If there was anything even vaguely comforting about the data breaches that were announced this year, it was that many of them stemmed from familiar and downright mundane security failures.
Companies continued to be felled more by the usual issues, such as lost laptops, unpatched or poorly coded software, inadvertent disclosures and rogue insiders, than by sneaky new attack techniques or devastating new hacker tools.
Here’s a look back at five of the more notable breaches of the year:
TSA: Lessons in redaction
In what must arguably rank as one of the biggest security gaffes of this year, the Transportation Security Administration (TSA) accidentally posted on a public Web site a manual that contained complete details on its airport screening procedures.
The TSA manual included details for screening passengers, checking for explosive devices, special rules for handling the CIA, diplomats and law enforcement officials, and the technical settings and tolerances of the metal and explosives detectors used at airports.
The leak occurred when an improperly redacted TSA Standard Operations Procedures manual was posted on a federal Web site as part of a contract bid solicitation process. Lawmakers called the gaffe “shocking” and “reckless,” as well as a threat to national security.
Heartland Payment Systems: 2009’s breach poster child
Heartland makes the list simply by virtue of the spectacular size and scope of the data breach it disclosed in January.
The compromise stemmed from SQL injection errors that allowed hackers to break into the payment processor’s networks and steal data on approximately 130 million credit and debit cards over several months.
That number easily eclipsed the 94 million or so cards that were believed to have been compromised in the hack at TJX Companies Inc in 2007. It gave Heartland the dubious distinction of having announced the largest ever data breach in history.
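The Heartland intrusion is attributed above to SQL injection. The following is an added example, not code from the article or from Heartland, showing in Python with an in-memory SQLite table what that class of error looks like beside its fix: a query built by string concatenation lets a caller's input alter the query's structure, while a bound parameter is only ever treated as data. The table name, columns and rows are constructed for the demonstration.

```python
import sqlite3


def build_demo_db():
    # Constructed in-memory table standing in for a processor's card records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (merchant TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("shop-a", "1111"), ("shop-b", "4444"), ("shop-c", "9999")],
    )
    return conn


def cards_for_merchant_unsafe(conn, merchant):
    # Vulnerable: the caller's string is spliced into the SQL text, so a value
    # containing a quote can close the literal and append its own condition,
    # turning a one-merchant lookup into a dump of every merchant's rows.
    sql = "SELECT merchant, pan_last4 FROM cards WHERE merchant = '%s'" % merchant
    return conn.execute(sql).fetchall()


def cards_for_merchant_safe(conn, merchant):
    # Hardened: the value is bound by the driver and never parsed as SQL, so the
    # same string simply matches no merchant and returns nothing.
    sql = "SELECT merchant, pan_last4 FROM cards WHERE merchant = ?"
    return conn.execute(sql, (merchant,)).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    hostile = "x' OR 'a'='a"
    print("unsafe, normal input:", cards_for_merchant_unsafe(conn, "shop-a"))
    print("unsafe, hostile input:", cards_for_merchant_unsafe(conn, hostile))
    print("safe, hostile input:  ", cards_for_merchant_safe(conn, hostile))
```

Parameterized queries are the fix; input filtering is not a substitute, because the database, not the application, decides where the data ends and the SQL begins.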
Health Net: Delayed disclosure
It was bad enough that Health Net of the Northeast Inc. lost a hard drive containing seven years' worth of unencrypted personal, financial and medical information on about 1.5 million customers. What made the loss worse was that the company did not disclose it for nearly six months after the drive went missing.
Along with medical records, the hard drive contained names, addresses and Social Security numbers of Health Net customers from Arizona, Connecticut, New Jersey and New York.
A new healthcare breach notification law that went into effect in November is designed to force companies to disclose such breaches sooner. But few are likely to do so because of a controversial “harm threshold” clause entered into the bill at the last moment.
U.S. GPO: Sharing nuclear secrets with the world
In an incident highlighting some of the dangers of the push to open government, a document containing sensitive details on U.S. civilian nuclear sites, marked as “Highly Confidential Safeguards Sensitive” by the President, ended up being publicly posted on the Government Printing Office’s Web site.
The document contained detailed information on hundreds of civilian nuclear sites in the country, including those storing enriched uranium. It listed details on programs at nuclear weapons research labs at Los Alamos, Livermore and Sandia and may have been posted because of differences in the way government agencies classify and handle official documents.
RockYou Inc: Storing 32M passwords in plain text
Social networking application vendor RockYou Inc. became a virtual shoo-in to this list earlier this week after a data breach exposed usernames and passwords for over 32 million registered members.
While the number alone makes the breach noteworthy, what makes it even more so is the fact that RockYou kept all of the passwords in plain text.
Since RockYou requires users to register with their Webmail addresses, the hacker behind the breach now has data that allows access to millions of Webmail accounts (unless those users change their passwords).
With a growing number of crooks trying to steal legitimate credentials to break into all sorts of online accounts, RockYou’s failure to take even a basic precaution such as hashing passwords was notable to say the least.
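The RockYou section turns on one precaution: a stolen copy of a plain-text password table is immediately reusable at every other site where the same password was chosen, whereas a salted, slow hash is not. The following is an added example, not code from the article or from RockYou, contrasting the two storage schemes in Python using only the standard library (PBKDF2-HMAC-SHA256 from hashlib). The user names, passwords and table layout are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# The two tables below are constructed in-memory stand-ins for a user database.

def store_plaintext(table, user, password):
    # The RockYou-style failure: the password itself is the stored record, so
    # whoever reads the table can log in as the user anywhere it was reused.
    table[user] = password


def store_hashed(table, user, password, iterations=200_000):
    # Hardened form: a random per-user salt and a deliberately slow KDF.
    # A dump yields only salts and digests, each of which must be attacked
    # separately; identical passwords no longer produce identical records.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    table[user] = {"salt": salt, "iterations": iterations, "digest": digest}


def verify_hashed(table, user, password):
    record = table.get(user)
    if record is None:
        # Run the KDF anyway so an unknown user costs the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, 200_000)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def plaintext_recoverable(table):
    # What a stolen copy of the table hands over directly: every user whose
    # record is a bare password string.
    return sorted(u for u, v in table.items() if isinstance(v, str))


if __name__ == "__main__":
    weak, strong = {}, {}
    for u, p in [("alice", "hunter2"), ("bob", "hunter2")]:  # constructed accounts
        store_plaintext(weak, u, p)
        store_hashed(strong, u, p)
    print("plaintext table exposes:", plaintext_recoverable(weak))
    print("hashed table exposes:", plaintext_recoverable(strong))
    print("bob logs in:", verify_hashed(strong, "bob", "hunter2"))
    print("same password, different records:", strong["alice"]["digest"] != strong["bob"]["digest"])
```

The iteration count is the tunable cost; it should be set as high as the login path can tolerate and raised over time, and a dedicated password hash such as bcrypt, scrypt or Argon2 is preferable where a library for it is available.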