Top Ten—Data Breaches that Made the News

By Annette Leonard

Many information security incidents are newsworthy, especially when they involve compromise of personal, financial and/or medical information.

Here is our “Top Ten” list of data breaches that have made the news over the past few years. While some of these compromises may have resulted from very sophisticated attack methods, others were traceable to basic lapses in good security practices—the very things the RMF security controls are intended to address.

10. Sony Online Entertainment (2013). 

Personal contact information and credit card information were stolen from over 100 million users of the PlayStation and Sony Online networks.

9. Adobe Systems (2013). 

Millions of customer records were stolen from a backup system with inadequate encryption.

8. Home Depot (2014). 

Point of sale systems were infected with malware posing as antivirus software; over 50 million card numbers were exposed.

7. Ameriprise Financial (2005). 

A laptop containing over 250,000 customer records was stolen; files on this laptop were not properly encrypted.

6. Tricare (2011). 

Several million users of the government health service had their medical information compromised due to “employee error” on the part of a contractor.

5. Anthem (2015). 

Tens of millions of records containing personal information were stolen from this health insurance company.

4. Edward Snowden (2014).

A former government contractor illegally removed and published classified documents from the National Security Agency (NSA).

3. National Archives and Records Administration (2008).

76 million records of military veterans were inadvertently exposed when a malfunctioning hard drive was sent out for repair without being properly sanitized.

2. Target Stores (2013-2014).

Over 40 million credit and debit card numbers were stolen through unauthorized access to the electronic cash register system. The access was apparently traced to a utility monitoring system that had an uncontrolled connection to the stores’ data networks.

1. Office of Personnel Management (OPM) (2015).

Several million records on government employees, including applications for security clearances, were exfiltrated by hackers possibly tied to a foreign government. It has been reported that many of the systems in use at OPM had known security weaknesses, but had not been upgraded or replaced due to “lack of funds”.

Access control, physical security, media protection, encryption, system interconnection, supply chain protection, employee training … the list goes on. Each of these types of security controls (or lack thereof) somehow played a role in this list of notorious data breaches.

And they’re all part of RMF!

