by Al Sacco

Data Breaches: Preparation, Damage Control and a Recent History

Feb 06, 2007
8 mins
Risk Management

The TJX Companies, UCLA, Boeing, the Department of Veterans Affairs (VA), ChoicePoint, Bank of America, DSW Shoe Warehouse and T-Mobile.  These are just a few of the entities hit in recent years with high-profile data breaches, and they surely won’t be the last organizations to fall victim to such incidents.  Indeed, security breaches are as common in today’s business landscape as bad coffee and briefcases.  And the potential value to fraudsters of such information as names, social security numbers, dates of birth, addresses and the like—the key ingredients in the ID theft recipe—will keep thieves and criminals crawling back for more like spiders to the web.

Whether you and your enterprise have already experienced a data breach and know all too well how to put out the associated fires, or you think you’ve got the most secure systems in all of IT land, the following resources are sure to help you respond to and better prepare yourself for that inevitable data breach.

Bookmark this page because you never know when your valuable data is going to turn up in the hands of someone you wouldn’t trust with your daily garbage.

Check out our CIO News Alerts and Tech Informer pages for updated news coverage.

Editor’s Picks:


When the Dike Breaks: Responding to the Inevitable Data Breach (CSO magazine feature article)

Attorneys John Hutchins and Charles Palmer offer advice on how to be ready for a data breach.

Avoid a Meltdown: Reacting to a Security Breach (CSO magazine feature article)

How your company handles a data breach can make the difference between survival and extinction.  Here’s how to ensure your organization is ready to react.

How to Minimize the Impact of Laptop Theft ( column)

Here are three simple steps that can reduce your risk of confidential data loss and streamline remediation in the event of laptop theft or loss.

Get Smarter About Security Risks (CIO magazine column)

How much you should invest in protecting corporate data depends on how good you are at assessing the threat.  Here’s how to assess your risk intelligence.

Managing Reputation (CSO magazine column)

The CSO role has risen to the top of the corporation, and with that rise has come personal risk. Here’s a look at the corporate and personal risks associated with data security breaches, and what savvy CSOs and CISOs can do to protect their companies and their reputations.

TJX Breach: Why This One’s Different ( blog post)

Banks have linked fraudulent credit card purchases to the security breach at TJX, during which hackers nabbed possibly millions of credit card numbers. Many security experts say that matching a specific incident of credit card fraud to a specific security breach is unprecedented.

TJX Security Breach Response Is Species of Ragtime ( blog post)

TJX screwed up royally in recent days. resident Cranky Old Guy David Rosenbaum takes TJX Chairman to task in this blog post for the way he notified those potentially at risk of ID theft or fraud.  Check it out, and discover why he earns his moniker.

Crisis Management or Lack Thereof? ( blog post)

In this blog entry, CSO Publisher Bob Bragdon explains why TJX’s recent damage-control efforts following a large-scale data breach at the retailer are a perfect example of how NOT to handle a crisis.

The Never-Ending ChoicePoint Story ( column)

Is the record-breaking $15 million settlement between the Federal Trade Commission and ChoicePoint just a shot in the dark?  Fifteen million is a big number, but is it fitting, considering the size and scope of the associated data breach?  There’s no right or wrong answer; this is new territory, as CSO Senior Editor Sarah D. Scalet explains in the column. Read the piece for why she thinks the settlement is only an early act of the ChoicePoint drama.

Related Content from CIO Magazine, CSO Magazine and

Data Breaches Cost You More (CIO magazine article)

Data breaches continue to become more expensive: Costs to companies weigh in at a hefty average of $182 per compromised record. That’s a 30% increase over the 2005 average cost of $138.

U.S. Government Barely Earns Passing Grade in Cybersecurity ( news)

The Cyber Security Industry Alliance gave the U.S. government D grades on its cybersecurity efforts in 2006, and renewed its call for the U.S. Congress to pass a comprehensive data-protection law in 2007.

