The Top 10 Data Breaches of 2007

By Scott Berinato

If there’s only one thing you’ll remember from 2007, it will be Britney Spears’ meltdown. But if there are two things you remember, it will be Britney and the thousands of data breaches that were reported in 2007, right? Right? Well, it’s what we’ll remember, and since we don’t necessarily do celeb gossip (unless you’ve got a good security angle…) we decided to offer up a review of the best and worst of Disclosure ’07.

Each breach gets rated on our nifty, unscientific "Class-Action Outrage Scale," judging the likelihood that ambulance-chasing lawyers could have a field day. Look out, Monster: we estimate nine of 10 lawyers are outraged on behalf of your 1.3 million victims.

Our "D’oh! Factor" (thank you, Homer Simpson) reflects just how egregious and goofy the breach was. Take a look at how Swedish Urology Group earned itself five out of five Homers. Ick.

Some breaches on our list are serious. Some are funny. And some are just plain sad. But all of them were probably preventable. Alas.

10. Monster -- New Job Posting on Monster: CISO for Monster

Victims: 1.3 million

Class Action Outrage Scale: 9 out of 10 lawyers

D’oh! Factor: 2 out of 5 Homers

Hackers allegedly stole legitimate credentials from Monster’s job-seekers to plant malware on the site and execute a phishing scheme. Later we came to learn Monster waited five days to inform customers. When it did, the disclosure letter sounded like a legal CYA, referring to Monster as "The Company" and constantly reminding victims that this kind of thing happens to companies all the time. The news hit right after Monster reported lower-than-expected earnings and planned layoffs. Ouch!

9. Commerce Bank of Wichita, Kansas -- Now That’s Just Showing Off

Victims: 20

Class Action Outrage Scale: 0 out of 10 lawyers

D’oh! Factor: 1 out of 5 Homers

So Commerce discloses that a hacker gained access to a customer database, but that the bad guys only managed to ascertain 20 personal records. "The hacking was quickly detected and stopped, according to the bank," noted one news story. Twenty records? Anyone else get the sense this is some marketing scheme? You know, set up a breach and stop it quickly to show how effective your security is? PR Genius!

8. Indianapolis Power and Light -- Keeping the Lights on a Little Too Long Maybe

Victims: 3,000

Class Action Outrage Scale: 4 out of 10 lawyers

D’oh! Factor: 4 out of 5 Homers

Names, addresses and Social Security numbers of 3,000 Indianapolis Power and Light customers were inadvertently posted online ... for up to four years. Of course, a power outage would have solved the problem.

7. TSA -- Doing DHS Proud!

Victims: 3,930

Class Action Outrage Scale: 7 out of 10 lawyers

D’oh! Factor: 3 out of 5 Homers

Two laptops with names, addresses, birthdays, Social Security numbers and commercial driver’s license numbers of truckers who transport hazardous materials are missing and considered stolen from TSA. Don’t worry, though. How easy could it be to pose as a commercial truck driver transporting hazardous materials with only that information?

6. Shaw’s Supermarket -- ‘What Should We Use for Passwords? Oh, I Know!’

Victims: 472 store employees

Class Action Outrage Scale: 2 out of 10 lawyers

D’oh! Factor: 5 out of 5 Homers

First, an "individual entered a secure area of the ... store and stole a desktop computer," according to a disclosure letter from the Salem, N.H., store. Doesn’t the fact that a person entered and stole something make it, um, a not secure area of the store? But hey, it was just a training computer. Well ... there is this: "The store associates log on to this system by using their Social Security numbers as passwords." Probably because bank account numbers are too hard to remember.

5. Swedish Urology Group -- Urine Trouble!

Victims: "Hundreds"

Class Action Outrage Scale: 1 out of 10 lawyers

D’oh! Factor: 5 out of 5 Homers

Doctors lost three hard drives containing patients’ personal information, and we mean personal!

4. The Nature Conservancy -- Think of It as Recycled Data

Victims: 14,000

Class Action Outrage Scale: 9 out of 10 lawyers

D’oh! Factor: 4 out of 5 Homers

Someone at the Conservancy was thinking locally but acting globally by apparently visiting a website of questionable provenance. The site was poisoned with malware. Soon, malicious hackers were clear-cutting names, home addresses, birthdates, Social Security numbers of employees and their dependents, and, yes, direct deposit bank account numbers. Let’s hope there’s been a climate change in the group’s security department.

3. TSA, Part II -- Still Doing DHS Proud!

Victims: 100,000

Class Action Outrage Scale: 3 out of 10 lawyers

D’oh! Factor: 4 out of 5 Homers

Thieves stole a computer hard drive with the names, Social Security numbers, dates of birth and bank account and routing information of current and former employees, including federal air marshals. Don’t worry, though. How easy could it be to pose as an air marshal with only that information?

2. Her Majesty’s Revenue and Customs -- One Regrets the Error

Victims: 25 million

Class Action Outrage Scale: 10 out of 10 lawyers

D’oh! Factor: 2 out of 5 Homers

Two CDs containing personal data on about 7 million families went missing in the mail, and the HMRC chancellor resigned. Frankly, we included it just so we could quote sentences like: "The chancellor seeks the advice of the Serious Organised Crime Agency," and “Mr Cable said he sincerely hoped the discs would not fall into the hands of ‘the criminal fraternity,’” and "Police have visited London rubbish tips in their hunt for missing computer discs." Makes the worst breach in Britain’s history sound kind of lovely.

1. TJX -- ‘Sorry About That. Here’s a Gift Card. Come Back Soon for Our Sale!’

Victims: Millions of bargain shoppers worldwide

Class Action Outrage Scale: 8 out of 10 lawyers

D’oh! Factor: 3 out of 5 Homers

No breach got more ink this year than TJX’s, which involved some, OK, tens of millions, OK, 50 million, all right, all right, around 100 million credit and debit card records. Priceless moments included TJX’s defense in press accounts that "our security was comparable to many other major retailers" and the portion of TJX’s proposed settlement with consumers in which the company would hold a three-day “Customer Appreciation Sale” and give some customers $30 store vouchers. (Sorry about the E. coli in the meat in our store; here’s a gift card to buy more meat in our store.) After consumer advocates raised a stink, the vouchers were changed to $15 checks. Sad as the whole episode was for consumers, TJX’s stock has remained healthy. Don’t you just love a bargain?

Executive Editor Scott Berinato can be reached at


Copyright © 2007 IDG Communications, Inc.
