Types of Data Breaches (Not from Hacking)

May 29, 2018

When it comes to data breaches, the odds are stacked against us, especially for highly regulated businesses. According to Ponemon, data breaches cost organizations in the U.S. an average of $225 per record compromised. More heavily regulated industries experience higher costs. Healthcare tops the list at $380 per capita, followed by financial services ($336), services ($274), life science ($264), and industrial ($259).

Not all data breaches are the result of hacking. We’ve outlined a few recent data breaches that were caused by other means, namely improper disposal or irresponsible resale. Businesses need to be aware of the many types of breaches to protect themselves from the same outcome:

RESALE WITHOUT WIPING

  • In 2017, used government computers from the City of Houston were sold to the highest bidder through online auction, packed with private, personal information. Of the 38 computers examined, 23 still had hard drives inside full of information.
  • A 2014 story reports a Canadian man holding Ernst & Young’s customer and business data ransom for thousands of dollars. He found data loaded on two servers that he bought in 2006 for just $300.
  • In 2013, Affinity Health Plan agreed to pay a $1.2 million settlement in a widely publicized HIPAA breach after their used photocopiers were purchased by CBS during an investigatory report. The devices contained confidential medical information of close to 350,000 individuals. In addition to the payment, Affinity was required to implement a corrective action plan requiring certain measures to safeguard all ePHI.
  • A 2006 breach left Idaho Power Co. scrambling to track down 4 hard drives that had been sold by their scrap vendor on eBay without having been wiped first. The disks contained hundreds of thousands of confidential documents, employee names, SSNs and confidential memos to the CEO.

IMPROPER DISPOSAL

  • In 2017, a ShopRite pharmacy in Millville, New Jersey discovered an electronic signature device was disposed of without first being wiped. Information included names, birth dates, phone numbers, signatures and other medical prescription data.
  • A 2017 settlement resulted in nationwide retailer Big Lots paying more than $3.5 million in civil penalties, costs, environmental projects and hazardous-waste minimization activities for improperly landfilling electronics and hazardous waste.
  • In 2018, Home Depot was fined $27.8 million for illegally dumping hazardous waste, including electronics, batteries, and fluorescent bulbs, and for not protecting customer identity.
  • In 2007, Chicago-based Loyola University discarded a computer that held Social Security numbers of 5,800 students before its hard drive was erased.
  • A 2012 incident involved South Shore Hospital paying $750,000 for shipping three boxes of 473 unencrypted backup computer tapes off-site to be erased without verifying that the company had proper safeguards in place to handle such information. The tapes contained names, Social Security numbers, financial account numbers and medical diagnoses of 800,000 individuals.

Businesses large and small can take precautions to minimize the risk of a data breach. Security policies must defend against both offline and online threats. Here are a few basic steps to get started:

  1. Secure Storage — Keep documents and data-containing devices physically secured in a locked bin or area with limited, controlled access.
  2. Secure Disposal and Destruction — Both documents and hardware should be securely disposed of through shredding (paper and hard drive disks) or erasure (hard drives, digital media devices). Be sure to use an R2 or e-Stewards certified vendor for any disposal, shredding, wiping or resale services to guarantee all data is securely destroyed.
  3. Electronic Security — User authentication and system protection, including passwords, firewalls and anti-virus software.
  4. Human Capital Security — Background checks, proper training, security policies and termination protocols will guard against human error, negligence or intentional misuse.

SEAM, based in Sioux Falls, South Dakota, can help businesses ensure their hardware is securely disposed of and data is completely destroyed. We offer hard drive shredding both onsite and off, safe electronics recycling, data wiping and value recovery through certified resale services. Contact us today for electronics recycling and data shredding.

SEAM provides IT recycling and data destruction services including onsite shredding and hard drive wiping to South Dakota, North Dakota, Minnesota, Iowa, and Nebraska.
