A data breach is the intentional or unintentional release of secure information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and also data spill. Incidents range from concerted attack by black hats with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media.
Definition: "A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so." Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), Personally identifiable information (PII), trade secrets of corporations or intellectual property.
According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed.
Many jurisdictions have passed data breach notification laws, requiring a company that has been subject to a data breach to inform customers and take other steps to remediate possible injuries.
This may include incidents such as theft or loss of digital media such as computer tapes, hard drives, or laptop computers containing such media upon which such information is stored unencrypted, posting such information on the world wide web or on a computer otherwise accessible from the Internet without proper information security precautions, transfer of such information to a system which is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted e-mail, or transfer of such information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.
ISO/IEC 27040 defines a data breach as: compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed.
The notion of a trusted environment is somewhat fluid. The departure of a trusted staff member with access to sensitive information can become a data breach if the staff member retains access to the data subsequent to termination of the trust relationship. In distributed systems, this can also occur with a breakdown in a web of trust.
Most such incidents publicized in the media involve private information on individuals, i.e. social security numbers, etc.. Loss of corporate information such as trade secrets, sensitive corporate information, details of contracts, etc. or of government information is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.
Insider versus external threats
Those working inside an organization are a major cause of data breaches. Estimates of breaches caused by accidental "human factor" errors range from 37% by Ponemon Institute to 14% by the Verizon 2013 Data Breach Investigations Report. The external threat category includes hackers and state-sponsored actors. Professional associations for IT asset managers work aggressively with IT professionals to educate them on best risk-reduction practices for both internal and external threats to IT assets, software and information.
Medical data breach
Some celebrities have found themselves to be the victims of inappropriate medical record access breaches, albeit more so on an individual basis, not part of a typically much larger breach. Given the series of medical data breaches and the lack of public trust, some countries have enacted laws requiring safeguards to be put in place to protect the security and confidentiality of medical information as it is shared electronically and to give patients some important rights to monitor their medical records and receive notification for loss and unauthorized acquisition of health information. The United States and the EU have imposed mandatory medical data breach notifications.
Although such incidents pose the risk of identity theft or other serious consequences, in most cases there is no lasting damage; either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the hardware stolen, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate damages by providing to the victims subscription to a credit reporting agency, for instance, new credit cards, or other instruments. In the case of Target, the 2013 breach cost Target a significant drop in profit, which dove an estimated 40 percent in the 4th quarter of the year.
Notable incidents include:
- In February 2015, Anthem suffered a data breach of nearly 80 million records, including personal information such as names, social security numbers, dates of birth, and other sensitive details.
- In June 2015, The Office of Personnel Management of the U.S. government suffered a data breach in which the records of 4 million current and former federal employees of the United States were hacked and stolen.
- In August 2014, nearly 200 photographs of celebrities were posted to the image board website 4chan. An investigation by Apple found that the images were obtained "by a very targeted attack on user names, passwords and security questions".
- In September 2014, Home Depot suffered a data breach of 56 million credit card numbers.
- In October 2014, Staples suffered a data breach of 1.16 million customer payment cards.
- In November 2014 and for weeks after, Sony Pictures Entertainment suffered a data breach involving personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of (previously) unreleased Sony films, and other information. The hackers involved claim to have taken over 100 terabytes of data from Sony.
- In October 2013, Adobe Systems revealed that their corporate data base was hacked and some 130 million user records were stolen. According to Adobe, "For more than a year, Adobe’s authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than 1,000 times. This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored."
Further information: Adobe Systems § Source code and customer data breach
- In late November to early December 2013, Target Corporation announced that data from around 40 million credit and debit cards was stolen. It is the second largest credit and debit card breach after the TJX Companies data breach where almost 46 million cards were affected.
- In 2013, Edward Snowden published a series of secret documents that revealed widespread spying by the United States National Security Agency and similar agencies in other countries.
- In the Summer of 2012, Wired.com Senior Writer Mat Honan claims that "hackers destroyed my entire digital life in the span of an hour” by hacking his Apple, Twitter, and Gmail passwords in order to gain access to his Twitter handle and in the process, claims the hackers wiped out every one of his devices, deleting all of his messages and documents, including every picture he had ever taken of his 18-month-old daughter. The exploit was achieved with a combination of information provided to the hackers by Amazon's tech support through social engineering, and the password recovery system of Apple which used this information. Related to his experience, Mat Honan wrote a piece outlining why passwords cannot keep users safe.
- In October 2012, a law enforcement agency contacted the South Carolina Department of Revenue (DoR) with evidence that Personally Identifiable Information (PII) of three individuals had been stolen. It was later reported that an estimated 3.6 million Social Security numbers were compromised along with 387,000 credit card records.
