Data spill

From Wikipedia, the free encyclopedia

Data spill is a somewhat ironic term, derived from such phrases as oil spill, toxic or hazardous waste spill, etc., for the unintentional release of secure information to an insecure environment. Other terms for this type of incident are data breach, data leak, etc. According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed. ^[1]

Contents 1 Definition 2 Data privacy 3 Consequences 4 Major incidents 4.1 2008 4.2 2007 4.3 2006 4.4 2005 5 References 6 External links

[edit] Definition

This may include incidents such as theft or loss of digital media such as computer tapes, hard drives, or laptop computers containing such media upon which such information is stored unencrypted, posting such information on the world wide web or on a computer otherwise accessible from the Internet without proper information security precautions, transfer of such information to a system which is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted e-mail, or transfer of such information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.^[2]

[edit] Data privacy

Most such incidents publicized in the media involve private information on individuals, i.e. social security numbers, etc.. Loss of corporate information such as trade secrets, sensitive corporate information, details of contracts, etc. or of government information is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.

[edit] Consequences

Although such incidents pose the risk of identity theft or other serious consequences, in most cases there is no lasting damage; either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the hardware stolen, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate damages by providing to the victims subscription to a credit reporting agency, for instance.

[edit] Major incidents

Well known incidents include:

[edit] 2008

• In January 2008, GE Money, a division of General Electric, discloses that a magnetic tape containing 150,000 social security numbers and in-store credit card information from 650,000 retail customers is known to be missing from an Iron Mountain Incorporated storage facility. J.C. Penney is among 230 retailers affected.^[3]
• Horizon Blue Cross and Blue Shield of New Jersey, January, 300,000 members ^[1]
• Lifeblood, February, 321,000 blood donors ^[1]

[edit] 2007

• The 2007 loss of Ohio and Connecticut state data by Accenture
• 2007 UK child benefit data scandal
• CGI Group, August, 283,000 retirees from New York City ^[1]
• The Gap, September, 800,000 job applicants ^[1]
• Memorial Blood Center, December, 268,000 blood donors ^[1]
• Davidson County Election Commission, December, 337,000 voters ^[1]

[edit] 2006

• AOL search data scandal (sometimes referred to as a "Data Valdez"^[4],^[5],^[6] due to its size)
• Department of Veterans Affairs, May, 28,600,000 veterans, reserves, and active duty military personnel ^[1], ^[7]
• Ernst & Young, May, 234,000 customers of Hotels.com (after a similar loss of data on 38,000 employees of Ernst & Young clients in February) ^[1]
• Boeing, December, 382,000 employees (after similar losses of data on 3,600 employees in April and 161,000 employees in November, 2005) ^[1]

[edit] 2005

• Amerprise Financial, stolen laptop, December 24, 260,000 customer records ^[1]

[edit] References

1. ^ ^{a b c d e f g h i j k} "A Chronology of Data Breaches", Privacy Rights Clearinghouse
2. ^ When we discuss incidents occurring on NSSs, are we using commonly defined terms?, "Frequently Asked Questions on Incidents and Spills", National Archives Information Security Oversight Office
3. ^ GE Money Backup Tape With 650,000 Records Missing At Iron Mountain - Iron Mountain
4. ^ data Valdez Doubletongued dictionary
5. ^ AOL's Massive Data Leak, Electronic Frontier Foundation
6. ^ data Valdez, Net Lingo
7. ^ "Active-duty troop information part of stolen VA data", Network World, June 6, 2006

[edit] External links

• "Attrition.org Data Loss Archive and Database", attrition.org
• "Notices of Security Breaches", New Hampshire Department of Justice
• "A Chronology of Data Breaches", Privacy Rights Clearinghouse, updated twice a week