All businesses and organizations have legal and ethical responsibilities to safeguard their confidential data as well as their customers’ personal information, but data breaches happen all the time! According to the Online Trust Alliance’s (OTA) 2014 Data Protection & Breach Readiness Guide, 2013 was the worst year for data breaches in history, as over 740 million online records were exposed in 2013 alone. 31 percent of incidents were due to insider threats or mistakes, while 21 percent resulted from the loss of computers, hard drives, and paper documents. These incidents often — but not always — have a significant and negative impact. In this article, we go through some of the biggest data security breaches since 2010.
Top data breaches in 2010
1. Educational Credit Management Corporation
On March 26, 2010, Educational Credit Management Corporation (ECMC), a student loan agency, revealed that personal data on about 3.3 million student loan borrowers had been stolen from its headquarters in Minnesota. The compromised information included student’s names, addresses, date of birth and social security numbers.
A class action suit was filed against online movie rental giant Netflix in California, claiming that Netflix has “perpetrated the largest voluntary privacy breach to date.” According to the Complaint, Netflix knowingly and voluntarily disclosed the sensitive and personal information of approximately 480,000 Netflix subscribers when Netflix provided participants in a contest initiated to improve Netflix’s movie recommendation systems with data sets containing over 100 million subscriber movie ratings and preferences. Netflix has claimed that the data sets provided to the contest participants were anonymized and that the subscribers’ movie ratings were accompanied only by “a numeric identifier unique to the subscriber” (as opposed to the subscriber’s name or other personal information). However, the complaint cites the results of several researchers who, in fact, were able to crack Netflix’s anonymization process and identify individual subscribers.
Lincoln National Financial Securities mistakenly print a username and password in a brochure posted on a public website, but it let employees and affiliates share usernames and passwords. Unfortunately, those credentials belonged to a portfolio information system housing data for 1.2 million customers. This single incident accounts for nearly all of the records breached by insider access during 2010 – but most other insider breaches were reported as having an unknown record impact. According to the ITRC, just 51 percent of all breaches reported a number of records exposed, making it hard to assess their severity.
A class action filed against Florida insurer AvMed Health Plans seeks redress for a data breach that occurred when two laptops, containing patient information for 1.2 million members, were stolen from the company’s headquarters. According to AvMed, the laptops were left unattended and contained members’ names, home addresses, phone numbers, and Social Security numbers – as well as medical history data such as diagnosis information, medical procedure and prescription information.
Massachusetts-based South Shore Hospital was hit with a $750,000 fine for a data breach that affected more than 800,000 people. Backup tapes, containing individuals’ names, social security numbers, financial account numbers, and medical diagnoses were supposed to be erased at a facility in Texas, but two boxes full of those tapes were lost in the mail.
Ohio State University discovered an unauthorized access on its server that stored the names, SSNs, birth dates, and addresses of up to 760,000 current and former students, faculty, staff, consultants, and contractors. Though no data was stolen, the university cautioned that the breach could result in identity theft of the individuals whose information was stored on the server.
About 600,000 Citigroup customers got a shock in February when they received their annual tax documents – with their Social Security numbers printed on the outside of the envelope. Citigroup stated that the numbers were surrounded by other numbers and letters “that resembled a mailing routing number.” At least 50 of the customers have complained about the gaffe to Citi.
Anthem Blue Cross, a major US. health insurance provider which is a subsidiary of insurance giant Wellpoint, sent letters to 470,000 customers in California warning them that their personal data might have been accessed online. After a routine upgrade, a third-party vendor stated that all security measures had been properly reinstated, when in fact they hadn’t. As a result, thousands of applicants for coverage who were under the age of 65 had their personal information exposed in the open.
On April 5, Affinity Health Plan issued a press release concerning a “potential security breach” of the customer, provider, and staff personal information. On March 17, Affinity received information that an office copy machine it had previously leased and since returned to the leasing company may contain personal information on its hard drive. Some of the personal information on the machine included Social Security numbers, dates of birth, and medical information.
A Malaysian national named Lin Mun Poo hacked into the Cleveland Federal Reserve Bank and several other computer systems, including a defense contractor, and possessed of more than 400,000 credit and debit card numbers. Later, Poo was taken into custody a few hours later, after meeting with a “carder” who had offered to give him $1,000 cash for 30 active credit and debit card numbers.
