Data Breach Count Reaches All-Time High, Includes New Facebook, H&R Block Breaches

Written by Evan Schuman
July 10th, 2008

The number of reported data breaches has been soaring, with the figure from the first six months of 2008 some 69 percent higher than the number from the identical period last year. Among those were little-known recent breaches of Facebook, H&R Block and BearingPoint.

The report from the non-profit San Diego-based Identity Theft Resource Center lists 342 data breaches since Jan. 1, 2008. Of those 342 breaches, about 12 percent were attributed to cyber thieves, 16 percent to insider theft, 15.2 percent to accidental exposure and 13.5 percent to subcontractor issues. Also, about 20 percent of the data breaches involved data "on the move," referring to laptops, thumb drives or PDAs.

The Identity Theft Resource Center "data breach count has reached an all-time high," the report said. "The actual number of breaches is more than likely higher, due to underreporting, and the fact that some of the breaches reported, which affect multiple businesses, are listed as a single event."

Among those breaches were:

  • Facebook Driver’s License Numbers Leak

    When Facebook was installing a new software update in May, a code glitch displayed on the site the driver’s license numbers of two members, according to a letter from Facebook to those users.

    The two Maryland members who were affected had previously provided their driver’s license numbers as a form of authentication. A code glitch on May 2 caused an image of that number to be shown on Facebook for two hours, the letter said.

    "Once it was discovered, Facebook immediately fixed the software glitch," reads the letter. "In addition, Facebook has relocated the image of the driver’s license to a separate, secure database to ensure that such information is not inadvertently displayed in the future."

  • H&R Block: Users Able To Read Sensitive Conversations

    A software application error with H&R Block’s Web site in April permitted users to read other users’ online conversations with their tax counselor, said a letter from the financial advising company to the affected users.

    H&R Block said that for a user to have viewed this information, they "would have had to perform a series of particular and unlikely steps within the online program."

    "In order for this error to occur, the message board user had to fit a specific user profile and would have had to perform a series of particular steps within the online program," said a letter from H&R Block corporate counsel Catherine J. Watson to the Maryland Attorney General’s Office. In a letter to consumers, the company further said such steps were "unlikely."

    The consumer letter said users may have been able to see such information as names, social security numbers, credit-card numbers, driver’s license numbers or financial numbers of other users. H&R Block offered those whose information may have been breached free identity monitoring for a year.

  • BearingPoint: Laptop With Personal Data Stolen

    A burglar broke into the home of a BearingPoint employee last May, swiping a company-issued laptop that contained the names and Social Security numbers of six independent BearingPoint contractors, according to a letter sent to those contractors.

    The stolen laptop did not have any financial information about the contractors and the personal information on it requires two passwords and two forms of authentication to be accessed, the letter said. BearingPoint offered those contractors a free year of credit monitoring.

    "We have no reason to believe that the information stored on the stolen laptop was the target of the burglary or that the information has been misused," the letter said.

