Hurray, another end of the year list.

This one though (from Bank Info Security) is

not reviewing the top movies, songs, celebrities but, the miserable failures in
data security of 2008. With nine more days until the end of 2008, this post could
be pre-mature. Data breach threats show no regard for end of the year holiday
parties and frivolities.

The data breach incidents of 2008 include the old stand-bys of lost tapes and data
due to mistake and theft but also reveals an increased use of break in
technologies to steal information from data bases. Numerous "hacking" incidences
and infected computer systems not only resulted in millions of dollars in cost to
businesses but exposed large numbers of consumers to fraud. Stolen data has to go
some where and can be held in reserve for use at a later time, possibly changing
hands often before reaching a perpetrator. Data is a commodity. After all,
identity theft is a business - suppliers, middle men and end users are the norm,
just like in any business.

At least one of these breaches began in 2007 and continued into 2008 due to law
enforcement action. Last year's breaches while not lacking of hacking incidents,
were focused more on missing data. For comparison purposes, below the top 10 list
find links to stories looking back on 2007 and a link to a comprehensive multi-
year listing. APRPEH is currently taking predictions of data loss stories for the
end of 2009.

For accuracy purposes, it is important to recognize the difference between lost

back up tapes or disks and stolen computers, hard drives or data devices and must
be further differentiated from data lost due to hacking, viruses, malware - any
active invasion of data storage systems for the purpose of stealing information.
It is this last category with its obviously pernicious intent to steal data (vis a
vis hardware) which represents a greater threat equation for consumers. The 'how
was it stolen' question makes a huge difference in predicting whether or not
consumers are likely or unlikely to become victims of identity theft.

-----------------------------------------------------------------

Top 10 Security Breaches of 2008 - Bank Info Security

(http://www.bankinfosecurity.com/articles.php?art_id=1120&opg=1)
Ghost of Christmas Past (TJX) Still Casts Specter on Present and Future
Linda McGlasson, Managing Editor
December 22, 2008

From Hannaford to Countrywide to the Bank of New York Mellon, 2008 has been a year
of high-profile security breaches in or impacting the financial services industry.
Here's our list of the top 10 - and lessons that should be learned, so we aren't
back revisiting these issues in '09.

1. TJX Case Winds Up, Arrests Made

Earlier this year, The TJX Companies (parent of retailer TJ Maxx) settled in
federal court and paid out millions to its federal regulator, the Federal Trade
Commission, banking institutions, credit card companies and consumers to bring to
a close the court cases that had threatened to overwhelm the company.

The August arrest of 11 alleged hackers accused of stealing more than 40 million
credit and debit cards brings law enforcement closer to closing what is still the
largest hack ever. The U.S. Department of Justice brought charges against 11
alleged hackers from around the globe. Some of the hacking gang were nabbed and
brought to the U.S. to face trial alongside three U.S.-based defendants. Two of
the defendants, Christopher Scott and Damon Patrick Toey, have already pled guilty
in the case. Others including the ringleader, Alberto Gonzalez, await trial.

Lesson Learned: The wide-range of the perpetrators brings to light something that
those in the cyber intelligence realm have known for some time: Criminal hackers
are part of a very mature and multi-billion dollar industry that reaches around
the world. No organization is immune to the threat.

2. Bank of New York Mellon

An unencrypted backup tape with 4.5 million customers of the Bank of New York
Mellon went missing on Feb. 27, after it was sent to a storage facility. The
missing tape contains social security numbers and bank account information on 4.5
million customers - including several hundred thousand depositors and investors of
People's United Bank of Connecticut, which had given Bank of New York Mellon the
information so it could offer those consumers an investment opportunity.

Lesson Learned: For Bank of New York Mellon, know that when data is released to a
third-party that their security is as good or better than yours. Encryption isn't
just something that is good for the data held at an institution; it's also
something to consider for data that leaves the institution.

3. Hannaford Data Breach

In March, the Maine-based Hannaford Brothers grocery store chain announced that
4.2 million customer card transactions had been compromised by the hackers. More
than 1800 credit card numbers were immediately used for fraudulent transactions.

The affected banks and credit unions were forced to reissue the credit and debit
cards. Within two days of the breach announcement, two class action suits had been
filed on behalf of customers against the retailer. The retailer claims its systems
were PCI-compliant and had passed a PCI assessment shortly before the hack was
discovered.

Lesson Learned: The case is still open, and forensic reports by security
investigators brought in by Hannaford have not been made public. The PCI Security
Council has pledged that if the PCI requirements are found to be wanting in light
of the report, they will make changes to tighten the requirements. Cases such as
Hannaford may be the impetus behind legislation to require prompt notification of
a data security breach.

4. Countrywide Insider Theft

In August, a former Countrywide Financial Corp. senior financial analyst, Rene

Rebollo, was arrested and charged by the FBI for stealing and selling sensitive
personal information of an estimated 2 million mortgage loan applicants. How he
did it over a two-year period was to download about 20,000 customer profiles each
week onto flash drives, working on Sunday nights, when no one else was in the
office. Rebollo then took the excel spreadsheets to business center stores to
email to buyers.

Countrywide, now owned by Bank of America, was already facing money and reputation
issues because of the subprime loan meltdown before it faced the insider threat of
Rebollo.

Lesson Learned: While Countrywide and Bank of America now know firsthand what a
rogue insider can do, other institutions need to do a better job of monitoring
their employees and creating asset controls. As the economy continues to produce
layoffs, this threat may become even more so, as fearful employees look to cash in
on their trusted status and take data just in case they face unemployment.