Top data breaches in 2011
Backup computer tapes containing sensitive health information of 4.9 million Military Health Care System TRICARE beneficiaries treated in the San Antonio, Texas, area since 1992 were stolen from an employee’s car on September 14. The employee was transporting the tapes from one federal facility to another in the San Antonio area and reported the theft the same day to TRICARE and the San Antonio Police Department.
Social security numbers, names, addresses and in some cases, dates of birth and driving license numbers of about 3.5 million people had been leaked on a publicly accessible state computer server for a year or longer. However, there has been no evidence that any of it has been used to commit identity theft. It is said to be one of the largest information breaches in the US.
Betfair admitted that more than 2.9 million usernames and 90,000 bank account details were leaked in 2011 when their server was hacked by cybercriminals, possibly from Cambodia. The revelation came to light late when the betting exchange said it did not disclose in 2011’s flotation prospectus the details of the attack on customers’ payment card details. This led to the resignation of Betfair’s security chief.
4. Health Net
Health Net announced that it lost data containing personal information of over 1.9 million current and former policyholders. It reported that 9 server drives went missing from its data center in Rancho Cordova. Health Net said it would offer the affected individuals two years of free credit monitoring and fraud protection services. The insurer also said it would offer credit restoration and identity theft insurance.
Thieves robbed a van containing medical records of more than 1.7 million patients. The records were stolen on December 23, but the affected individuals were informed on Feb 11, the two months have taken to inform the victims was to identify the nature of the information leaked. The tapes contained the full names, addresses, Social Security numbers, health insurance information, medical record numbers, telephone numbers, diagnosis and treatment data, birth dates, admission and discharge dates, and mothers’ maiden names, according to HHC’s FAQ site. Staff, vendors, and contractors may have other personal information, such as professional license numbers.
According to Nemours, the loss of unencrypted computer backup tapes containing patient billing and employee payroll data was lost. This affected about 1.6 million patients, guarantors, vendors, and employees. There has been no indication of the information in data being misused or accessed by anyone.
The Oregon DMV sold DMV database information to marketing companies prior to the late 1990s. A man gained access to this information and used it to create fake Oregon identification cards and print fake checks. He was charged with 26 counts of aggravated identity; this represents one count per victim for each letter of the alphabet. The databases include 1.6 million names, addresses, dates of birth, genders, and ages of people who registered with the DMV. The database of publicly available information is over a decade old. The Oregon DMV says it is not the first time one of their databases has been used illegally.
More than 200,000 Anthem Blue Cross customers this week received letters informing them that their personal information might have been accessed during a security breach of the company’s website. Only customers who had pending insurance applications in the system are being contacted because the information was viewed through an online tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed. Anthem Blue Cross merged with WellPoint in 2004. About 612,000 individuals may have had their names, Social Security numbers, dates of birth, addresses, telephone numbers, health information, and other electronic protected health information exposed. WellPoint paid HHS $1.7 million in fines.
A television and a computer containing medical records were stolen from the Eisenhower Medical Center in March 2011. The computer was password protected, but not encrypted. This led to the data leakage of patient information, including birth dates, partial Social Security numbers, names, ages, and medical record numbers.
A former employee made accusations that Who’s Who experienced a breach of 400,000 data tapes with customer information. It is not clear what happened, but the tapes were misplaced during the shipping process sometime before October 20, 2010. The information on the tapes included customer names, Social Security numbers, addresses, driver’s license numbers, payroll data, checking account numbers and credit card information may have been exposed.
Top data breaches in 2012
The system was hacked by computer hackers, revealing personal data such as names and addresses were stolen, along with passwords, credit card information and medical records. But the scope of the data hacking in South Carolina stands out because an estimated 3.6 million Social Security numbers were compromised along with 387,000 credit card records.
On March 12, 2012, the Department of Child Support Services was notified that contractors IBM could not locate several computer devices that had been shipped from Colorado to California. California residents who used state child support services were affected by the loss. Names, Social Security numbers, addresses, driver’s licenses, names of health insurance providers, health insurance plan membership identification numbers, and employer information may have been exposed.
