We knew when we started the Primary Sources Archive that we'd find some interesting incidents. There was little doubt that what we were seeing reported in the media was a fraction of what was really going on, and we continue to feel that even what we find in the media and in primary sources still represents a fraction of what really goes on. We did not exactly anticipate finding enormous unreported breaches via primary sources, however.
We recently launched a small initiative to get primary sources via volunteer contributors from across the 50 states. One volunteer recently submitted a batch of files to us, obtained through a FOIA-equivalent request to the state of Illinois. Most of those were incidents we already knew about, with some exceptions, and one rather large exception.
It would seem that Walmart experienced a significant breach in mid-2007 that we had never heard of in the media. A former employee left Walmart with personnel data of over 48,000 Walmart associates residing in the state of Illinois. That is an enormous number of records for just one state.
In reading the language of the document obtained, it would seem that the breach wasn't exclusively affecting residents of Illinois, leading us to ask: who else was affected, and why haven't we seen this elsewhere? If we make the assumption that the breach was nationwide, then it may have affected over a million people. Considering Walmart employs 1.8 million people, the numbers aren't terribly off.
- Number Affected in Illinois * Population of the USA / Population of Illinois = Number Affected in USA
- 48,000 * 300,000,000 / 12,852,548 = 1,120,400
That assumes that the breach isn't localized, and that population is a reliable metric for measuring data loss incidents, neither of which is known. Regardless, this is a significant breach, and we never heard of it until now.
We have several FOIA-equivalent requests out for data during that timeframe which may shed more light on the incident, but we found it interesting enough to post now.
As an aside, and while on the topic of older breaches, the Oldest Data Loss Incidents contest is still underway. We have great prizes available, so be sure to compete!