With the recent unveiling of the intense Internet surveillance operation being carried out by the NSA, more people than ever are interested in keeping up to date on the latest laws, news, software, and other information related to maintaining privacy online. There is an immense number of blogs related to information security in all of its incarnations, so we have picked through the offerings to find you the best blogs that deal specifically with personal privacy law and technologies. These are listed mostly without any indication of which is better than any other and are instead separated into categories based on their focus. The focus of the blogs includes hacking methods, ways to protect yourself from identity theft, news on information security topics, and discussion about censorship and identity law.

Cream of the Crop

1. The Privacy Blog – In a list of privacy blogs, one named The Privacy Blog would clearly seem to fit the criteria. Luckily, it is also one of the best in the genre for details on privacy in the technological world. Updates are posted weekly, and most of the content is original. This includes a podcast for those who would rather listen to news on the latest security threats. Content covers security technologies, opinions on privacy and hacking litigation, and news related to privacy threats and tools. Check out their latest podcast to get a taste of the monthly episodes.
2. Electronic Frontier Foundation – The EFF is an organization dedicated to the defense of the right to privacy in a world where everyone from the hacker kid down the street to the government can snoop on you. Their Deeplinks blog includes almost everything related to privacy and personal rights with an impressive amount of content delivered daily. If there is news that remotely touches on electronic privacy – whether its copyright laws, government surveillance, hacker tricks, or even just swag – you can find it here, but the blog does have a marked legal focus. Check out this article on the issue of warrantless DNA acquisition.

Privacy on the Net

3. The Online Privacy Blog – This blog is run by the company Abine, an Internet privacy software developer with products like DeleteMe and DoNotTrackMe. The content is a mix of news about online privacy laws, security breaches, tips for keeping yourself secure while using social media and other common online services, and press releases for the company. Two articles a week is the rough release schedule. Check out a report on the surveillance capabilities of Microsoft’s next console, the Xbox One.
4. EPIC: Electronic Privacy Information Center – EPIC is an organization that provides information with a focus on online privacy, though they do branch out into related technological fields such as biometric data, drones, and other hot button issues. The majority of the site content is in their static information, but their news feed does provide short updates on current news and events. If you want to get a quick synopsis of privacy related news without excess analysis or reading, then their blog should come in handy. The rest of the site is also extremely valuable for its large amount of educational material. Check out their news report on a Supreme Court ruling on DNA privacy.
5. WIRED: Threat Level Blog – WIRED is a site renowned for its news and insights into the world of technology, and their Threat Level blog applies the same quality of content to the dedicated topic of privacy and the law within the context of technology. Thanks to WIRED being a news organization, the tone of the articles stays more subjective than personal or company blogs, though opinion always bleeds through in writing. Check out this opinion article on email privacy law and the lack of protection that electronic communications receive legally.
6. Freedom to Tinker – FtT posts focus on news related to technological privacy and law alongside a large amount of insightful commentary and opinion pieces. The number of writers is smaller than you will find on some bigger websites, while still being large enough to provide more variety of opinion than a single user blog and a decent update schedule. Check out this article from 2006 on wiretapping abuse and the NSA that foretells some of the recent privacy related news.
7. ACLU on Technology and Liberty – The ACLU is a well-known American organization dedicated to the preservation of civil liberties in every form they take. Their blog is a robust and well-developed collection of useful and informational content on a variety of topics, and because of the volume of information they cover, the blog has several subsections to help those looking for information on a specific topic. For online privacy related news, the Technology and Liberty section is where you want to go. Check out this article on metadata to see just how important it can be in light of the NSA surveillance issue.
8. Center for Democracy & Technology Blog – The CDT is an organization similar to the ACLU but with a focus on influencing policy related to the freedom to privacy and expression on the Internet. Unlike most of the above blogs, the CDT has a broad, worldwide view and will often discuss online privacy policy from nations other than the US. There is still more focus on American and EU news, but it is refreshing to get a glimpse of the world at large. Check out one of their weekly looks at global policy for news from Syria, Japan, China, Taiwan, and Australia.

Photo by Seth Anderson

Privacy Law & Policy

9. FCC Blog – The Federal Communications Commission is an organization with which most American are familiar due to its role in radio and television broadcasts as well as the Internet. As it is a government website, you can expect a lot of dry content and not so much in the way of unique viewpoints, but it is a good idea for Americans to stay abreast of an organization that influences their online privacy to a large degree. Check out this article detailing some of the consumer protection services the FCC offers.
10. Privacy Law Blog – The Privacy Law Blog is managed by the Proskauer law firm, a group with a focus on international privacy law. The blog content does trend to US and EU policy and law. The topics covered are usually about informing about laws concerning privacy, patents, and security and updates to them. Though the release schedule is low compared to some of the others on the list, they still tend to release an article every week. Check out this report on the conundrum of when European privacy law applies to American companies.
11. Privacy & Security Law Blog – The editors and contributors of this blog belong to the Davis Wright Tremaine law firm, a nationwide entity with over 500 associates. Their firm handles cases covering a wide variety of subjects, but the privacy and security blog is managed by their resident expert associates on the topic. Articles range from discussion on cybersecurity, discussion of data standards like HIPAA, and news related to changing laws regarding privacy and technology. Check out their report on a recently introduced federal data breach law.
12. Law and Terrorism – Gregory S McNeal is a security specialist and university professor who has received national recognition by news corporations, Congress, the military, and other notable organizations. His blog only features content he writes himself, leading to a low update rate with articles that trend towards his focus and activities at the time, but this does mean the content covers topics that might not be the focus of other privacy blogs at the time. Check out his article on drones and due process to see the focus of his latest work.
13. CERIAS Blog – The Center for Education and Research in Information Assurance and Security is an organization ran by several Perdue university professors and contributors. They broach topics ranging from the technical aspects of ensuring privacy in a digital world to the ethical, moral, and legal guidelines that govern the behavior of individuals and organizations when it comes to information privacy. The blogs content is updated one or two times a month, but every article is unique, lengthy, and full of useful information on security and privacy topics. Check out their objective look at NSA’s PRISM program.
14. beSpacific – Most of the content on beSpacific is collected news and information about privacy, law, technology, copyrights, and finance. Rather than a blog to go to for original content, beSpacific is an amazing resource and repository for documents, press releases, and other articles in the topics it covers. Content is added daily, and on many days you will find up to ten new posts. Check out the main page. There is no better way to get an idea of the bevy of information hosted on the blog.