- In April 2011, Sony experienced a data breach within their PlayStation Network. It is estimated that the information of 77 million users was compromised.
- In March 2011, RSA suffered a breach of their SecurID token system seed-key warehouse, where the seed keys for their 2-Factor authentication system were stolen, allowing the attackers to replicate the hardware tokens used for secure access in corporate and government environments.
- In June 2011, Citigroup disclosed a data breach within their credit card operation, affecting approximately 210,000 or 1% of their customers' accounts.
- Thruout the year 2010, Chelsea Manning (then known as Bradley Manning) released large volumes of secret military data to the public.
- In December 2009 a RockYou! password database was breached containing 32 million user names and plaintext passwords, further compromising the use of weak passwords for any purpose.
- In May 2009 the United Kingdom parliamentary expenses scandal was revealed by The Daily Telegraph. A hard disk containing scanned receipts of UK Members of Parliament and Peers in the House of Lords was offered to various UK newspapers in late April, with The Daily Telegraph finally acquiring it. They published details in installments from 8 May onwards. Although it was intended by Parliament that the data was to be published, this was to be in redacted form, with details the individual members considered "sensitive" blanked out. The newspaper published unredacted scans which showed details of the claims, many of which appeared to be in breach of the rules and suggested widespread abuse of the generous expenses system. The resulting media storm led to the resignation of the Speaker of the House of Commons and the prosecution and imprisonment of several MPs and Lords for fraud. The expenses system was overhauled and tightened up, being put more on a par with private industry schemes. The Metropolitan Police Service continues to investigate possible frauds, and the Crown Prosecution Service is considering further prosecutions. Several MPs and Lords apologised and made whole, partial or no restitution, and retained their seats. Others who had been shamed in the media did not offer themselves for re-election at the United Kingdom general election, 2010. Although numbering less than 1,500 individuals, the affair received the largest global media coverage of any data breach (as at February 2012).
- In January 2009 Heartland Payment Systems announced that it had been "the victim of a security breach within its processing system", possibly part of a "global cyber fraud operation". The intrusion has been called the largest criminal breach of card data ever, with estimates of up to 100 million cards from more than 650 financial services companies compromised.
- In January 2008, GE Money, a division of General Electric, disclosed that a magnetic tape containing 150,000 social security numbers and in-store credit card information from 650,000 retail customers is known to be missing from an Iron Mountain Incorporated storage facility. J.C. Penney is among 230 retailers affected.
- Horizon Blue Cross and Blue Shield of New Jersey, January, 300,000 members 
- Lifeblood, February, 321,000 blood donors 
- British National Party membership list leak,
- In Early 2008, Countrywide Financial (since acquired by Bank of America) allegedly fell victim to a data breach when, according to news reports and court documents, employee Rene L. Rebollo Jr. stole and sold up to 2.5 million customers' personal information including social security numbers. According to the legal complaint: "Beginning in 2008 - coincidentally after they sold their mortgage portfolios under wrongful and fraudulent 'securitization pools,' and coincidentally after their mortgage portfolio went into massive default as a result thereof - Countrywide learned that the financial information of potentially millions of customers had been stolen by certain Countrywide agents, employees or other individuals." In July 2010, Bank of America settled more than 30 related class-action lawsuits by offering free credit monitoring, identity theft insurance and reimbursement for losses to as many as 17 million consumers impacted by the alleged data breach. The settlement was estimated at $56.5 million not including court costs.
- D. A. Davidson & Co. 192,000 clients' names, customer account and social security numbers, addresses and dates of birth
- The 2007 loss of Ohio and Connecticut state data by Accenture
- TJ Maxx, data for 45 million credit and debit accounts
- 2007 UK child benefit data scandal
- CGI Group, August, 283,000 retirees from New York City 
- The Gap, September, 800,000 job applicants 
- Memorial Blood Center, December, 268,000 blood donors 
- Davidson County Election Commission, December, 337,000 voters 
- AOL search data scandal (sometimes referred to as a "Data Valdez", due to its size)
- Department of Veterans Affairs, May, 28,600,000 veterans, reserves, and active duty military personnel,
- Ernst & Young, May, 234,000 customers of Hotels.com (after a similar loss of data on 38,000 employees of Ernst & Young clients in February) 
- Boeing, December, 382,000 employees (after similar losses of data on 3,600 employees in April and 161,000 employees in November, 2005) 
- "Chronology of Data Breaches", Privacy Rights Clearinghouse
- When we discuss incidents occurring on NSSs, are we using commonly defined terms?, "Frequently Asked Questions on Incidents and Spills", National Archives Information Security Oversight Office
- Risk of Insider Fraud: Second Annual Study. Ponemon.org (2013-02-28). Retrieved on 2014-06-10.
