the first case, two unencrypted laptops with patient information were stolen from the Harley Street Clinic. In the second case, a hard drive with medical information of over 600 patients was left in a cab by a doctor in a great hurry.

Another laptop was stolen from the Office of the Telecommunication Authority, which contained personal data of more than 500 people. It was closely followed by another flash drive, again unencrypted, belonging to a hospital that a doctor managed to lose. It contained 474 maternity patients’ names and medical details.

So, my advice to you: make sure everything is encrypted: your portable hard drives, your flash drives, your laptops and anything else you can think of. Better to prevent data loss than deal with it after the security breach has occurred. If you need help finding a device control and data loss prevention solution, we’re always here to help!

According to datalossdb.org, a site belonging to the Open Security Foundation, that publishes the latest news regarding data loss and data breaches, the month of 2011 with the largest number of such incidents was June, when 90 cases were recorded.

The causes of these incidents were very diverse: from the ever-present theft of computers, laptops or hard drives and other portable devices, to fraud, hacking attacks, personal information disclosed on websites, viruses, documents thrown in the dustbin, etc.

The most significant breach from June was the one produced at Sony Pictures, when the LulzSec hackers have accessed one million records of Sony clients in Belgium and the Netherlands.

An employee of the California Department of Health thought it would be a great idea to access and copy to a portable drive personal information belonging to 9,000 former and current state employees.  The security breach discovered within the department involved names, dates of birth, and addresses stored in compensation records of the affected parties.

The California Department of Health is currently running an investigation on the scope and extent of the breach. In the mean time, the person responsible for the unauthorized removal of personal records from the institution is on administrative leave, answering all the questions needed to understand the incident. 

The data breach was discovered due to a state security detection system, which alerted officials of potentially suspicious activity back in April. The department stated they have upgraded their security to prevent future such security incidents.

Is there an easy way to prevent such breaches? An endpoint security and data loss prevention solution, if it’s a top line one, involves file tracing, telling IT departments who copied what and to which device. It also prevents the use of unauthorized portable drives and in the case of certain products it actually allows the creation of file lists, granting access to only those that are safe for use.