See ID – Photo by Bryan Rosengrant

Privacy & Identity

15. Privacy Rights Clearinghouse – The PRC is a nonprofit organization based out of California whose mission is to “engage, educate and empower individuals to protect their privacy.” The blog itself is not updated frequently, but the amount of information available regarding privacy concerns on the site in general is staggering. Check out this article for a few simple tips on keeping your privacy private.
16. Bruce Schneier’s Blog – Bruche Schneier is an internationally renowned security specialist, a member of the board of directors of the EFF, and has published multiple books concerning security and cryptography. His blog content includes recordings of his speaking events, articles and opinions written by him, links to interesting security and cryptography articles, and important news on the same. All of his articles are well-cited and in a format that makes them both look professional and easily understood. His insights are great, and if you like his blog then you should definitely check out his published work. Check out his comparison of the privacy abuse of online companies to the Game of Thrones.
17. Identity Theft Blog – The entire purpose of this blog and the other portions of its site is to educate people on the dangers of identity theft and how to protect themselves from those who would steal their information and put it to nefarious use. The updates are a bit slow, averaging two posts to the blog per month, but the extra content value in the rest of the site more than makes up for it. If you want to get educated on identity law, identity theft tactics, and how to protect yourself from identity theft, stop by this site. Check out this article showing how something as simple as filling in the information necessary for an insurance quote can give up compromising data.
18. Spaf Blog – The Spaf Blog contains content written or reposted by Professor Eugene H. Spafford, an educator who specializes in digital forensics, privacy, and information security. He is also the founder and director of the CERIAS web blog listed in the above section. The original content is published roughly on a monthly schedule, but reposting occurs daily. There are over 5,000 article links on the over 500 pages of the blog. Check out the very first page for links to over a dozen high quality privacy articles.
19. IdentityWoman – The alter ego of Kaliya Hamlin, IdentityWoman, is an intensely active force in the field of privacy information security. Her grammar and punctuation may not be perfect – meaning grammar nuts should avoid the blog – but it is to be expected given the busy schedule the super-heroine keeps. The content on the blog ranges from videos of her talks at various conferences (and “un”conferences), updates on notable privacy events, and her work in an astounding number of IT groups, consortiums, and organizations. Check out the collection of her speaking appearances for some good audio on user-centric identity.

Safety Awareness Week 2011 – NASA Goddard Space flight Center

Security

20. Krebs on Security – Brian Krebs got into information security for the same reasons many people do these days: thanks to the attacks of hackers on his personal computer network. This sparked a long career of security writing for the Bachelor of Arts, including a long stint as a major security author for the Washington Post with several front page appearances. As far as the blog goes, it is one of the best for quality, the amount of information presented, and originality. The frequency is also very good for the general quality and being a personal blog. Check out his article on the Styx exploit package and the article detailing the story behind its creation and marketing for a look at the brazen offering of script-kiddie tools.
21. 1 Raindrop – This blog, written and maintained by Gunner Peterson, focuses on security more from a business standpoint than it does on individual privacy and identity. The posts are long and informative, but they assume some familiarity with security issues and the technologies from which they derive. This makes it not so friendly to newcomers to the world of security, but it is more useful to those who want high level information. The blog is updated roughly three to four times a month with mostly original articles of notable length. Check out this article on mobile APIs and security, a useful and important consideration for any business.
22. CERT – The US government’s Computer Emergency Readiness Team’s site does not officially call itself a blog, but the main page is comprised of time-ordered updates that keep you posted on the latest patches for notable applications like WordPress, Adobe, Java, and Google apps. The site should be on every CEO’s and CISO’s short list to check frequently to see if they happened to miss any important updates. They also occasionally post security bulletins and information from themselves and large IT companies. In addition to their tracking of security updates, the site features a number of resources on protecting yourself from online threats and general security information. Check out the National Cyber Awareness System, a springboard for links to information on security.
23. Bleeping Computer – While the main page does feature a blog roll of updates and articles, Bleeping Computer is far more than just a security blog. The blog updates themselves are standard fare for a security focused blog, though the focus is clearly on education and teaching for people who might not be as tech savvy as some professionals or enthusiasts.  Once you have gotten your daily update, swing over to the forums and other information resources to get help on understanding and fixing computer problems ranging from security issues to day to day malfunctions. A great overall resource for computer users of all skill levels. Check out their guide on how to remove a tricky bit of disguised malware that disguises itself as antivirus software.
24. Malware Don’t Need Coffee – While the writing style is haphazard and points to someone using English as a second language, there is no better blog out there if you want to know everything there is to know about the latest malware and exploit kits on the streets. The posts are extremely tech heavy, so less savvy readers will likely need to do additional research when reading. Posts come roughly every two weeks, but they are loaded with content and worth the wait. Check out this detailed and lengthy article on the ransomware called Urausy.
25. InfoWorld’s Security Articles – InfoWorld is a news site, similar to Wired, which focuses on everything technology. Just like Wired, they also feature a dedicated section for security related articles. As with other news sites, you can expect frequent updates and original content with a more neutral tone overall. You can also branch out from security related articles into general technology news when you finish getting updated. This is a great resource to keep on hand and check daily. Check out this article on bug bounties, the new method larger IT companies are using to hunt down security vulnerabilities in their applications.

Company Blogs

Most of these companies function in the Information Security world in some form or fashion. They usually maintain fairly decent blogs as a way to generate site traffic, keep their users informed, and to increase their appearance as “leaders” in the field. You do have to watch out for product placement in some of them, but they are self-motivated to provide good and reliable information that keeps people coming back.

26. Fortinet Blog – Fortinet is a company that produces physical and virtual firewalls alongside other network security equipment and applications. The blog sees regular contributions from five different writers, keeping things both fresh and current. Article topics are typically educational pieces on malicious IT attack forms, patch updates for major IT organizations, and security and privacy related news.Check out this post on how to determine if a seemingly innocuous email in your inbox might just be a phishing attempt or other scam.
27. FireEye Blog – FireEye is an Information Security company with a focus on antimalware applications, penetration testing, and overall system protection. Their blog focuses on the latest trends and tools in malicious cyber activity, and there is a definitive slant towards tech-heavy articles. A great resource, but those less inundated in the world of IT may have to spend some time with Google to get the full value that the articles represent. The speed of their updates is a bit slow for a company blog, averaging two to three posts a month. Check out this informative post concerning a Trojan that recently swept across Asia.
28. Kaspersky Blog – Kaspersky is most widely known for their antivirus and antimalware applications. There is a bit more “Yay Kaspersky products!” in this blog compared to some of the other companies, but it still manages to get balanced out by the actual information. Check out their article detailing the dangers and costs of employees misusing networked devices while on the job.
29. SANS Securing the Human – SANS is a company that works to increase security on what is most often the biggest weak point in a network, the human user. On their blog, you will usually find articles relating to attacks that attempt to take advantage of the user, such as phishing attempts and other social engineering scams. They also have a monthly newsletter full of extra material. Check out their look at passwords, one of the biggest mistreated tools in keeping things secure.
30. TrendMicro Blog – Like Kaspersky, TrendMicro focuses on malware detection, prevention, and removal software. The blog itself tends to focus on preventative measures against malware and other security related issues. The update schedule is fairly slow for having multiple writers, but there is no rehashed content. Check out a post on the dangers of media overflow when it comes to your pictures and other digital information that ends up stored on the Internet, forever.