- Verizon Data Breach Investigations Report | Verizon Enterprise Solutions. VerizonEnterprise.com. Retrieved on 2014-06-10.
- Welcome to IAITAM. Iaitam.org. Retrieved on 2014-06-10.
- Ornstein, Charles (2008-03-15). "Hospital to punish snooping on Spears". Los Angeles Times. Retrieved 2013-07-26.
- Kierkegaard, P. (2012) Medical data breaches: Notification delayed is notification denied, Computer Law & Security Report , 28 (2), p.163–183.
- "2010 Annual Study: German Cost of a Data Breach" (PDF). Ponemon Institute. February 2011. Retrieved 2011-10-12.
- "Data breach at health insurer Anthem could impact millions". 15 February 2015.
- "Apple Media Advisory: Update to Celebrity Photo Investigation". Business Wire (StreetInsider.com). September 2, 2014. Retrieved 2014-09-05.
- Melvin Backman (18 September 2014). "Home Depot: 56 million cards exposed in breach". CNNMoney.
- "Staples: Breach may have affected 1.16 million customers' cards". Fortune.com. December 19, 2014. Retrieved 2014-12-21.
- James Cook (December 16, 2014). "Sony Hackers Have Over 100 Terabytes Of Documents. Only Released 200 Gigabytes So Far". Business Insider. Retrieved December 18, 2014.
- Goodin, Dan. (2013-11-01) How an epic blunder by Adobe could strengthen hand of password crackers. Ars Technica. Retrieved on 2014-06-10.
- "Target security breach affects up to 40M cards". Associated Press via Milwaukee Journal Sentinel. 19 December 2013. Retrieved 21 December 2013.
- Honan, Mat (2012-11-15). "Kill the Password: Why a String of Characters Can’t Protect Us Anymore". Wired.com (Condé Nast). Retrieved 2013-01-17.
- Honan, Mat (August 6, 2012). "How Apple and Amazon Security Flaws Led to My Epic Hacking". Wired.com. Retrieved 26 Jan 2013.
- "Protecting the Individual from Data Breach". The National Law Review. Raymond Law Group. 2014-01-14. Retrieved 2013-01-17.
- "Public Incident Response Report" (PDF). State of South Carolina. 2012-11-12. Retrieved 2014-10-10.
- "South Carolina: The mother of all data breaches". The Post and Courier. 2012-11-03. Retrieved 2014-10-110. Check date values in:
- Greenberg, Andy (9 June 2011). "Citibank Reveals One Percent Of Credit Card Accounts Exposed In Hacker Intrusion". Forbes. Retrieved 2014-09-05.
- Making Business a Little Less Risky: The Convergence of Data, Identity, and Regulatory Risks. LessRiskyBiz.blogspot.com (2011-06-13). Retrieved on 2014-06-10.
- Heartland Payment Systems Uncovers Malicious Software In Its Processing System
- Lessons from the Data Breach at Heartland, MSNBC, July 7, 2009
- GE Money Backup Tape With 650,000 Records Missing At Iron Mountain - Iron Mountain
- BNP activists' details published - BBC News
- "Bank of America settles Countrywide data theft suits"
- "Countrywide Sued For Data Breach, Class Action Suit Seeks $20 Million in Damages", Bank Info Security, April 9, 2010
- "Countrywide Sold Private Info, Class Claims", Courthouse News, April 05, 2010
- "The Convergence of Data, Identity, and Regulatory Risks", Making Business a Little Less Risky Blog
- Manning, Jeff (2010-04-13). "D.A. Davidson fined over computer security after data breach". The Oregonian. Retrieved 2013-07-26.
- "T.J. Maxx data theft worse than first reported". msnbc.com. 2007-03-29. Retrieved 2009-02-16.
- data Valdez Doubletongued dictionary
- AOL's Massive Data Leak, Electronic Frontier Foundation
- data Valdez, Net Lingo
- "Active-duty troop information part of stolen VA data", Network World, June 6, 2006
- "Data Loss Database" is a research project aimed at documenting known and reported data loss incidents world-wide.
- "Most Recent Data Breaches", TeamSHATTER.com, updated regularly
- "A Chronology of Data Breaches", Privacy Rights Clearinghouse, updated twice a week
- "Breaches Affecting 500 or More Individuals", Breaches reported to the U.S. Department of Health and Human Services by (HIPAA-covered) entities