When hackers break into social networking sites, medical records databases or entertainment companies, experts say it’s consumers who often end up paying the price.
Systems such as Sony’s gaming network, which was breached this year, have become increasingly attractive for cyber criminals, especially now that video gaming accounts contain such valuable personal details, says Adam Levin, chairman and founder of Identity Theft 911, an identity and data risk management company. “The Sony breach last April merely underscores something obvious: Gaming networks and similar sites are delicious targets.”
Breaches cost organizations millions of dollars, which tends to trickle down to consumers, says Evan Brown, an associate in law firm Hinshaw & Culbertson. “It is inevitable that the costs will be passed on,” he says. Apart from investigative costs, he says, many companies that are the target or victim of a data breach offer credit monitoring services to affected individuals.
The number of personal files being compromised is also on the rise, though the number of actual cyber crimes this year is lower than last year. Some 30.4 million records were compromised in 2011 in 535 separate breaches, according to the Privacy Rights Clearinghouse. That’s up from 12.3 million in 2010.
Not all breaches involved sophisticated hackers. Those at Sutter Physicians Services in October and military healthcare program Tricare Management Activity in September were the result of the theft of hardware and software, respectively. They underscore the importance of not forgetting the low-tech protections like encrypting files and not leaving back-up disks unattended, Brown says.
Others didn’t involve social security numbers, but did have implications for password security. “Capturing a customer list containing thousands of email/password combinations represents a potential threat to online bank accounts and other web-based services,” says Steve Fox, senior security auditor at IT security business Coalfire.
Pay Dirt asked a range of security experts for the worst breaches of the year. Here they are in no particular order:
The letter begins politely, as do all letters delivering bad news. Sony’s came with those three little words at the top: “Customer Service Notification.” That’s when you should sit down. It’s usually all downhill from there. Announcements like these informing you that your data has been breached are becoming all too common.
Sony’s letter addresses customers thus: “Dear Valued Sony Online Entertainment Customer.” That’s humble, polite, dignified: 10/10 for a good start. In short, the letter says that the data breach of 77 million PlayStation users now extends to 24.6 million Sony Online Entertainment customers.
Jonathan Bernstein, president of Bernstein Crisis Management, was put off by the technical and sometimes confusing “corporate-speak” in Sony’s letter. “The theft itself undermines Sony’s perceived competency,” he says, “but I think they did a good job, overall, of factually communicating how they were getting back on top of the situation.”
Pay Dirt has already given some rules of thumb for customers whose information was breached. There will be an increasing number of letters like these from other companies in the months and years to come, so here are the top 5 tips on how best to translate them.
Pay Dirt examines the millions of consumer decisions Americans make every day: What to buy, how much to pay, whether to rave or complain. Lead written by Quentin Fottrell, the blog examines these interactions, providing readers with news, insight and tips on shopping, spending, customer service, and companies that do right – and wrong – by their customers. Send items, questions and comments to firstname.lastname@example.org or tweet @SMPayDirt.