BankInfoSecurity.com - Information Security News, Regulations, & Education


Biggest Breaches of 2009

A Review of the Types and Trends of Data Breaches Involving Financial Institutions
August 28, 2009 - Linda McGlasson, Managing Editor

There have been 356 data breaches so far in 2009, according to the Identity Theft Resource Center (ITRC). And 46 of those breaches have involved financial institutions - up from 34 at this same time last year.

In reviewing these 46 incidents (see interactive timeline with details of each breach), one finds good news and bad, according to ITRC executive director Linda Foley.

The good news, Foley says, is that financial institutions consistently have a lower percentage of data breaches than other organizations. "This means they're doing a better job of controlling and protecting their data," she says.

The bad news is that when financial institutions -- or their third-party service providers -- are breached, it's big. Example: the Heartland Payment Systems breach, which resulted in the compromise of 130 million credit and debit cards. Financial data -- bank account numbers, Social Security numbers, and other personal identifying information -- is invaluable to hackers, and its loss is costly to consumers.

Granted, there aren't any other breaches on the Heartland scale, but there still have been some significant ones: Namely, an incident in February, when a defunct payments gateway was found to hold roughly 19,000 active credit card numbers. And then in May, a Countrywide insider breach resulted in potential compromise to 4,000 account numbers. And then there are the many breaches where the number of records exposed is unknown.


What happens when organizations are breached? Opening new lines of credit is the most frequent financial crime, with 67 percent of identity theft victims reporting this happened to them in 2008, Foley says. Last year, fraud cost consumers $1.8 billion, according to the Federal Trade Commission, and 26 percent of consumer complaints were related to identity theft.

Types, Timeline of Breaches
Including Heartland -- the poster child for 2009 data breaches -- the 46 financial services-related breaches tracked by the ITRC this year are divided into seven types:

  • Insider theft: 12 breaches;
  • Skimming: 8;
  • Missing paper documents: 10;
  • Exposure of data on the Internet: 4;
  • Accidental breaches: 2;
  • Stolen or missing hard drives/laptops: 5;
  • Outside network intrusions: 2;
  • Unknown cause: 3.

A review of breaches shows that May so far has been the busiest month of 2009 with 10 reported breaches. March is the second-busiest month, with 8 reports, while August so far has seen 7.

The ITRC collects breach data through multiple channels, including state attorneys general offices, news media and other data breach reporting entities. To see the ITRC's entire analysis of data breaches across industry, visit the nonprofit organization's website.

Examples of Breaches
Each of the 46 breaches involving financial institutions is detailed in the accompanying timeline and listing. Here is just a sampling of the types of incidents the ITRC has collected:

Insider Theft - A man posing as an Air Force reservist got 4,000 account numbers from Countrywide Financial in Fort Worth, TX and used them to steal $500,000 over a two-year period. Investigators tracked the case to his accomplice, a female customer service rep at Countrywide. Along with the account numbers being used, personal identities were compromised in the scheme, say investigators, who arrested Isaac McCrumby, 29, an unemployed R&B singer, in April. McCrumby used a fake Air Force ID to cash the bogus checks and pass bad credit cards.

Skimming - A band of thieves rigged Sovereign Bank ATMs in Staten Island, NY in May with skimmers so that they could steal account and password information from bank customers. The thieves placed hidden cameras to film victims typing in PIN codes.

Paper Documents Missing/Found - On Aug. 4, a Holiday Inn in Wichita, KS reported finding client records from a defunct local mortgage-brokerage firm, Morrison Financial Corp., in its dumpster. Information included Social Security numbers, bank accounts and photocopies of drivers' licenses and checks. The mortgage company shared parking with the hotel.

