- Data breach
A data breach is the intentional or unintentional release of secure information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and data spill. Incidents range from concerted attacks by black hats with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media.

Definition

"A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so." Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property. According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed.

This may include incidents such as:
- theft or loss of digital media such as computer tapes, hard drives, or laptop computers on which such information is stored unencrypted (encryption of the media only helps if the key is not stored on or with the lost device);
- posting such information on the World Wide Web, or on a computer otherwise reachable from the Internet, without proper information security precautions;
- transfer of such information to a system that is not completely open but has not been appropriately or formally accredited for security at the approved level, for example by unencrypted e-mail;
- transfer of such information to the information systems of a possibly hostile party, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.
The notion of a trusted environment is somewhat fluid. The departure of a trusted staff member with access to sensitive information can become a data breach if the staff member retains access to the data subsequent to termination of the trust relationship. In distributed systems, this can also occur with a breakdown in a web of trust.
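One concrete check for the departed-staff case described above, added here as an example and not part of the original article: reconcile an HR offboarding feed against an export of identity-provider accounts and report every account whose owner's trust relationship has ended but that is still enabled, still holds group memberships, still has valid API keys, or has authenticated after the termination date. The feed format, field names and sample records are all constructed assumptions; a real deployment would pull them from the HR system and the identity provider.

```python
"""Detect access retained after termination (added example; all data is constructed)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    """One identity-provider account as it might appear in an export (assumed schema)."""
    user: str
    enabled: bool
    groups: List[str] = field(default_factory=list)
    last_login: Optional[datetime] = None
    api_keys: int = 0  # number of still-valid long-lived tokens


# Constructed HR offboarding feed: user -> termination date.
HR_TERMINATIONS: Dict[str, date] = {
    "alice": date(2024, 3, 1),
    "bob": date(2024, 3, 10),
    "dave": date(2024, 3, 5),
}

# Constructed identity-provider export.
IDP_ACCOUNTS: List[Account] = [
    # Clean offboarding: disabled, no groups, no tokens, no login after leaving.
    Account("alice", enabled=False, last_login=datetime(2024, 2, 28, 9, 0)),
    # Nothing was revoked and the account was used after termination.
    Account("bob", enabled=True, groups=["finance-readers"],
            last_login=datetime(2024, 3, 12, 22, 15), api_keys=1),
    # Current employee: not in the termination feed, so never reported.
    Account("carol", enabled=True, groups=["engineering"],
            last_login=datetime(2024, 3, 11, 8, 0)),
    # Disabled login, but group membership and API keys survive: still a breach path.
    Account("dave", enabled=False, groups=["vpn-users"], api_keys=2),
]


def retained_access(terminations: Dict[str, date],
                    accounts: List[Account],
                    grace_days: int = 1) -> List[Tuple[str, List[str]]]:
    """Return (user, reasons) for every terminated user whose access was not fully revoked.

    grace_days allows for a same-day login before HR and IT records were reconciled;
    anything at or after termination + grace_days counts as post-termination use.
    """
    findings: List[Tuple[str, List[str]]] = []
    for acct in accounts:
        term = terminations.get(acct.user)
        if term is None:
            continue  # still employed (or unknown to HR): out of scope for this check
        cutoff = datetime.combine(term, datetime.min.time()) + timedelta(days=grace_days)
        reasons: List[str] = []
        if acct.enabled:
            reasons.append("account still enabled")
        if acct.groups:
            reasons.append("still member of " + ", ".join(acct.groups))
        if acct.api_keys:
            reasons.append(f"{acct.api_keys} API key(s) still valid")
        if acct.last_login is not None and acct.last_login >= cutoff:
            reasons.append(f"authenticated {acct.last_login:%Y-%m-%d} after termination")
        if reasons:
            findings.append((acct.user, reasons))
    return findings


def report(findings: List[Tuple[str, List[str]]]) -> str:
    """Render findings as one line per affected user, suitable for a ticket or alert."""
    return "\n".join(f"{user}: " + "; ".join(reasons) for user, reasons in findings)


if __name__ == "__main__":
    print(report(retained_access(HR_TERMINATIONS, IDP_ACCOUNTS)))
```

Disabling the login is the step most offboarding runbooks remember; the check above deliberately treats surviving group memberships and long-lived tokens as findings too, because either one lets a former insider keep reaching the data without ever passing through the disabled login.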
Most such incidents publicized in the media involve private information on individuals, e.g. social security numbers. Loss of corporate information such as trade secrets, sensitive corporate information or details of contracts, or of government information, is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.
Although such incidents pose the risk of identity theft or other serious consequences, in most cases there is no lasting damage: either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the stolen hardware, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate damages by, for instance, providing the victims with a subscription to a credit-monitoring service.
Well-known incidents include:
- In April 2011, Sony experienced a data breach within its PlayStation Network. It is estimated that the information of 100 million users was compromised.
- In December 2009, a RockYou! password database containing 32 million user names and plaintext passwords was breached. Because the passwords were stored in the clear, the leak also exposed every user who had reused a weak password elsewhere.
- In January 2009, Heartland Payment Systems announced that it had been "the victim of a security breach within its processing system", possibly part of a "global cyber fraud operation". The intrusion has been called the largest criminal breach of card data ever, with estimates of up to 100 million cards from more than 650 financial services companies compromised.
- In January 2008, GE Money, a division of General Electric, disclosed that a magnetic tape containing 150,000 social security numbers and in-store credit card information from 650,000 retail customers was missing from an Iron Mountain Incorporated storage facility. J.C. Penney was among 230 retailers affected.
- Horizon Blue Cross and Blue Shield of New Jersey, January 2008, 300,000 members
- Lifeblood, February 2008, 321,000 blood donors
- British National Party membership list leak, November 2008
- The 2007 loss of Ohio and Connecticut state data by Accenture
- TJ Maxx, 2007, data for 45 million credit and debit accounts
- 2007 UK child benefit data scandal
- CGI Group, August 2007, 283,000 retirees from New York City
- The Gap, September 2007, 800,000 job applicants
- Memorial Blood Center, December 2007, 268,000 blood donors
- Davidson County Election Commission, December 2007, 337,000 voters
- AOL search data scandal, August 2006 (sometimes referred to as a "Data Valdez", due to its size)
- Department of Veterans Affairs, May 2006, 28,600,000 veterans, reserves, and active duty military personnel
- Ernst & Young, May 2006, 234,000 customers of Hotels.com (after a similar loss of data on 38,000 employees of Ernst & Young clients in February 2006)
- Boeing, December 2006, 382,000 employees (after similar losses of data on 3,600 employees in April 2006 and 161,000 employees in November 2005)
- "Most Recent Data Breaches", TeamSHATTER, updated regularly
- "A Chronology of Data Breaches", Privacy Rights Clearinghouse, updated twice a week
- "Identity Theft Resource Center - Data Breaches", Updated weekly with statistical analyses
- "Data Loss Database", Open Security Foundation's research project documenting data loss incidents worldwide.
- "Office of Inadequate Security", Breach incidents reported in the media and from primary sources, worldwide.
- "Personal Health Information Privacy", Breach incidents from the health care sector, worldwide.
- "Notices of Security Breaches", New Hampshire Department of Justice
- "Maryland Notice of Information Security Breaches", Maryland Attorney General's Office
- "Breaches Affecting 500 or More Individuals", Breaches reported to the United States Department of Health and Human Services by entities covered by HIPAA (the Health Insurance Portability and Accountability Act).
- "Information That Matter", A data breach responsible disclosure project associated with OWASP Singapore.
- "The Breach Blog", Data breach commentary and analysis.
- "SC Magazine Data Breach Blog", The SC Magazine Data Breach Blog.
Wikimedia Foundation. 2010.