The Profits in Privacy (CIO magazine feature article)

Contrary to popular belief, protecting the privacy of customer data and making a profit are not mutually exclusive goals. This article lists several leading companies that have accomplished both, as well as how they pulled it off.

The Five Most Shocking Things About the ChoicePoint Debacle (CSO magazine feature article)

Personal information of nearly 145,000 people wasn’t stolen from ChoicePoint–it was sold to inadequately vetted bogus businesses.  Read this article for more information on the massive data breach.

A Recent History of Data Breaches:

TJX Breach Worse Than First Reported

TJX Companies, the firm that operates retail outlets T.J. Maxx, Marshall’s and HomeGoods, in February stated that a data breach it revealed in January may have occurred a year earlier than investigators initially thought and millions more customers may have been exposed.

Massive TJX Security Breach Reveals Credit Card Data ( news)

The TJX Companies in January announced a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad.

U.S. Tops 100M Records Exposed on Boeing Privacy Breach ( news)

In December 2006, Boeing disclosed that a laptop containing records on roughly 382,000 of its current and former employees—some of which were unencrypted—had been stolen from an employee’s vehicle.  That stolen laptop pushed a widely watched tally of U.S. data breach victims past the 100 million mark.

UCLA Data Breach Exposed Records on 800K ( news)

In December of 2006, a data breach at the University of California, Los Angeles (UCLA) exposed records containing personal information—including some names, Social Security numbers and birth dates—on roughly 800,000 current and former students and faculty members, as well as a number of people who applied to the school but never ended up attending.

Data Theft at the VA ( online feature)

In the spring of 2006, personal records on roughly 26.5 million veterans, stored in a laptop computer, were stolen from the home of a data analyst working for the Department of Veterans Affairs. In the aftermath and following investigations, there have been resignations, firings and a wholesale rethinking of how the government and private agencies should be protecting personal information.  Check out this collection of news stories to see how the event unfolded, from the initial breach announcement to the agency’s various clean-up efforts.

Feds Make Progress With Fund for ChoicePoint Victims—But Barely ( news)

Ten months after the landmark settlement that established a $5 million redress fund for consumers impacted by the ChoicePoint privacy breach, the U.S. Federal Trade Commission (FTC) started collecting information on what the breach actually cost identity theft victims.  The FTC also spent the first part of the $5 million fund, not on consumer compensation but on a contract “redress administrator” who will help gather data and crunch numbers about costs incurred by the victims.  Read on for more on how the FTC addressed the breach.

ChoicePoint Identity Theft Victims to Be Compensated ( news)

The U.S. Federal Trade Commission (FTC) has begun mailing claim forms to more than 1,400 identity-theft victims who spent money to clear up identity-theft problems due to a security breach at data broker ChoicePoint in early 2005.

AOL Releases Data on Web Searches ( news)

In the summer of 2006, AOL caught heat for releasing details of Internet searches performed over a period of three months by hundreds of thousands of its subscribers. The data, apparently made available for research purposes, was quickly removed from the Web; however, other sites that posted the information had pages cached by Google’s search engine, so the data was still available after being removed by the ISP.

Google: AOL Breach Wouldn’t Happen at Our Company ( news)

The highly publicized release of a database of online search histories that got AOL into so much hot water in the summer of 2006 could never happen at Google, CEO Eric Schmidt proclaimed.  Read this article for his reasons why not.

Data Scandals Include Plenty of Big Names

A data scandal roll call in the fall of 2005 included big names in nearly every industry.  For instance, Bank of America, LexisNexis, Time Warner, DSW Shoe Warehouse, T-Mobile and the University of California, Berkeley all experienced data security breaches that year.  And those were only the instances in which personal data was stolen and, therefore, the breach was reported. Some experts say that there are hundreds if not thousands of other, less-publicized cases in which sensitive personal data has been compromised.  Read this article for what this means to CIOs.