Forensic Science

West Midlands Police Forensic Science Lab – Photo by West Midlands Police

1. Anti-Polygraph Blog – Opened: April 2006 with regular updates in the last few years. Style and Focus: Detailed and supported articles about the ways in which polygraph tests are used and abused, information about the deficiencies of the technology, and news. Also very active on Twitter. What to Read: Polygraph Countermeasures: What Polygraph Operators Say Behind Closed Doors, for a glimpse at the concerns even polygraph operators have with the reliability of the technology.
2. Zeno’s Month – Opened: July 2004, with biweekly or monthly posts since then. Style and Focus:   Much more of a personal blog than an informative one, this blog, run by a forensic scientist, touches a bit on his work and life. Expect vacation adventures to be mixed in with news and conference details related to the forensics industry. What to Read: October 2012: Some Challenges in Digital Evidence, for a glimpse at what forensic science was concerned with and preparing for in late 2012.
3. FSN: Forensic Science News – Opened: April 2008 with post frequency varying but highly active since then. Style and Focus: This frequently updated blog provides opinionated responses to news and events related to forensics from the point of view of a professional forensic scientist. Well written and timely responses to criminal cases and forensic news and advances. What to Read: Institutional Bias Examined, for a great introduction to how insidious institutional bias can be and some thoughts on how it plays out.
4. All About Forensic Science – Opened: May 2012 with fairly regular posts each month. Style and Focus: Despite the busy look of this site, it contains a wealth of information for individuals looking at entering the field of forensics. Regular posts focus on information relevant to potential forensic students or those with a casual interest. Posts are short and sweet but informative. What to Read: Mathieu Orfila, for a wonderful brief bio on one of the forefathers of forensic medicine.
5. UF Forensic Science Blog – Opened: March 2012, fairly consistent with bimonthly posts. Style and Focus: This blog provides its readers with reasonably fascinating posts covering different types of forensic science along with forensic analysis in the news. Not the most frequently updated and the author is not a native English speaker (and it shows in the writing), but it is worth a gander. What to Read: Untying the Knots, for a quick and dirty overview of the importance of forensic knot analysis and the rarity of such expects (with a link for more information).
6. Forensic Odontology: Bitemark Evidence – Opened: January 2011 with regular updates about once a week since. Style and Focus: With a minimalist look and easy to navigate interface, this blog welcomes readers to explore the world of bite mark evidence, with a focus on educating readers to the potential negative legal ramifications of relying on it as evidence. The author is a highly experienced professional forensic odontologist, with plenty of background to provide invaluable expertise to the posts. What to Read: Ted Bundy Bitemarks and Richard Milone: How DNA, bitemark research and failed cases have changed bitemark analysis, for an examination of how these high profile cases used bitemark evidence questionably and how it is used today.
7. Forensic DNA Testing Blog – Opened: December 2007 with irregular posts since then. Style and Focus: This blog allows posts from both DNA Diagnostic Center staff and clients that concern forensic DNA testing. While DDC moderates the posts, the authors can vary and thus the style of writing as well. The blog is easy to navigate and contains a wealth of information for readers interested in keeping up news, advancements, and case studies involving forensic DNA. What to Read: New DNA Test Predicts Eye Color, for a quick article introducing a new advancement in forensic DNA analysis – the ability to predict eye color from samples left at crime scenes. Not strong enough as a sole source of information, but an asset to an investigative team.
8. Forensic Astrology – Opened: July 2007 with irregular posts that appear at least once a month since. Style and Focus: Admittedly, this site is a bit of an outlier amidst genuine scientific research blogs and companies and the site reinforces this general feel with its dark background and starry banner, but the information presented makes for an interesting read. The author has a 30 year background in utilizing astrology to analyze case files with an eye for forensics and provides detailed case file information, often sent in by readers, as well as the process by which astrology is used to hunt for new details in the case. Even if you do not buy into the premise of astrology, the blog is worth a look. What to Read: Shemika Cosey – Young Lady Leaves Her Aunts Home and Disappears, for a typical case study that details the process of forensic astrology and paints a narrative of what might have happened in this disappearance.
9. GunSim Ballistics Blog– Opened: March of 2009 with irregular but generally biweekly posts since then. It has slowed a bit recently. Style and Focus: No-nonsense style reminiscent of the early days of the internet, this blog’s pared down appearance suits the straight forward information it provides to readers. It focuses specifically on technology and software used in ballistics testing with helpful tips on getting the most out of it, news, and more.  What to Read: Zero in the warm, shoot in the cold, for a quick look at how ballistics information can help improve cold weather sharpshooting.
10. Empirical Legal Studies – Opened: February 2006 with regular and frequent posts ever since.  Style and Focus: Another early internet era styled site, this collaborative effort was founded by a group of professors from a few different Law Schools with the intent to bring together empirical methodologies and legal theory. Posts can greatly vary in length, but are usually well-written and informative. They bring commentary to news, changes in legal policy, useful resources, and more. What to Read: Kahan on National Research Council critique of multivariate regression, for review of one professor’s concerns about the potential problems in research and how they influence policy view.

Forensic Medicine

Medical evidence collection – Photo by Army Medicine

11. Forensic Science for Nurses – Opened: February 2011 with consistent weekly posts. Style and Focus: RN Patricia Bemis provides her readers with straightforward, to the point blog posts that give other nurses tips on how to preserve potential evidence, information on forensic nursing, and news related to the field. She also discusses the importance of keeping forensics in mind as a nurse of any stripe. What to Read: Evidence Collection in the ED, for a quick review of simple steps ED nurses can take to preserve potential evidence.
12. Digital Pathology Blog – Opened: Active since 2007. Style and Focus: More like an information hub than a typical blog, this site features regular posts from experts in digital pathology on news, advancements, cast studies, and educational information. The site is a bit busy, but easy to navigate and features a lot of resources for those with an interest in the field. What to Read: The Anxiety of the Biopsy from NY Times Health Blog, for Dr. Kaplan’s response to a NY Times article on the mental health effects biopsies can have on patients.
13. Forensic Medicine with Dr. Cox – Opened: Started September of 2009 with semi-sporadic posts, generally once a month. Style and Focus: While sporadically updated, this blog is nevertheless a wonderful resource for those with an interest in forensics, particularly with a medical bent. Written by professional forensic pathologist and neuropathologist, Dr. Cox, each post is designed to inform and instruct readers on an aspect of forensics. Often, the blog posts are short introductions to longer papers linked in the post. What to Read: Human Skeletal Remains – An Introduction to Forensic Anthropology, for an introduction to a well-written and informative article introducing readers to the important concepts in forensic anthropology.

