The biggest security leaks for 2008 come with a new twist. It wasn’t enough for hackers to try to access sensitive information companies are storing about their employees or customers, they also wanted to get paid for doing it. Both the Korean auction site and Virginia Health received ransom notes from hackers demanding payment in exchange for the return of stolen information. But data breaches can also happen when companies don’t take security seriously like in the case of NARA.


Korean Auction Site Falls Victim to Data Breach

Internet Auction Co., a South Korean auction site owned by eBay, fell victim to a data breach in February 2008. Chinese hackers managed to obtain lots of information about the site’s customers and demanded a ransom note in exchange for the breached data.

It took 24 hours for the company to alert the users, during which time it was conducting business as usual. But since the hackers were able to get names, account information for refunds, email addresses, addresses, phone numbers, and national ID numbers, the damage was already done. All in all, this security breach affected about 18 million Koreans.

The Chinese hackers were able to infiltrate the system from the inside. They sent auction employees mass emails which automatically transferred user names and passwords to their computers when opened. The method called Cross Site Request Forgery (CSRF) is not new, but it seemed to be effective in that case.


Virginia Health Receives Ransom Note for $10 Million

The Virginia state website for the Virginia Prescription Monitoring Program was broken into by a hacker in April 2008. The hacker deleted the patient records on the site and replaced the homepage with a ransom note for $10 million for the return of those records. According to the ransom note, the hacker had 8,257,378 patient records and over 35 million prescriptions.

The website was used to help pharmacists track down prescription drug abuse. We couldn’t find any records of a resolution for this attack even though at the time criminal investigations were made by federal and state authorities. Presumably, the hackers were never caught.

Unfortunately, Virginia Health hasn’t been the only target of hackers and extortionists. However, when it comes to extorting money in exchange for data, companies would be stupid to give into the demands. After all, the hackers can still keep a copy of the data and demand more money in the future. And there is nothing stopping them from turning around and selling the information to someone else.


National Archives Exposes Data 70 Million Veterans

The National Archives and Records Administration (NARA) investigated a potential data breach in 2008 that possibly affected tens of millions of veterans. The issue involved a defective hard drive that was returned to its manufacturer even though it contained sensitive data.

On one hand, it’s commendable that the agency is trying to conserve resources. After all, sending the hard drive back to the vendor helped them avoid paying a $2,000 replacement fee. However, the problem is that the hard drive contained sensitive, unencrypted information about millions of veterans and should never have left the agency without properly deleting the information.

It’s unclear how many hard drives had been sent back that year and in preceding years. The hard drive in question was part of a set of six. It likely contained 18% of the database and a quick look-up table that included names and social security number for every veteran.

There has been no evidence that the information was misused; the company that manufactured the hard drives sent them to another vendor for destruction when they failed. But since investigations failed to prove that either the contractor or subcontractor took illegal or unethical actions that compromised the data, NARA does not believe a breach has occurred. Consequently, none of the veterans have been notified of this data loss.


Why Hackers Will Go after Sensitive Data and How You Can Protect Yourself

Hackers will always go after sensitive data because that’s where they can cause the most damage. Whether they intend to sell the information to 3rd parties, commit fraud or identity theft, or demand ransom notes from their victims, it’s clear that sensitive data is worth a lot. Therefore, if your company stores names, birth dates, social security numbers, or payment information on customers or employees, then you have to take steps to protect that information.

It’s more important than ever to spend time and effort on selecting the right providers to store your information. Time has shown that no company is completely immune against security attacks, but some have better protection in place than others. The difference between companies that take security seriously and the ones that don’t might mean having to ask employees or customers to reset their password or requiring them to watch their accounts for identity theft after a potential data breach. Obviously, more damage has been done in the latter case.


How eFileCabinet keeps your Information Secure

At eFileCabinet, we know that cybersecurity is your first priority. That’s why we have taken adequate steps to protect your files from harm. We encrypt all of the information you store with us, just in case. To reduce the likelihood of internal leaks, we also encourage you to set up role-based user permissions for your employees. Last but not least, your managers can verify the authenticity of your documents with our unalterable audit trail.