Support DataLossDB
OSF needs your support! You can support OSF's DataLossDB in several ways, such as contributing news articles about data loss incidents or by updating older incidents as new information becomes available. Financial donations, which will support hosting, hardware upgrades, and advertising are also appreciated.
Sony had HOW many breaches?
2011-06-05 by Dissent
The Sony breaches have generated a lot of discussion. Some of it has centered on Sony's shocking failure to encrypt passwords and it being all-too-vulnerable to SQLi compromises (if those posting the data publicly are accurate as to how they compromised certain databases). Sony undoubtedly has a lot of explaining to do if it hopes to have future assertions of industry-standard security taken seriously.
To date, the two largest incidents affected over 100 million records. But were the PSN and Sony Online Entertainment (SOE) attacks two separate incidents or were they really one breach? Should DataLossDB.org have recorded one breach with over 100 million affected, or two incidents involving 77 million and 24.6 million, respectively? Or should we just treat the last 45 days' incidents as one #EPIC #FAIL and one big incident? In light of our mission to track unique breaches, the question is not trivial.
When news of the second incident broke, the first thought was to update the PSN entry and add another 24.6 million to that counter. But as more details emerged, it seemed clear that we should treat it as a separate incident. The attack had occurred on different days than the PSN attack, the data compromised were on different networks, it seems quite likely the different networks had different security measures involved (Sony later testified that databases with credit card data were treated with higher security), we did not know if the same individuals were involved in both attacks, and the company itself was reporting it as a second incident previously unknown to them and not as an update to the other breach. Our impression that these were two unique incidents was subsequently supported by the reports made to the New Hampshire Attorney General's Office for each incident (here and here).
Despite what we thought was an accurate way to track these breaches, one commenter to DataLossDB.org questioned our decision to treat the reports as two unique incidents. A researcher with Javelin Strategy commented that treating this as two incidents instead of one benefited Sony: they would not appear ranked 2nd in our list of all-time largest breaches on our home page. Since these incidents had the same parent corporation, he suggested, they should be treated as one aggregated incident.
While those points may appear reasonable to some, we find them unpersuasive. First, we do not make decisions based on whether an entity benefits or suffers from a particular decision. We make decisions based on whether the available information supports aggregating the data for a particular incident or not. In this case, although it is the same parent corporation, the available information does not support aggregation. In other cases, such as a Wellpoint breach that was initially entered as distinct incidents, when my research revealed that there was only one incident and that what appeared to be a second incident was really due to Wellpoint's vendor not fully securing the web sites after the first report, I recommended that those incidents be combined, and they will be. But other than a common target - Sony - where is there any evidence that this was just one incident? There is none.
We recognize that not everyone will agree with our decision, and that's fine. Should new information become available that suggests that a one-incident approach is more appropriate for these incidents, we will edit our entries.
As always, we welcome constructive thoughts about how to make the database more useful to stakeholders, but we do not expect all of our decisions to please everyone.
Recent Articles
- » 2011-04-05 - Epsilon Bingo
- » 2011-03-30 - The DataLossDB project welcomes Dissent!
- » 2010-09-07 - Open Security Foundation Announces New Advisory Board
About OSF Data Loss
DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation's DataLossDB.org, asks for contributions of new incidents and new data for existing incidents. For any questions about this site or the data contained within the site, please contact curators@datalossdb.org.
Latest Incidents
| records | date | organizations |
|---|---|---|
| 608 | 2012-02-03 | Unknown Organization, E*Trade Securities Ltd. |
| 0 | 2012-02-02 | Netfleet Domain Names |
| 0 | 2012-02-02 | East Lothian Council |
| 1,000 | 2012-02-02 | Unknown Organization, Basildon Council |
| 50 | 2012-02-02 | Staples Business Depot |
| 2,038 | 2012-02-02 | Security Savings Systems Inc., Derry Township |
| 250 | 2012-02-01 | Greene County |
| 0 | 2012-02-01 | Flores Mexican Restaurant |
| 787 | 2012-02-01 | Texas Police Association |
| 4,933 | 2012-02-01 | Obiblio |
Search
Largest Incidents
| records | date | organizations |
|---|---|---|
| 130,000,000 | 2009-01-20 | Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank |
| 94,000,000 | 2007-01-17 | TJX Companies Inc. |
| 90,000,000 | 1984-06-01 | TRW, Sears Roebuck |
| 77,000,000 | 2011-04-26 | Sony Corporation |
| 40,000,000 | 2005-06-19 | CardSystems, Visa, MasterCard, American Express |
| 40,000,000 | 2011-12-26 | Tianya |
| 35,000,000 | 2011-07-28 | SK Communications, Nate, Cyworld |
| 35,000,000 | 2011-11-10 | Steam (Valve, Inc.) |
| 32,000,000 | 2009-12-14 | RockYou Inc. |
| 26,500,000 | 2006-05-22 | U.S. Department of Veterans Affairs |
From the Blotter
| date | title |
|---|---|
| 2012-01-28 | Feds accuse 3 of ID theft and tax fraud |
| 2012-01-27 | Pennsylvania woman who said she was abducted gets 8 years for ID theft, fraud |
| 2012-01-27 | Credit Card/ ID-Theft at Record Levels: Fight Back! |
| 2012-01-24 | Feds target South Florida for identity theft prevention |
| 2012-01-24 | Massive identity theft scheme nets up to $5 million |
| 2012-01-23 | Identity theft insurance not always worth the cost |
| 2012-01-22 | Consumer Reports: Debunking ID-theft hype |
| 2012-01-21 | 12 indicted in multi-state identity theft ring |
| 2012-01-19 | Second fraud case linked to UVic data theft in B.C. |
| 2012-01-18 | Data Theft Doesn’t Always Mean Being Hacked |
Latest Fringe Incidents
| records | date | organizations |
|---|---|---|
| 40,000 | 2012-02-02 | Blacknight Internet Solutions Ltd |
| 1,136 | 2012-02-02 | Metropolitan Police Service (Scotland Yard) |
| 0 | 2012-01-30 | Midlothian Council |
| 70 | 2012-01-29 | The Above Network, LLC |
| 0 | 2012-01-26 | Unknown Organization, Naperville Unit District 203 |
| 0 | 2012-01-25 | Telefónica UK Limited |
| 8 | 2012-01-22 | Big Al's Sports Grill |
| 0 | 2012-01-20 | Manpower UK Ltd |
| 300,000 | 2012-01-19 | Arizona State University |
| 24,200 | 2012-01-16 | David Morgan |
Breach Types:
- Disposal Computer | Disposal Document | Disposal Tape | Disposal Drive
- Email | Fax | Fraud Se | Hack
- Lost Computer | Lost Document | Lost Drive | Lost Laptop
- Lost Media | Lost Mobile | Lost Tape | Missing Document
- Missing Laptop | Missing Media | Snail Mail | Stolen Computer
- Stolen Document | Stolen Drive | Stolen Laptop | Stolen Media
- Stolen Mobile | Stolen Tape | Unknown | Virus
- Web |
Sponsored By:
Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail officers@opensecurityfoundation.org with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2012, Open Security Foundation, All Rights Reserved.