Forensic Museums and Historians

Forensic Anthropology Lab – National Museum of Natural History – Photo by Leticia (Tech Savvy Mama)

14. Crime Museum’s Criminal Convictions Blog – Opened: February 2009 with consistent weekly posts since. Style and Focus: This blog is run by a museum and readers can expect highly entertaining, detailed, and well-written posts covering crime, criminals, and forensics. Recently, they posted the story of a potential real-life inspiration for the American mythical hero the Lone Ranger. The site itself is well designed and easy to navigate and offers readers more than just a lively and engaging blog. What to Read: The Vidocq Society: ‘The Heirs of Sherlock Holmes’? A glimpse into first real life French undercover detective agency and the fascinating character who helped found it, former criminal reformed into detective, Eugene Vidocq.
15. The Writer’s Forensics Blog– Opened: May 2009 with regular posts since. Style and Focus: This blog’s intended audience is writers who want realistic, informative advice and information on forensics. It includes general writing advice, like how to make your first few pages shine, and detailed information on a whole range of forensic science. A fascinating read if you have an interest in forensics at all. The design is clean and easy to navigate, with lots of resources and great organizational tools. What to Read: Connecticut Massacre Not New, Just Disturbing, for a quick and dirty guide to the assorted classifications of multiple murderers and real-life examples of such.
16. Jen J. Danna ~ Forensic Crime Writer – Opened: April 2011 with regular posts since, generally updated Tuesday evenings. Style and Focus: Another writer’s blog, this one expands beyond simply advice for authors, it chronicles this author’s journey in writing, provides information on research, writing processes, and the path to publication. She also does an excellent job in covering forensic science and how it can be effectively used in writing. She has a particular focus on forensic anthropology. What to Read: Forensic Case Files: Cannibalism in Jamestown in the Early 17^th Century, for a gruesome look, figuratively and literally, at some of the evidence illuminating the meal-times at Jamestown colony, courtesy one 14 year old immigrant.

Computer Forensics

Photo by West Midlands Police

17. Computer Forensics Blog – Opened: August 2008 with very frequent posts ever since, generally more than twice a week. Style and Focus: This highly active blog is a fantastic resource for any computer forensics professional or individual interested. They keep readers informed of product information, news, and events while also providing lots of tips and guides to improve one’s computer forensic tool bag. What to Read: Four Focus Areas of Malware Analysis, for an informative post briefly explaining one method of analyzing malware.
18. Digital Forensics Blog – Opened: November 2010 with sporadic updates, generally once a month. Style and Focus: While this blog isn’t frequently updated, it does provide excellent information and tips targeting other computer forensic personnel. The author provides advice born from practice, events relevant to the field, news, advancements, and more. What to Read: No Partition Table? No Problem, for a helpful post targeting newer computer forensic professionals who need a way around disks lacking partitions they need to mount.
19. Random Thoughts of Forensics – Opened: February 2010 with posts generally updated once a month. Style and Focus: More of a personal blog than one designed to provide a great deal of professional advice and resources, it provides a glimpse into the journey of one student of computer forensics and includes his experiences with different forensics techniques and triumphs along with personal and professional experiences alike.What to Read: Tools in the Toolbox Mandiant Red Curtain, a quick and dirty overview of a free software for Incident Responders analyzing malware.
20. Didier Stevens – Opened: June 2006 with regular posts from that point forward. Style and Focus: This is not a blog for those with a casual interest, it is full of technical details and step-by-step instructions designed to share ideas, tactics, and resources with other professionals.  Regularly updated and  on a wide variety of related topics, this is a highly useful tool for any computer professional interested in forensics. What to Read: Quickpost: TeamViewer and Proxies, a quick and dirty how-to post.
21. Windows Incident Response Blog – Opened: December 2004 with very active and regular posts, at least one a week, frequently more. Style and Focus: This long running blog is focused on providing resources to professionals involved in computer and digital forensics with Windows systems. Most posts are focused on explaining different analysis approaches or techniques, but it also informs readers of news updates, products, and events. What to Read: There Are Four Lights: The Analysis Matrix, for an explanation of analysis matrix and how it can be used to more effectively analyze data.
22. Forensic Focus Blog – Opened: November 2007, generally updates often. Style and Focus: Focused on providing news and tools for other computer forensic professionals, this blog features well written and tool-packed articles, interviews with folks in the industry, news, reviews, and more. The site itself is slightly busy, but well organized and easy to navigate. What to Read: Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images, for a guide to the assorted solutions available to assist with creating digital forensic timelines with code files.
23. Forensic 4:cast – Opened: January 2008 with regular and fairly consistent weekly updates. Style and Focus: This sleek and well-designed site offers its visitors a wealth of information related to digital forensics delivered in podcast format with discussions from a range of industry experts. They also run a regular newsletter that supplements the information provided in the podcasts. They also host the 4:cast awards to acknowledge great forensic tools, resources, and individuals in the field.   What to Read: How to do the worst job possible, presenting a very poorly written forensic report.
24. Mobile & Technology eDiscovery – Opened: November 2006, with somewhat sporadic posts, but generally at least one a week since open. Style and Focus: While it doesn’t present the most elegant design ever, the blog delivers excellent content for readers involved or interested in digital forensics. It features regular articles on tools, best practices, resources, case studies, and more.  What to Read: Signal Strength and Distance, for a discussion on what cellular signal strength and distance is and how to discuss it in court.
25. CSItech– Opened: May of 2008, with bimonthly posts since. Style and Focus: The clean layout allows readers to focus on the content, which is focused on informing readers about newly developed tools and tactics designed to improve the computer forensics industry. Expect lots of reviews and guides on using new tech and practices. What to Read: Password extraction fun, for a good review of a program that can help uncover passwords on devices first responders need to access quickly.

