PCI & HIPAA Data Breaches of 2012: Lessons Learned

Here’s a review of the top 2012 data breaches within both the PCI and HIPAA compliant industries, and a quick analysis of what went wrong so you can easily learn from their lessons without accruing the associated costs and legalities.

3.8 Million Tax Records Stolen in Largest State Agency Attack
Both Social Security and credit card numbers were stolen from the South Carolina Department of Revenue by hackers in August. A phishing email enabled hackers to steal credentials from users and eventually steal 74 GB of encrypted and unencrypted data.

Lessons learned: Encryption is a requirement for all organizations (including federal) that store credit card data and therefore need to meet PCI DSS compliance standards. One step ahead of encryption is administrative security, including training staff on security issues, which can prevent users from clicking on phishing emails and allowing the initial breach to occur. Check with any third-parties to ensure their staff is also properly trained.

Server Hack Leads to HIPAA Violation by Utah Department of Health
In April, 780,000 individuals were affected in a server hack at the authentication level that allowed hackers to access and steal SSNs and personal health records from the Utah Department of Health. One server was not configured according to normal procedure, and this allowed hackers to access the system.

Lessons learned: Technical staff in particular need proper HIPAA compliance training to ensure servers are configured correctly, especially servers that may contain ePHI (electronic protected health information) at rest. The state of Utah remediated by hiring an auditing firm to conduct independent security/HIPAA audits across all of their state agencies, suggesting they had not undergone one prior to the event. They also assigned a privacy and security officer to the department of health and improved security controls by adding network monitoring and intrusion detection.

Global Payments Inc. PCI Data Breach Affects 1.5 Million
Nearly 1.5 million consumers were affected by hackers accessing Global Payments Inc.’s payment processing system in January and February.

Lessons Learned: While the details of the system breach have been kept under wraps, the lesson to be learned here is to do your due diligence in confirming all third-party vendors are, in fact, PCI compliant. Global Payments is a widely used electronic transaction processing company that had been listed on Visa’s Global Registry of service Providers. They were removed after the attack. Even if your providers claim to be PCI compliant, it’s your job to check the requirements against their actual documented policies and technical services, if applicable, to keep credit card data secure.