10Fold recently evaluated the seven largest breaches this year and found that hackers had absconded with more than 193.4 million personal records. To get to this figure, the agency reviewed 720 data breaches that occurred throughout the year. To narrow the list to a more manageable size, the team made five million the barrier to entry.
10Fold selected these data breaches based on independent research and review of third-party resources such as ID Theft Resource Center and Information is Beautiful.
Largest Insider Breaches of 2015:
1. Excellus BlueCross BlueShield
Excellus BlueCross BlueShield announced that it was the victim of a sophisticated attack after hackers gained access to its information technology systems dating as far back as December 2013. This attack followed a series of healthcare hacks that had started at the beginning of the year. The Excellus hack in particular compromised the personal identifiable information of more than 10 million members, making this the third-largest healthcare breach in 2015. The exposed information, which includes names, birth dates, social security numbers, member identification numbers, financial account information and claims information, leaves members vulnerable to fraud and identity theft.
2. Premera Blue Cross
One month after the breach at Anthem Blue Cross, Premera Blue Cross released a statement saying it had experienced a cyber attack affecting up to 11 million members. The hack was discovered by the organisation on January 29 of this year, although the initial attack dates back to May 2014. Premera’s investigation team determined that attackers infiltrated the organisation’s information technology system, which allowed them to access applicants’ and members’ personal information, such as names, birth dates, social security numbers, member identification numbers and bank account information. Affected customers included employees of Microsoft, Starbucks and Amazon.
VTech was hit by the first data breach to ever directly target children; an unauthorised party accessed customer data through the Learning Lodge app store customer database and Kid Connect servers on 14 November. According to the company, the attack affected 6.4 million children and 4.9 million customer (parent) accounts worldwide, exposing personally identifying information such as names, passwords, IP addresses, download history, and children’s gender and birth dates.
Experian North America stated that attackers breached a server in one of its business units that contained personally identifiable information for approximately 15 million T-Mobile customers. The data included names, birth dates, addresses and social security numbers and/or an alternative form of ID, such as drivers’ licence numbers. The breach occurred, in part, because T-Mobile shared customer information with Experian to process required credit checks for service or device financing. Breaches such as these underscore that when customers share their information with a business, their personal data isn’t always kept private.
The Federal Office of Personnel Management announced that a cyberattack compromised the records of more than 21.5 million citizens, enabling attackers to gain access to highly personal information contained on background investigation applications. Altogether, the attack affected 19.7 million individuals who applied for security clearances, 1.8 million relatives and other government personnel associates, and 3.6 million current and former government employees. What’s more, the stolen data also included 5.6 million fingerprint records belonging to the background-check applicants. According to news reports, the breach caused U.S. intelligence and law enforcement officials to be concerned about the theft of data on government forms submitted for security clearances. And with good reason — these applicants share detailed information about themselves, including mental-health history and previous relationships. Hackers that gain access to the identity and fingerprints of employees with existing security clearances can cause serious, and irreparable damage to users’ privacy.
6. Ashley Madison
The hacker group identified as The Impact Team claimed to have accessed Ashley Madison’s user database, financial records and other proprietary information, including the personal data of 37 million users. A manifesto written by The Impact Team disclosed that the “full delete” feature on Ashley Madison was a lie — that the company did not scrub the personally identifiable information of customers who opted to have their profile and history deleted, but instead kept their payment information and purchase details, which hold identifiable information. The manifesto also instructed Avid Life Media (ALM), the parent company of Ashley Madison, to permanently delete the forums of Ashley Madison or they would release all customer information. ALM opted to keep the site running and consequently, The Impact Team released the customer records two months later.
The largest healthcare data breach in history occurred at the beginning of 2015. Anthem announced in February that it was the victim of a data breach that resulted in the theft of approximately 78.8 million highly sensitive patient records. By the end of the month, Anthem disclosed that the breach likely impacted an additional 8.8 to 18.8 million non-patient records that included names, birth dates, social security numbers, addresses and employment data. The attack on Anthem was the beginning of a series of healthcare hacks this year, including assaults on Premera Blue Cross, CareFirst BlueCross BlueShield, UCLA Health Systems and Excellus BlueCross BlueShield.
Rick Popko, Senior Account Manager, 10Fold
Image Credit: Shutterstock/wk1003mike