Forensic Technology & Techniques

Fingerprint – Image by CPOA

26. Crime Scene Training – Opened: December 2010 with fairly consistent, frequent posts. Style and Focus: This very well organized blog has been regularly providing advice, insight, product reviews, and more targeting any investigators who do any part of their work directly at the crime scene. Articles are informative and practically useful. What to Read: Avoiding Hazards at the Crime Scene, for a well-written, thorough, and extremely handy article for any forensic tech who goes on scene.
27. The Truth about Forensic Science – Opened: February 2010, with frequent and regular updates. Style and Focus: This blog targets DUI lawyers and criminal defense attorneys and helps educate its readers on the different types of forensic evidence that can be brought to a trial, with a focus on weaknesses and defenses against them. The blog is authored by a highly respected criminal defense and DUI attorney. What to Read: Limitations of Forensic Odontology, for an overview of the problems with forensic odontology.
28. The Hacker Factor Blog – Opened: November of 2006, with fairly regular posts at least once a month since then. In the last two years, it has trended towards weekly updates. Style and Focus: This blog is a treasure, with entertaining and informative posts that are often designed to generate discussion amidst the readers. The primary focus is on the tools and techniques designed to help computer techs of all sorts, but it occasionally drifts into completely unrelated but often fascinating territory.  What to Read: Chasing Rainbows, for a really fascinating article discussing super-senses.
29. Forensic Methods – Opened: August 2009 with sporadic but fairly regular posts since then. Style and Focus: The layout of this blog makes it feel more like a digital magazine than a traditional blog, and its posts take a non-traditional spin too. Some are simply quick Twitter updates; others are snippets of a great article found elsewhere with a shortened link to the primary article. Still, the original content here is not to be missed; the articles are well-written and informative and often offer a behind the scenes glance at the writing process. What to Read: Digital Forensics Magazine: Big Brother Forensics, for an article on an article, also a brief introduction to the potential ramifications of geo-location technologies.
30. Forensic Resources – Opened: July 2011 with frequent posts, often more than once a week, since then. Style and Focus: A sleek and well-written blog providing detailed information about forensic science, including techniques, news, legal issues, and advancements. It caters primarily to attorneys based in North Carolina, but is a worthy read for anyone who needs to increase their armchair knowledge of the science. What to Read: Improving Arson Investigations, a resource-filled article pointing readers towards new developments in science that shook up fire investigation.

Cold Cases & Wrongful Convictions

31. Defrosting Cold Cases– Opened: November of 2009 with prolific posting habits, though slightly slower in recent months. Style and Focus: The blogger clearly cares about justice for victims who have been left behind by time. Posts are frequently focused on bringing light to cold cases that may have been gathering dust, telling the stories of the victims, and sharing information about the crimes. The author also focuses on wrongful convictions and forensic information that may help solve some of these cases. The site is beautifully designed, easy to navigate, and the articles are well-written. What to Read: In Loving Memory: Jimmy Stanaway, for a heartfelt memorial to a cold-case victim, providing a personal face to a dusty file.
32. The Wrongful Convictions Blog – Opened: It’s hard to pinpoint the open date of this blog, but it is currently highly prolific, with often multiple posts in a day. Style and Focus: Informative, well-written, and prolific, this blog features a panel of expert authors from a variety of backgrounds to bring readers the latest in news about wrongful convictions, including forensic analysis changes, case studies, legal changes, and more. The site is a little difficult to navigate, as it lacks a proper archive; users can search, or sort through categories to find what they are after. What to Read: Calculating Bad Math’s Contribution to Wrongful Convictions, for an interesting analysis of how a judge or jury’s failure to comprehend mathematics might lead to miscarriages of justice.

Fraud & Crime Blogs

Fraud Tech on a $20 – Image by Jack Spades

33. The Fraud Files Blog– Opened: November 2005, with prolific and regular posts since. Style and Focus: This blog is focused on fraud of all kinds, from small to massive, on a national scale. Expect lots of links to related information, quality writing, and informative posts. What to Read: MckMama House Fire is Not Suspicious In the Least.
34. Expert Witness Blog – Opened: March of 2007, with near daily posts. Style and Focus: Most posts are very brief and present readers with information about what expert witnesses are testifying about in trials around the nation. Some posts focus on preparing witnesses for trial, news, or other relevant information. What to Read: Environmental Health Expert Witnesses & Hanford Nuclear Reservation, for a typical post example.
35. Grits for Breakfast – Opened: January 2004, with highly prolific and regular posts since then. Style and Focus: A very well-respected blog focused on Texas criminal justice. The author has been recognized for his excellence from a number of Texas newspapers, organizations, and other criminal justice bloggers and even won a handful of awards over the years. Except quality writing, well-researched content, and no-nonsense (and often contrary) opinion delivered near daily. What to Read: A forensic science ‘blockbuster’ and limits of accreditation, taking a glance at several forensic science news articles and points to the shaky ground some forensic data is built upon.

Forensic Anthropology & Psychology

Bones in the Monasterio de San Francisco, Lime, Peru. Photo by Phil Whitehouse.

36. Forensic Psychologist – Opened: April of 2007, with at least a post a week consistently since then. Style and Focus: The site itself is a little aged, but that has no impact on the quality of its contents. Blogger Karen Franklin, Ph.D. is an experienced forensic psychologist and adjunct professor who has served as a criminal investigator and legal journalist. She has the chops and the ability to write effectively about what she knows. Her posts cover news, resources, case studies, methodologies, and more in the fields of criminology, forensic psychology, and psychology law. What to Read: Beware “voodoo” brain science, for an examination of some of the controversial claims made by proponents of brain imaging as a way to distinguish potentially dangerous traits in an individual.
37. Mind Hacks – Opened: November 2004 with consistent and prolific posts since. Style and Focus: Clean design with easy navigation introduces readers to a site loaded with information presented from very prolific bloggers. Posts focus on the fascinating world of neuroscience and psychology. Well-written responses to news articles, explanations of weird brain quirks, neuroscience history and notable figures, and much more can be found here. What to Read: A brief history of narcoanalysis, for a fascinating introduction to the use and history of the administering of ‘truth drugs’ to elicit supposedly truthful confessions.
38. Smith Forensic – Opened: September of 2004 with consistent and prolific posts since. Style and Focus: This blog offers a simple, clean style and easy navigation with a focus on forensic pathology as presented by blogger Harold Levy, a Toronto Star investigative journalist who gained an interest through his reporting on once famed doctor Charles Smith. His blog examines flawed pathology and delves into the cases they impact around the world. He also examines junk science and its impact in criminology broadly.  What to Read: Marvin Wilson: How Texas is using literature rather than scientific methodology to kill a clearly retarded man – to circumvent the U.S. Supreme Court. – For a heart-rending examination of an abuse of the justice system, forensic science, and one man’s life.
39. Bones Don’t Lie – Opened: Style and Focus: Written by mortuary archaeology and bioarchaeology graduate student Katy, this blog shares her discoveries, like a recent dig in Oakington containing the burials of over 100 Saxons. She also writes about forensic techniques, archeological history, news, and more on a blog that is beautiful and easy to navigate. What to Read: Displaying the Famous Political Dead, for an interesting glimpse into the practice of preserving the notable dead for public display.

