Large data breaches garner a lot of media attention, but sometimes the quantity of records lost is not as important as the sensitivity of information they contain. The breach of a database that contains 300 million names is less serious, for example, than compromising a database that contains the names, Social Security numbers, and dates of birth of only 30 people. Obviously, hackers can do a lot more damage with sensitive information than with a list of random names. This article will cover three large-scale security breaches involving sensitive data.
Massachusetts Hospital Compromises Data on 800,000 Individuals
In February of 2010, South Shore Hospital in Massachusetts shipped three boxes containing 473 unencrypted computer tapes to a company called Archive Data Solutions. Archive Data Solutions was hired to erase the data on the tapes and resell the tapes to other customers.
What Archive Data Solutions didn’t know was that the tapes contained the personal information of about 800,000 individuals. The information included names, Social Security numbers, financial account numbers, and medical diagnoses. And none of the information on the tapes was encrypted.
It’s unclear for how long South Shore Hospital had been handling confidential data in this manner. But when two of the three boxes destined for Archive Data Solutions were lost in transit, the security breach turned into a public scandal.
In the end, South Shore Hospital settled a lawsuit concerning this data breach for $750 million dollars. About a third of this was spent on beefing up the hospital’s security measures, another third is earmarked for an education fund, and the rest is part of a civil penalty.
3 Million Bank Accounts Hacked in Iran
Khosrow Zarefarid discovered a security flaw in the Iranian banking system that affected over 22 different banks. He reported the vulnerability along with 1,000 account numbers to each of the banks’ managers. Unfortunately, none of them took notice.
To prove his point, Zarefarid later exposed 3 million account numbers, card numbers, and PIN numbers on his blog. While it doesn’t appear that he used the information to steal any money, this is obviously a serious security threat. Unfortunately, the banks didn’t react the way they should have.
The banks issued a warning to their customers to change their PIN numbers. Some banks temporarily froze the affected bank accounts. But none of them determined to fix the security issues to prevent another hack like this. After all, changing the PIN number won’t stop Zarefarid or someone else from accessing the same bank information in the future.
While Central Bank officials in Iran downplay the threat by stating that it’s not serious, Google removed Zarefarid’s blog. Posting personal and confidential information about other people violates the blog’s policies. Unfortunately, banking customers in Iran might not have any choice but to continue banking in the same system that won’t address obvious security flaws. Hopefully, public exposure will encourage the banks to investigate further and take appropriate security measures.
22.1 Million People’s Personal Information Exposed
The Office of Personnel Management (OPM), which is the U.S. government’s personnel management agency, admitted that data on 22.1 million people was stolen from its servers. This breach is one of the most damaging breaches on record partly based on its scale but more so due to the sensitivity of the data that was stolen.
Of the data of those exposed, 19.7 million people applied for security clearances. They included current, former, and prospective federal contractors and employees plus the spouses or co-habitants of these applicants. The only group of employees that’s missing from this collection of data is undercover CIA agents.
Stolen information included Social Security numbers, residency and educational history, employment history, information about immediate family members, health history, criminal history, financial history, drugs use, and romantic history. The data even included 1.1 million fingerprints.
According to the Office of Personnel Management, anyone who underwent a background investigation after 2000 was included in these records. People who underwent an investigation before then may also be impacted, but it’s less likely.
The prime suspect is China’s Ministry of State Security. At this particular point, there has been no indication that the records were misused, but none of the information expires. Presumably, the sensitive information can be used at any point in the future to blackmail the victims or exert undue influence over them by exploiting their weaknesses.
The Importance of Keeping Sensitive Data Safe
As you have seen, cyber security is even more important when sensitive data is at risk. If your company stores sensitive information about employees, contractors, customers, or business partners, then you need to make sure you can keep it safe. Ideally, your company should limit the amount of sensitive data it collects to avoid unnecessary exposure and data loss.
Additionally, it makes sense to restrict access to sensitive data to the people who really need it. Never give managers administrative access just because they’re managers. Last but not least, it’s important to keep all of your information safe and secure in an encrypted database.
How eFileCabinet Protects Your Documents
eFileCabinet takes cyber security seriously. We help you protect your documents by encrypting every file you store with us. We also help you set up role-based user access to limit the information your employees have access to. Last but not least, you can verify the authenticity of your documents with the unalterable audit trail available to high-level administrators.