Impact: Confidential information of 1.3 million job seekers stolen and used in a phishing scam.
Hackers broke into the U.S. online recruitment site's password-protected resume library using credentials that Monster Worldwide Inc. said were stolen from its clients. Reuters reported that the attack was launched using two servers at a Web-hosting company in Ukraine and a group of personal computers that the hackers controlled after infecting them with a malicious software program. The company said the information stolen was limited to names, addresses, phone numbers and e-mail addresses, and no other details, including bank account numbers, were uploaded. One problem was that Monster learned of the breach on Aug. 17 but didn't go public with it for five days. Another, reported by Symantec, was that the hackers sent out scam e-mails seeking personal financial data, including bank account numbers. They also asked users to click on links that could infect their PCs with malicious software. Once that information was stolen, hackers e-mailed the victims claiming to have infected their computers with a virus and threatening to delete files unless the victims met payment demands.
Date: July 2007
Impact: An employee of FIS subsidiary Certegy Check Services stole 3.2 million customer records including credit card, banking and personal information.
Network World reported that the theft was discovered in May 2007, and that a database administrator named William Sullivan, said to own a company called S&S Computer Services in Largo, Fla., had been fired. But the theft was not disclosed until July. Sullivan allegedly sold the data for an undisclosed amount to a data broker, who in turn sold it to various marketing firms. A class action lawsuit was filed against FIS and one of its subsidiaries, charging the companies with negligence in connection with the data breach. Sullivan agreed to plead guilty to federal fraud charges and was sentenced to four years and nine months in prison and ordered to pay a $3.2 million fine. On July 7, 2008, a class-action settlement entitled each person whose financial information was stolen to up to $20,000 for unreimbursed identity theft losses.
This story, "The 15 Worst Data Security Breaches of the 21st Century" was originally published by CSO.