Forensic Companies

40. Forensic Technology Newswire – Opened: April 2009 with frequent but irregular posts. Style and Focus: Their style is much more like a newsfeed than a personal blog, they keep readers up to date on how their products are being used and received around the world, as expected from a company blog, but they do so with solid and informative writing.  What to Read: CSI: Miami & Real Forensics: We Won’t Get Fooled Again, for a post examining the relationship between CSI and real life crime solving.
41. Forensics Blog (BCIT)– Opened: July 2010 with consistent weekly posts since. Style and Focus: A simple interface greets visitors in this Forensic Institute’s blog focused on forensic education, Canadian forensics, news, events, and advancements in forensic science. Most posts are short and sweet. Those local to the area will also find timely related job postings and course updates. What to Read: Forensics’ Grad Bringing Backpacks to the Homeless, for a lovely quick bio on a recent BCIT graduate doing good for her community.
42. The Forensic Group – Opened: Style and Focus: Clean and straightforward writing designed to inform and educate readers on the methods and developments in computer forensics tactics and technology. Some news and events are introduced as well as case studies. Clean interface but somewhat difficult to navigate. What to Read: Computer Forensic Artifacts: Windows 7 Shellbags, for an informative introduction to how Win7 Shellbags can be used to trace activity and contents in computer forensics.

Forensic Imagery & Artists

1940 Mugshot – Image by Lisa Bailey

43. Four And Six – Opened: June 2011 with regular posts, about one a week, consistently since day one. Style and Focus: Four and Six offers its readers a clean style with useful posts ranging from image forensics techniques to thoughtful posts on ethical treatment of imaging tools and news and information related to image tampering.   What to Read: The Case of the Pole in the Middle of the Road, for a nifty inside glimpse into what photographic forensic investigation.
44. Forensic Video and Image Analysis – Opened: September 2007 with consistent and prolific posts ever since. Style and Focus: An absolutely fantastic resource for anyone who is involved or interested in image forensics, this highly active blog provides readers with information or resources on tools, software, product reviews, technique basics, image forensic cases, educational opportunities, and a mix of personal insight. Very informative, well-written, and easy to navigate. What to Read: Learn new Photoshop features in a click, for an introduction to a free and handy tool available to improve your Photoshop CS6 experience.
45. Ask a Forensic Artist – Opened: January 2010 with regular and prolific posts since. Style and Focus: This well-designed blog is a great tool for other forensic artists, those who want to be, and those who are just simply fascinated by the process. It includes techniques, news, educational opportunities, fascinating interviews from other forensic artists, and more. What to Read: The “Pencil Trick” for Edentulous Skulls… Debunked, for a great breakdown of what the pencil trick is, and why it doesn’t at all work as it is supposed to, with photographic evidence.

The information technology age has brought with it a new opportunity for the criminally minded. Unfortunately, our government agencies and corporations have not always been as guarded as they could be against those determined to gain access to the vital data they store. Through a combination of hacking and social engineering techniques, digital thieves have made off with identity information, hampered affairs of state, and even stolen millions of dollars. Here are 20 of some of the most damaging, notorious, or notable data breaches presented in chronological order.

1. Card Systems – 2005

Card Systems is a third-party processor of credit card information based in Tuscon, AZ. In June of 2010, a hacker slipped a data-mining bug into their system through security holes and stole data over time from roughly 40 million cards. This data breach happened in large part because the company was storing cardholder’s account numbers and their security codes, in direct violation of MasterCard rules, which allowed the hacker to collect it.  The information gathered was suitable only to steal money from the credit holder’s accounts, not to steal identities. At the time, it was the largest data breach to date.

2. US Veteran’s Affairs Laptop Heist – 2006

In 2006, burglars broke into the home of a VA employee who had taken his company laptop home, in violation of that agency’s regulations. Fortunately, the thieves responsible for stealing the laptop in question had no idea what they had gotten their hands on and deleted all the relevant information. When FBI agents recovered the laptop, they found it had been cleared and reformatted for quick resale, thus protecting the millions of veterans whose information had been stored. The data in question included Social Security numbers, names, addresses, and birthdays for millions of veterans, current service members, reservists, and their spouses. It did represent the largest data breach from a government agency in US history, and raised a lot of questions about how we enforce and protect the highly sensitive data government employees have access to.

<

3. TJX Companies Inc – 2007

TJX Companies is a large retailer that includes a number of retail chains like HomeGoods, Marshalls, T.J. Max, and others. Over the course of several years, predominantly in 2003 and 2006, an unknown number of hackers made stole millions of transaction data. Of note, it took TJX over two months after the data breach was discovered to talk about the true size and scope of what occurred with the media, and even delayed discussing their awareness of it with affected banks and customers. In the end, 45.6 million card numbers were stolen and data from over 450,000 merchandise return receipts were also taken. This represented another major wake-up call for the industry. It took TJX seven months after the theft to recognize it, and retracing the hacker’s steps proved challenging since they lost much of the trail in normal data purges.

4. TD AmeriTrade – 2007

Once again, a company with a major data leak chooses to withhold this information to its customers for half a year before disclosing it. In this case, AmeriTrade was made aware at least as early as October of 2006 when customers began to complain of stock-related spam emails. That led to a lawsuit in May of 2007 when two of its customers actually sued the company for the breach. Each client had an email addressed used exclusively with TD AmeriTrade and when those inboxes began to fill up with unwanted ads, they immediately knew where the leak had come. The problem was even noted on BoingBoing in June of that same year, when they featured a review of AmeriTrade which noted similar email spam to their dedicated address. Despite this, the company kept the information close to the chest until September when a court order would have forced them to step forward anyway. The lawsuit suggested that the data breach could have potentially leaked sensitive customer data like Social Security numbers and other information that could be used in identity theft. There was also a concern that the company might attempt to destroy information that would display their negligence. The company then requested a two week break from court proceedings, was granted it, and used that time frame to ‘discover’ the breach and notify the press and their clients. It became very clear that they choose to respond not out of a sense of responsibility to their clientele, but purely because they’d been caught and could no longer contain the story.

