Data breach

From Wikipedia, the free encyclopedia

A data breach is the intentional or unintentional release of secure information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and data spill. Incidents range from concerted attacks by black hats with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media.

Definition

"A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so." Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property. According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed.[1]


This may include incidents such as the theft or loss of digital media (computer tapes, hard drives, or laptop computers) on which such information is stored unencrypted; posting such information on the world wide web or on a computer otherwise accessible from the Internet without proper information security precautions; transfer of such information to a system which is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted e-mail; or transfer of such information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.[2]

Trusted environment

The notion of a trusted environment is somewhat fluid. The departure of a trusted staff member with access to sensitive information can become a data breach if the staff member retains access to the data subsequent to termination of the trust relationship. In distributed systems, this can also occur with a breakdown in a web of trust.
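The departed-staff case above is one a defender can check for mechanically: reconcile HR offboarding dates against the accounts that are still enabled, and against any access that happened after the termination date. The following is an added illustration, not code from the article; the HR records, account export and access-log lines are constructed sample data, and the log format (`timestamp key=value ...`) is an assumption.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample data: HR offboarding dates, an identity-provider account
# export, and a few access-log lines in an assumed "ts key=value" format.
HR_TERMINATIONS = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 2, 15),
}
ACCOUNTS = {
    "jdoe": {"enabled": True},     # should have been disabled on 2024-03-01
    "asmith": {"enabled": False},  # correctly disabled
    "bwong": {"enabled": True},    # current employee
}
ACCESS_LOG = [
    "2024-03-04T09:12:44Z user=jdoe action=download object=payroll_2024.xlsx",
    "2024-02-10T11:03:01Z user=asmith action=read object=contracts.pdf",
    "2024-03-05T08:00:00Z user=bwong action=read object=contracts.pdf",
]


@dataclass
class Finding:
    user: str
    kind: str    # "still-enabled" or "post-termination-activity"
    detail: str


def parse_log_line(line):
    """Split one log line into (date, {key: value}) using the assumed format."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date(), kv


def find_retained_access(terminations, accounts, log):
    """Report trust relationships that outlived their termination."""
    findings = []
    # 1) Accounts of terminated staff that are still enabled (latent exposure).
    for user, term_date in terminations.items():
        acct = accounts.get(user)
        if acct is not None and acct["enabled"]:
            findings.append(Finding(user, "still-enabled", f"terminated {term_date}"))
    # 2) Access actually exercised on or after the termination date (a breach).
    for line in log:
        day, kv = parse_log_line(line)
        term_date = terminations.get(kv.get("user"))
        if term_date is not None and day >= term_date:
            detail = f"{day} {kv.get('action')} {kv.get('object')}"
            findings.append(Finding(kv["user"], "post-termination-activity", detail))
    return findings
```

Run `find_retained_access(HR_TERMINATIONS, ACCOUNTS, ACCESS_LOG)` to see the two findings for `jdoe`; `asmith` produces none because the only logged access predates the termination.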

Data privacy

Most such incidents publicized in the media involve private information on individuals, such as social security numbers. Loss of corporate information such as trade secrets, sensitive corporate information or details of contracts, or of government information, is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.

Insider versus external threats

Those working inside an organization are a major cause of data breaches. Estimates of breaches caused by accidental "human factor" errors range from 37% by Ponemon Institute[3] to 14% by the Verizon 2013 Data Breach Investigations Report.[4] The external threat category includes hackers and state-sponsored actors.

Medical data breach

Some celebrities have found themselves to be the victims of inappropriate medical record access breaches, although usually as individual incidents rather than as part of a typically much larger breach.[5] Given the series of medical data breaches and the lack of public trust, some countries have enacted laws requiring safeguards to be put in place to protect the security and confidentiality of medical information as it is shared electronically, and to give patients some important rights to monitor their medical records and to receive notification of loss or unauthorized acquisition of health information. The United States and the EU have imposed mandatory medical data breach notifications.[6]


Although such incidents pose the risk of identity theft or other serious consequences, in most cases there is no lasting damage: either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the hardware stolen, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate damages by, for instance, providing the victims with a subscription to a credit reporting agency.

Major incidents

Well known incidents include:

  1. "A Chronology of Data Breaches", Privacy Rights Clearinghouse.
  2. "Frequently Asked Questions on Incidents and Spills" (When we discuss incidents occurring on NSSs, are we using commonly defined terms?), National Archives Information Security Oversight Office.
  3.
  4.
  5. Ornstein, Charles (2008-03-15). "Hospital to punish snooping on Spears". Los Angeles Times. Retrieved 2013-07-26.
  6. Kierkegaard, P. (2012). "Medical data breaches: Notification delayed is notification denied". Computer Law & Security Report, 28 (2), pp. 163–183.
  7.
  8. "Target security breach affects up to 40M cards". Associated Press via Milwaukee Journal Sentinel. 19 December 2013. Retrieved 21 December 2013.
  9. Honan, Mat (2012-11-15). "Kill the Password: Why a String of Characters Can't Protect Us Anymore". Wired (Condé Nast). Retrieved 2013-01-17.
  10. Honan, Mat (August 6, 2012). "How Apple and Amazon Security Flaws Led to My Epic Hacking". Retrieved 26 Jan 2013.
  11. "Protecting the Individual from Data Breach". The National Law Review. Raymond Law Group. 2014-01-14. Retrieved 2013-01-17.
  12. Greenberg, Andy (9 June 2011). Forbes.
  13. [1]
  14. "Heartland Payment Systems Uncovers Malicious Software In Its Processing System".
  15. "Lessons from the Data Breach at Heartland", MSNBC, July 7, 2009.
  16. "GE Money Backup Tape With 650,000 Records Missing At Iron Mountain", Iron Mountain.
  17. "BNP activists' details published", BBC News.
  18. "Bank of America settles Countrywide data theft suits".
  19. "Countrywide Sued For Data Breach, Class Action Suit Seeks $20 Million in Damages", Bank Info Security, April 9, 2010.
  20. "Countrywide Sold Private Info, Class Claims", Courthouse News, April 05, 2010.
  21. "The Convergence of Data, Identity, and Regulatory Risks", Making Business a Little Less Risky Blog.
  22. Manning, Jeff (2010-04-13). "D.A. Davidson fined over computer security after data breach". The Oregonian. Retrieved 2013-07-26.
  23. "T.J. Maxx data theft worse than first reported". 2007-03-29. Retrieved 2009-02-16.
  24. "data Valdez", Doubletongued dictionary.
  25. "AOL's Massive Data Leak", Electronic Frontier Foundation.
  26. "data Valdez", Net Lingo.
  27. "Active-duty troop information part of stolen VA data", Network World, June 6, 2006.

External links