Wednesday, December 23, 2009

Worst Security Breaches of 2009: Part I

The only comforting news in Computerworld’s 2009 year-ender on data breaches was that every one of them was caused by mundane security failures that are within any organization’s ability to control.

A lost laptop here, a poorly coded or un-patched piece of software there, rogue insiders and inadvertent disclosures were to blame for these breaches, not sophisticated new hacking tools or attack techniques.

And thankfully, only one of the 5 occurred in health care, despite accelerating trends in the sector to store and transmit confidential patient information electronically.

This post reviews the top 2 entrants in Computerworld’s 2009 data breach “Hall of Shame.” Number 3 on its list is the Health Net fiasco which has been covered by EHRBloggers here. The last 2 gaffes, accidental disclosure of US civilian nuclear secrets by a Government-run Web site, and RockYou Inc’s loss of 32 million passwords that were stored in plain text, will be covered in Part II of this series.

#1. The TSA and the Unredacted SOP Manual
In a lapse that would be laughable if it weren’t so egregious, a contract official working for the Transportation Security Administration posted an improperly redacted version of the organization’s Standard Operations Procedures on a public Web site as part of a TSA contract solicitation bid.

The document contained detailed information on airport screening procedures and protocols used by officials at 450 US airports, including how to screen passengers and check for explosive devices, special procedures for handling CIA operatives, law enforcement officials and diplomats, and the technical settings and tolerances used by metal and explosive detectors at airports.

The TSA claimed the document was outdated, but the incident stirred up a hornet’s nest in Washington, where lawmakers viewed the breach as a threat to national security.

According to Barry Murphy, who works for Murphy Insights, a consultancy specializing in records management, e-discovery and content archiving, electronic redaction errors typically result from basic misunderstandings about how electronic redaction works.

"If I put a lot of black magic marker on paper, I am actually covering the data so that it is redacted," Murphy explained in an interview with Computerworld. But "in the digital world that is not true."

Obscuring text in a word processor by placing black boxes over it, for example, does not redact it, Murphy continued. The text can still be indexed, and remains searchable and easily retrieved by simply copying and pasting the redacted portion to another document.

Another common mistake that companies make, Murphy said, is to overlook metadata or otherwise hidden information and revision histories that are routinely embedded in PDF files and Microsoft Word documents. Blacking out text or even deleting it does not void this metadata. The only way to assure that key data is truly removed from such files is to use redaction tools specially designed for this purpose.
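The two mistakes Murphy describes can be checked for before a file is released. The sketch below is an added example, not code from Computerworld, Murphy or the TSA: it scans a PDF's text layer and metadata for terms that were supposed to be redacted. The function names, the watch list and the two sample PDF fragments are constructed for illustration, and the scan only reads literal strings in Flate-compressed or uncompressed streams.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
STRING_RE = re.compile(rb"\((.*?)(?<!\\)\)", re.S)  # PDF literal strings: (text)

def pdf_strings(pdf):
    """Literal strings from content streams plus everything outside them (metadata)."""
    chunks = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            raw = zlib.decompressobj().decompress(raw)  # FlateDecode stream
        except zlib.error:
            pass  # stream was stored uncompressed; scan it as-is
        chunks.append(raw)
    chunks.append(STREAM_RE.sub(b"", pdf))  # Info dictionary and other objects
    return [s.decode("latin-1") for c in chunks for s in STRING_RE.findall(c)]

def squash(s):
    """Drop whitespace and case so text split across operators still matches."""
    return re.sub(r"\s+", "", s).lower()

def leaked_terms(pdf, terms):
    """Return the terms that are still recoverable from the file's text or metadata."""
    haystack = squash("".join(pdf_strings(pdf)))
    return [t for t in terms if squash(t) in haystack]

def make_sample(content, author):
    """Constructed PDF fragment: one compressed content stream and an /Author entry."""
    body = zlib.compress(content)
    return b"".join([b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n", body,
                     b"\nendstream\nendobj\n2 0 obj\n<< /Author (", author,
                     b") >>\nendobj\n%%EOF\n"])

BLACK_BOX = b"0 0 0 rg 70 695 200 16 re f"  # filled black rectangle
# Text drawn first, box painted on top: looks redacted, text is still in the file.
BOXED = make_sample(b"BT /F1 12 Tf 72 700 Td (Detector threshold: 42) Tj ET\n" + BLACK_BOX,
                    b"J. Contractor")
# Text operator removed and metadata cleared: only the box remains.
REDACTED = make_sample(BLACK_BOX, b"")
TERMS = ["threshold: 42", "J. Contractor", "diplomat"]  # constructed watch list

if __name__ == "__main__":
    print("boxed:   ", leaked_terms(BOXED, TERMS))
    print("redacted:", leaked_terms(REDACTED, TERMS))
```

An empty result only means none of the listed terms were found in the places this scan reads; hex-encoded strings, custom font encodings and revision data need a full PDF parser or a dedicated redaction tool.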

#2. Heartland Payment Systems Breaks a Record
Heartland made Computerworld’s list by smashing the record for the largest breach of credit card information in history.

Last January, the Princeton-based credit and debit card service provider announced that hackers had broken into its systems sometime during the previous year and inserted malware designed to steal card data carried on its networks.

The thieves used an SQL injection attack which allowed them to steal information for nearly 130 million credit and debit cards over several months. The previous record had been the theft of information from about 94 million cards from TJX Companies Inc in 2007.

SQL injection attacks had been used to carry out at least 10 thefts in the years before the Heartland heist.

Heartland claimed that no merchant data, cardholders' Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers had been compromised.

But Avivah Litan, an analyst with Gartner, Inc., claimed the hackers "made off with the gold" by stealing so-called Track 2 data from the magnetic stripe on the back of cards, which is all that’s required to create bogus cards.

Last summer, the US Department of Justice charged an American citizen, Albert Gonzalez, and 2 Russians with the theft.

"More radical security moves" need to be taken by the payment industry as a whole, Litan concluded. The security requirements contained in the industry-supported Payment Card Industry Data Security Standard are not stringent enough, she added.

Glenn Laffel MD, PhD
Sr. Vice President, Clinical Affairs, Practice Fusion

1 comment:

Christy on December 23, 2009 10:07 AM said...

There are so many great electronic redaction software packages out there like Redact-It from Informative Graphics Corp (redact-it.com) so there's no reason why the TSA needed to be in hot water over this.

Meet the EHR Experts

Glenn Laffel, MD, PhD - Dr. Laffel is a physician with a PhD in Health Policy from MIT and serves as Practice Fusion's Senior VP, Clinical Affairs.

Robert Rowley, MD - Dr. Rowley is a family practice physician and Practice Fusion’s Chief Medical Officer.