5. Certegy – 2007

This case was pretty much a cut-and-dry case of more traditional data theft – a disgruntled employee sold information to a data broker. The details that make this case worth examining is how the company presented the scope of the problem initially and how they recovered. They claimed after it happened that only 2.3 million records were stolen and that the public should not be concerned, because these records were all going to ‘legitimate marketing firms.’ A few months later it was revealed through a filing with the Securities and Exchange Commission that the true number of stolen records was in the range of 8.5 million. Of those records, roughly 5.7 million included checking account records, and 1.5 million included credit card records that could be used for identity theft and fraud. In the end through a settlement with the Florida Attorney General, consumers were granted a two year period to report and receive reimbursement for expenses related to theft from the incident, and they were given credit monitoring at the company’s expense. Further, the company restructured how it handled information security, doing a comprehensive review of internal and external risk, implementing a range of safeguards, and scheduling regular tests and monitoring programs to detect weaknesses and catch issues before they became problems.

6. Monster – 2007

Monster actually had a recurring problem with data breaches between 2007 and 2009. Three separate times they suffered data breaches in which millions of customer’s personal data was stolen or had their job listings infected with malware. Users affected also saw targeted phishing emails encouraging them to download malicious software or tempting them to accept jobs working as mules for online criminal organizations. One of the malicious Trojans left behind by the attacker’s encrypted files on the affected user’s computer and left a text file demanding payment to the attackers to recover the data. Each attack was perpetrated by hackers abusing security weaknesses in their information security structure. Each time, Monster delayed informing its users that there was a breach after becoming aware of it. Each time, Monster swore to do better. Unfortunately, as Monster learned, big talk is not enough to deter hackers. Actual improvements in infrastructure actually have to be accomplished, not just discussed.

7. Bank of New York Mellow – 2008

Another case of traditional theft leading to a massive data leak, Bank of New York Mellon discovered a missing box of data storage tapes in February and again in April of 2008. Each time, these tapes were being transported by third party vendors from one location to another when they went missing. Surprisingly, these tapes containing vital customer information were not at all encrypted. In addition, the bank did not inform potentially affected customers for three months. Initially, the breach was believed to have affected over 4 million individuals and included names, addresses, and Social Security numbers. Later that year, the bank notified 12 and a half million customers that their data had been stolen. All affected customers were offered two years of free credit monitoring and identity theft insurance worth up to $25,000.

8. CheckFree – 2008

At the time of the attack, CheckFree was the largest e-bill payment system on the internet, controlling between 70-80% of the US online bill pay market. This made it a prime target for smart hackers. For several hours, hackers managed to redirect visitors from the legitimate site login page to a site based in Ukraine that attempted to install software designed to steal customer’s passwords. CheckFree at the time had more than 24 million users, so the attack had the potential to be devastatingly effective. This attack was not due to a problematic infrastructure on CheckFree’s part. The hackers had legitimate codes to access CheckFree’s website, suggesting they either successfully phished that information from a CheckFree employee or utilized password-stealing malware. This same website in Ukraine attacked at least 71 other domains at the same time. The attack was noticed and responded to promptly by CheckFree, who had plugged the leak the same day. They promptly informed their customer base, instructed them how to detect malware infection, and arranged for every affected customer to receive a free copy of VirusScan Plus from McAfee.

9. Hotmail – 2009

In another phishing scam, about 10,000 Hotmail users had their passwords stolen. Much like the CheckFree incident, users were redirected to a site resembling the Windows Live Hotmail login screen. Users who were fooled into entering in their password and user account found their information later posted on Pastebin.com, a site originally designed to allow web developers to easily share tidbits of code. This same site had a list of over 30,000 Gmail, Yahoo! Mail, AOL, Comcast, and Earthlink email accounts and passwords. Microsoft responded quickly upon learning of the breach, sending out emails to warn affected customers of the potential problem and forcing password resets on all affected accounts. As with CheckFree, this was not a failure of Hotmail’s own data security, but a successful phishing venture.

10. Heartland Payment Systems – 2009

Thought to be the largest data breach of a payment processor, the 2008 attack of Heartland Payment Systems affected roughly 130 million customers and raised a few questions about the effectiveness of PCI standards of the time. The CEO Robert Carr adamantly reported that Heartland was in full compliance with PCI standards and was certified as such. The PCI Security Council contested his claims, suggesting that the breach was a result of an SQL injection error. Even still, the company was certified as fully compliant, leading many to conclude that companies should go beyond the basic requirements of PCI to protect customer data. Particularly with regards to tracking security standards over time, as errors creep into systems and hackers gain more sophisticated tools. Heartland developed an E3 end-to-end encryption service to monitor and secure the whole payment process from point-of-sale all the way through authorization and approval. The PCI Security council also began looking into technologies like card tokenization to improve their own standards. The end result was more focus on a layered approach to information security. In the end, Heartland paid more than $110 million to Visa, MasterCard, American Express, and other card companies to settle claims related to the breach, customers were notified and offered credit monitoring, and companies gained a sobering check about the state of their data security.

11. US Department of Veteran’s Affairs – 2009

Once again, the VA put data from roughly 76 million veterans at risk through employee negligence. In this case, the breach started with a faulty hard drive in a database RAID array. Employees arranged for a contractor to repair the disc and neglected to erase the encrypted data stored on the disc. When the contractor failed to repair it, the disc was recycled, leaving the data accessible to whoever next claimed the disc.

12. Hannaford Bros. Chain – 2009

Much like Heartland, Hannaford Bros. supermarket chain appeared to be following PCI compliance standards when they were hit with a massive data breach. Despite their compliance, a sophisticated hacking attack exposed over 4 million credit and debit card numbers to potential identity theft risk, and resulted in almost two thousand cases of fraud. Later that year, Albert “Segvec” Gonzalez was indicted by a federal grand jury in New Jersey, along with two co-conspirators, on charges of hacking into Hannaford Brothers, Heartland Payment Systems, 7-Eleven, T.J. Maxx, and other unnamed national retailers. This individual and his small team were accused of stealing over 130 million credit and debit card numbers, the biggest fraud case of its kind in history. He was eventually sentenced to 20 years in federal prison for his crimes.

13. VeriSign – 2010

The VeriSign attack was notable both for the severity of potential complications such a breach could have caused, and for the astounding lack of communication happening within the company. The data breach was first discovered by their security team in 2010, but this was not reported at all to management until September of 2011. An SEC filing made public the data breach, forcing the company to acknowledge the situation, though initially the upper level management seemed to have little knowledge of the incident beyond what was included in the filing. At the time of the attack, VeriSign was one of the largest providers of SSL certificates, which browsers use to identify secure sites like financial sites and communication portals. VeriSign also housed sensitive information on customers and the registry service used to create website addresses also a potential target. The big fear was that the certificate system was compromised; this would have allowed hackers to forge certificates (an event that had already occurred) and thus trick users into believing a phishing site was completely legitimate. Stewart Baker, former assistant secretary of the Department of Homeland Security responded to the event by saying, “Oh my God. That could allow people to imitate almost any company on the Net.”

