
=Data breach=

A **data breach** is the unintentional release of secure information to an untrusted environment. Other terms for this phenomenon include **unintentional information disclosure**, **data leak** and **data spill**. Incidents range from concerted attacks by black hats with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media. According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed.

Definition
This may include incidents such as: theft or loss of digital media such as computer tapes, hard drives, or laptop computers on which such information is stored unencrypted; posting such information on the world wide web or on a computer otherwise accessible from the Internet without proper information security precautions; transfer of such information to a system which is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted e-mail; or transfer of such information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.

Trusted environment
The notion of a trusted environment is somewhat fluid. The departure of a trusted staff member with access to sensitive information can become a data breach if the staff member retains access to the data subsequent to termination of the trust relationship. In distributed systems, this can also occur with a breakdown in a web of trust.

Data privacy
Most such incidents publicized in the media involve private information on individuals, //e.g.// social security numbers. Loss of corporate information such as trade secrets, sensitive corporate information, details of contracts, //etc.//, or of government information, is frequently unreported, as there is no compelling reason to report it in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.

Consequences
Although such incidents pose the risk of identity theft or other serious consequences, in most cases there is no lasting damage; either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the hardware stolen, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate damages by providing to the victims subscription to a credit reporting agency, for instance.

Major incidents
Well known incidents include:

2009

 * In December 2009 a RockYou! password database containing 32 million user names and plaintext passwords was breached, further compromising the use of weak passwords for any purpose.
 * In January 2009 Heartland Payment Systems announced that it had been "the victim of a security breach within its processing system", possibly part of a "global cyber fraud operation".[3] The intrusion has been called the largest criminal breach of card data ever, with estimates of up to 100 million cards from more than 650 financial services companies compromised.[4]

2008

 * In January 2008, GE Money, a division of General Electric, disclosed that a magnetic tape containing 150,000 social security numbers and in-store credit card information from 650,000 retail customers was known to be missing from an Iron Mountain Incorporated storage facility. J.C. Penney was among 230 retailers affected.[5]
 * Horizon Blue Cross and Blue Shield of New Jersey, January, 300,000 members[1]
 * Lifeblood, February, 321,000 blood donors[1]
 * British National Party membership list leak[6]

2007

 * The 2007 loss of Ohio and Connecticut state data by Accenture
 * TJ Maxx, data for 45 million credit and debit accounts[7]
 * 2007 UK child benefit data scandal
 * CGI Group, August, 283,000 retirees from New York City[1]
 * The Gap, September, 800,000 job applicants[1]
 * Memorial Blood Center, December, 268,000 blood donors[1]
 * Davidson County Election Commission, December, 337,000 voters[1]

2006

 * AOL search data scandal (sometimes referred to as a "Data //Valdez//"[8][9][10] due to its size)
 * Department of Veterans Affairs, May, 28,600,000 veterans, reserves, and active duty military personnel[1][11]
 * Ernst & Young, May, 234,000 customers of Hotels.com (after a similar loss of data on 38,000 employees of Ernst & Young clients in February)[1]
 * Boeing, December, 382,000 employees (after similar losses of data on 3,600 employees in April and 161,000 employees in November, 2005)[1]

2005

 * Ameriprise Financial, stolen laptop, December 24, 260,000 customer records