From January to June 2019, it was reported that there were approximately 4,000 publicly disclosed data breaches, all of which had resulted in close to 4.1 billion compromised records. (That is half of the amount of people living on Earth!) In 2020, the rate of data breaches had decreased slightly, but studies show that there is no sign of them slowing down. While data breach tactics are constantly evolving, there are a multitude of ways a company or individual can prevent their most sensitive and confidential information from being stolen.
We’ve broken down some of the more infamous data breachers below and included best practices to ensure that your data stays protected.
U.S. Department of Veteran Affairs
In May 2006, the U.S. Department of Veteran Affairs found themselves in the midst of some hot water when they publicly announced that a data breach had compromised the records of 26.5 million veterans. Among the private and sensitive information that was stolen were names, dates of birth, and Social Security numbers in addition to other personally identifiable information (PII), such as disability ratings.
The breach was caused by a Veteran Affairs data analyst who had taken a laptop and external hard drive home from the office that had contained the unencrypted information of all 26.5 million affected veterans. The laptop and hard drive were then stolen from the analyst’s home during a burglary which ultimately led to the breach.
While the department stated that there was no evidence to prove that the stolen information had been used illegally, unfortunately, that is not a risk one should be willing to take. It’s important to note that there is no statute of limitations on data breaches; just because the information wasn’t misused then, doesn’t mean it won’t happen in the future. Therefore, it is always safer to leave that sort of information at the office or to have a secure system in place if that information needs to be accessed remotely.
Marketing and data aggregation firm Exactis suffered a major breach in 2018 when a database containing sensitive information on 340 million individuals was accidentally released to a publicly accessible server. The stolen data totaled out to about 2TB worth of information on not only American individuals but businesses as well. (Remember: one-tenth of the Library of Congress can fit on a 1TB drive. Now double that!)
This breach, luckily, did not contain individuals’ credit card information or Social Security number, but it did contain names, email addresses, phone numbers, and even the ages and genders of a person’s children. This aspect of the breach is especially important to mention because even with a lack of financial or sensitive information, the information that was stolen can carry just as many negative consequences as it is all personally identifiable.
Having secured workspaces, servers, and data security protocols in place is just as vital to preventing a data breach as an in-house data destruction plan.
In 2011, military health program TRICARE announced that several of their computer tapes were stolen. The tapes in question were backup tapes of a military electronic health-record system that was in use from 1992 to 2011 and reportedly held the personal health information (PHI) of approximately 4.9 million subscribers.
The breach occurred when a TRICARE employee was tasked with transporting the tapes to an off-site storage facility as part of the company’s routine backup procedure, and the employee’s car was subsequently burglarized. While no financial information was held on the tapes, information pertaining to Social Security numbers, addresses and contact information, and even personal health data such as clinical notes, prescriptions, and laboratory tests were among the data stored.
While the military insurance carrier deemed the breach as a low risk to the affected individuals, only some of the information had been encrypted, meaning that most of the information would be fairly easy to pull and use for illegal purposes.
A common denominator in the data breaches above is not only human error but the misuse during storing and transporting of drives containing sensitive information. We understand that destruction does not always happen immediately after the drives and data are deemed end-of-life. Businesses may not have the proper equipment in-house or budget to outsource destruction, but it is this reason in particular why we at SEM stress that precautions and protocols should be in place to securely store and protect all data once it meets its end-of-life.
Whether the company is a small business, government agency, or health insurance carrier, all information and data should be locked up in a secure location, regardless of its end-of-life status. By leaving drives, whether encrypted or not, in unlocked office desk drawers, easily accessible boxes, or even in your personal vehicle and home, they are left vulnerable to hackers and thieves, and carelessness. We have more information on how to properly store your end-of-life data while awaiting destruction in this blog post.
When it comes to the destruction of data, it is always best practice to have an in-house destruction plan in place. At SEM, we have an array of various high-quality, high security NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your company or federally regulated destruction needs.