14. Gawker Media – 2010

Gawker Media’s security breach was a lesson in humility, the internet’s version of being publicly tarred and feathered. A feud between online message board 4Chan and Gawker (who is responsible for Kotaku, Gizmodo, Jezebel, Jalopnik, Lifehacker, Deadspin, Fleshbot, and io9) developed as the web publisher trashed 4chan’s antics. This was swiftly followed by denial-of-service attacks perpetrated by 4chan members. Shortly thereafter, a group with loose affiliation to 4chan who called themselves Gnosis began to infiltrate the Gawker’s content management system, internal communications systems, and user databases. There they sat for a period of time, during which Gawker’s founder was notified that his account was logged into their internal system when he was not. He ordered the account shut off, but did not bother to change his password. In a stunning display of stupidity, it turned out that he used the same password for everything. After playing around internally for a bit, Gnosis began to get public. They posted a snarky message via Gawker’s Twitter account suggesting that user accounts might be compromised. When a Gawker employee assured people that their information was safe, Gnosis responded by posting a meme and a message on Gawker’s site directing people to a Pirate Bay torrent containing a massive data dump that included internal conversations, user names and passwords for a number of employees and many site commenters, FTB account access, and the source code for their content management system (allowing hackers to dig through for weakness). It also revealed that they were three years out of date on their server’s security patches, were using horrendously out of date encryption on user passwords, and had zero protocol established for password creation; nearly 2,000 Gawker users has ‘password’ as their password. Gawker’s response was incredibly poor. Not only did Neck Denton, the founder, fail to respond in a sensible manner after being originally made aware of the problem, they then refused to admit that there was a problem because their passwords were ‘encrypted’ and then waited over a day before notifying users there was a breach. When they did notify customers, it was done with a message on their site, not via email, ensuring many users would never know there was an issue.

15. ESTsoft – 2011

ESTsoft is a general purpose software company operating in South Korea. In 2011, they were the target of a devastating attack that impacted nearly the entirety of South Korea’s population. Hackers gained access to one of ESTsoft’s update servers and loaded malware that attached itself to their ALZip compression application, which subsequently infected 62 computers at SK Communications that made use of the ESTsoft program. The infected computers were then able to steal complete customer databases including addresses, contact information, passwords, and gender of roughly 35 million individuals in a nation with a total population of 49 million. The company apologized, the primary web portal for Korea, NHN, ordered employees to delete ESTsoft programs, and lawsuits were filed. The company never disclosed the financial cost of the breach.

16. Epsilon – 2011

In one of the largest data breaches of its kind, Epsilon was hacked in March of 2011. Epsilon handles over 40 billion emails annually and services more than 2,200 clients around the world. The information stored was primarily email addresses and names, including those of customers who had opted-out of marketing mailers, opening up all of those customers to phishing attempts. In addition, some users member points were accessed, giving thieves an upper hand when creating believable scam emails. Included in the many companies that sent out warnings to their clientele were major retailers, financial companies, cellular phone companies, banking institutions, and more. Roughly 3% of Epsilon’s clientele was effected. The Secret Service investigated the breach which is estimated to potentially cost Epsilon up to $225 million in damages.

17. RSA Security – 2011

SecurID tokens, used in a two-factor authentication system which is designed to create a layered and stronger security system, were compromised in March of 2011 when RSA Security was hacked. Initially, RSA claimed that the hack would in no way allow any “direct attack” on the tokens. Then a few months later, the defense contractor Lockheed Martin fended off a hacking attempt in which the tokens failed to offer any layer of protection. In June RSA released a statement acknowledging the failure. Their Chairman, Art Coviello, claimed that the reason it took them 3 months to disclose the full scope of the breach was to protect other customers from attacks similar to what Lockheed Martin experienced. There were claims that Northrop Grumman and L-3 Communications faced similar attacks. The delay caused many to question the reliability of RSA’s system and certainly to worry that withholding that information put their customers at risk. Some choose to switch to a new token provider, but many remained with RSA because the cost of switching was much more expensive and time intensive than simply gaining new tokens (which RSA provided). In a rather ballsy gesture, RSA encouraged its customer base to increase the layers of RSA security to create redundancy layers. One product fails, so we’ll switch that one out and sell you two more.

18. PlayStation Network – 2011

Some 77 million user accounts on Sony’s PlayStation Network were compromised after a large scale hack accessed the Sony database. It took the company seven days to notify their customers that data was stolen during the breach that caused their massive shutdown. Names, email addresses, passwords, security questions, birth dates, and addresses were accessed, and Sony warned customers that credit and debit card information may also have been stolen, though no cases of identity theft or fraud were reported as a result. The company was fined £250,000 (approximately $400,000 USD) by Information Commissioner’s Office, a UK based watchdog group, naming the clear negligence on Sony’s part as the reason for the fine.

19. Bitcoinica – 2012

Bitcoin offered the internet world a unique form of new currency. The nature of Bitcoins makes it an irresistible target for hackers, as a key feature is the permanency of the peer-to-peer transaction style. While it protects merchants from chargebacks, it also means that a successful theft of the currency is one that cannot be reversed. Once a hacker gains access to the private keys, what they steal is theirs to keep. Bitcoin has see a lot of growth in recent years as it has become a haven for both criminal activity and as a sort of virtual stock market. It has also seen a rash of hacking attacks targeting trading platforms like Bitcoinia, who lost $87,000 worth of currency in an attack against their production servers and BitFloor, the largest Bitcoin exchange in the US, who lost $250,000 in a successful hack against an unencrypted storage server. Bt Gox, Instawallet, and other Bitcoin-supporting companies have also seen successful thefts. These thefts have considerably increased the risk of investment in Bitcoins, stalling what had been a dramatic growth in value in 2012.

20. Global Payments – 2012

With a pricetag of $92.7 million in damages, investigation costs, lost business, and remediation expenses, the Global Payments data breach put at risk more than 7 million card numbers. The data that was stolen in the breach included full Track 1 and Track 2 data, usable by thieves to counterfeit new cards.  Union Savings Bank was just one among a number of financial institutions affected by exactly that tactic. In March of 2012, thieves began purchasing small denomination Safeway-branded prepaid debit cards. They would then encode Union Savings Bank issued debit card accounts to the magnetic strip on these cards, use them to purchase high value prepaid cards, and spend the money buying high ticket electronics and other items from other retailers. USB alone suffered roughly $85,000 in expenses related to the theft. Some, like Fulton Bank of New Jersey were harder hit, seeing roughly one thousand stolen accounts every week. Visa and MasterCard promptly revoked their certification of Global Payments.  Javelin estimated that $707 million in fraudulent charges will occur to the 1.5 million cards that were known to be compromised, with an end cost to consumers of roughly $152 million.