5. GE Money Backup Tape Goes AWOL

Early in January, Iron Mountain said it could not find a backup tape that belonged
to GE Money, containing information on J.C. Penney customers and 100 other
retailers.

The tape was stored in an Iron Mountain vault, says an Iron Mountain statement
issued about the loss, and had been requested by GE Money in October 2007. The
tape contained the personal information of about 650,000 J.C. Penney customers and
the other 100 retailers. GE Money processes credit cards for those retailers. As a
records and archive company that specializes in records management, Iron Mountain
was at a loss to explain the tape's whereabouts.

Iron Mountain said it was an unfortunate case of a misplaced tape, but asserts
that there was no evidence that the information was obtained and used by
unauthorized persons. The missing tape also included about 150,000 social security
numbers.

Lesson Learned: While GE Money paid for credit monitoring for the 650,000 credit
card holders, Iron Mountain may have learned to better monitor where media is
located. For the rest of companies that hold information of a personally
identifiable nature, there is another reason to keep it safe from prying eyes. The
cost of an average data breach can hit a company's bottom line. According to a
study conducted by the Ponemon Institute, an independent information security and
privacy research group, data breaches are costing businesses an average of $197
per customer record, up from $182 in 2006.

6. RSA Report: Half-Million Banking ID's Stolen

In November, security vendor RSA said it found a single Trojan that had taken more
than 500,000 online banking accounts credentials, credit cards and other
resources. The company's Fraud Action Research Team added that the hacking gang
behind the Trojan may have been operating for as long as three years. The
compromised data came from hundreds of financial institutions around the world.

Lesson Learned: The Trojan Sinowal is so tricky that the average institution or
customer would not even know that they are infected with it. Taking a
professional, defense-in-depth approach to protecting a network and customers is
the best remedy.

7. Compass Bank Hard Drive Stolen, 1 Million Accounts Taken

At the sentencing of a former bank programmer at Compass Bank in Birmingham, AL.

in March, it was revealed that the accused had stolen a hard drive with 1 million
customer records and used it to commit debit-card fraud. James Kevin Real is now
serving a 42-month sentence and was ordered to pay back the more than $32,000 that
he and an accomplice withdrew from Compass Bank customer accounts. The bank
claimed that the customer records contained limited information, but Real was able
to create 250 counterfeit debit cards. He used 45 of them to access and withdraw
cash before being arrested.

At the time of Real's sentencing, Alabama was one of 11 states that didn't require
companies to automatically notify customers of data breaches.
Lesson Learned: Compass Bank dodged a bullet in terms of cost on this breach. It
would have had to notify all 1 million customers of the compromise of their data
had the hard drive theft been in a state that requires notification. Other than
the 250 customers that Real took money from, no other customers were notified of
the data loss. That means that 999,750 of the other 1 million customers weren't
notified of the potential risk.

8. Ski Resort Okemo Suffers Hannaford-Like Data Breach

In an attack similar to what hit Hannaford Brothers in March, the Okemo Ski Resort
in Vermont said in April it had been hit by hackers that installed malicious
software to capture credit card data as it was being processed at the resort. Law
enforcement officials at the time said they were investigating as many as 50 other
similar incidents in the Northeast.

Lesson Learned: PCI compliance is like a driver's license -- it may mean that a
retailer has passed the test for compliance, but doesn't necessarily mean it is in
compliance.

9. Retailer Montgomery Ward

Six months after a breach happened at the parent company of the Montgomery Ward
website, the company Direct Marketing Services finally began notifying customers
that their credit card information was stolen in the hack. At least 51,000 records
were stolen out of a database in December, 2007.

Direct Marketing said it had promptly contacted its payment processor and Visa and
MasterCard, and it also notified the U.S. Secret Service.

Lesson Learned: Direct Marketing Services was forced into contacting the customers
after the company CardCops, an investigative firm that tracks credit card thefts
for the financial services industry, found more than 200,000 payment cards being
offered for sale on an Internet chat room often visited by card thieves. Better to
take the public relations role and confess the breach than possibly face data
breach notification lawsuits by consumers and state attorney generals.

10. More Than $5 Million Taken By ATM Capers

The Automatic Teller Machine capers are hitting everywhere. In June, two men were
charged with making hundreds of withdrawals from New York City ATMs, grabbing
$750,000 in the process, using stolen information from a previous computer
intrusion into a Citibank server that processes ATM withdrawals. One of the same
accused also allegedly took $5 million in withdrawals from iWire prepaid
MasterCard accounts.

Lesson Learned: While Citibank denied the indictment's charge that their server
had been breached and blames a third-party transaction processor for the
compromise, it still meant it had to notify and reissue new debit cards to those
customers that the bank believed were exposed to increased risk.

The Top 10 Data Breaches of 2007 - CSO Online

(http://www.csoonline.com/article/216878/The_Top_Data_Breaches_of_?page=1 Opinion)

2007 Data Breaches Not As Bad As We Think - Baseline Mag

(http://www.baselinemag.com/c/a/Projects-Security/2007-Data-Breaches-Not-As-Bad-
As-We-Think/)

Data breaches: 2007 IT failure superstar - ZDnet

(http://blogs.zdnet.com/projectfailures/?p=558)

Chronology of Data Breaches from Privacy Rights Clearing House

(http://www.privacyrights.org/ar/ChronDataBreaches.htm)