The breach involved both Medicaid patients as well as recipients of Children’s Health Insurance Plan, which provides insurance coverage for children without other health insurance and who meet income guidelines. The Utah Department of Health initially believed that 24,000 claims had been accessed, but that number was reassessed to about 780,000, according to UDOH. The department then reported that 280,000 people had their Social Security numbers stolen and about 500,000 others had less-sensitive personal data, such as name, date of birth and address, compromised.
Around 700,000 caregivers and care recipients had their information lost or stolen during transit between Hewlett Packard and the State Compensation Insurance Fund in Riverside, California. A package that originally contained microfiche with payroll data entries and possibly other sensitive information arrived via U.S. Postal Service damaged and missing thousands of payroll data entries. Names, wages, Social Security numbers, and state identification numbers were exposed. A total of 375,000 In-Home Supportive Services workers were affected and 326,000 recipients of In-Home Supportive Services care were affected.
Emory Healthcare in Atlanta says that it has misplaced 10 backup disks containing information for 315,000 patients. Emory announced the data breach on April 18. The 10 disks held data on surgical patients treated between September 1990 and April 2007, the health system reported. The disks are missing from a storage location at Emory University Hospital. The locations where affected patients were treated include Emory University Hospital Midtown and the Emory Clinic Ambulatory Surgery Center. Of the 315,000 patient files on the disks, 228,000 included Social Security numbers. Other information at risk included patient names, dates of surgery, diagnoses and procedure codes. Names of surgeons and anesthesiologists that the patients had seen were also included in the records. The hospital’s IT systems were not hacked into, the health system stressed.
An employee of the South Carolina Department of Health and Human Services was arrested on April 19 after he compiled data on more than 228,000 people and sent it to a private email account. Approximately 22,600 people had their Medicaid ID numbers were taken, which were linked to their Social Security numbers. Others had names, addresses, phone numbers, and birth dates stolen as a result of the act. The former employee, Christopher Lykes Jr., was charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information.
7. Alere Home Monitoring, Inc.
More than 100,000 patients who take drugs to prevent blood clots are at risk of identity theft. An employee of Alere Home Monitoring, Inc. had the patient data on a laptop that was stolen. The computer file contained the names, Social Security numbers, addresses and diagnoses of patients who take anticoagulant drugs such as warfarin or Coumadin. The company became aware of the data breach around Oct. 1, said Doug Guarino, director of corporate relations for Alere, Inc.
The South Carolina Department of Revenue recently suffered a major data breach, leading to 3.8 million taxpayers and their 1.9 million dependents having their Social Security numbers exposed along with credit cards (5K) and bank account information (3.3 million accounts). The attacker gained access to 44 servers, installing 33 pieces of malicious software and utilities along the way, all undetected. The organization had no idea they were breached. It was not until law enforcement brought evidence to the department regarding three cases identify theft, that they were even aware something might be wrong.
The Wisconsin Department of Revenue revealed that it had accidentally made public 110,795 Social Security numbers and tax ID numbers of Wisconsin residents. The numbers were mistakenly embedded in a real estate report and posted to the department’s website for almost three months before being removed.
71,000 registered voters were notified by letter dated September 12 that five laptops containing their personal information were stolen from the Robeson County Board of Elections sometime between July 18 and September 4. The unencrypted laptops had been kept in a padlocked room but were removed during a time that a staff member was removing supplies from the room with the help of unsupervised community volunteers. The computers, which were protected by multiple passwords, contained voters’ names, addresses, dates of birth, the last four digits of their Social Security numbers and possibly their driver’s license numbers.
Top data breaches in 2013
In mid-December 2013 it was found that cybercriminals had breached the systems. It was reported that the hackers had access to credit card and debit card information. It cost nearly 110 million for the company to make the compensation.
Four computers were stolen from the company contained names, date of birth, addresses and social security numbers of nearly 4 million patients. It was estimated that the damages done could range to billions of dollars.
Adobe said that the hackers stole nearly 3 million encrypted credit card information and user login information for adobe accounts. The attack impacted on nearly 38 million Adobe users. According to the Ponemon study, the average cost of a breached record is $188.
Information of 2.4 million current and former student information were compromised in a security breach. The information contained records of academic and personal data of students. The district’s governing board approved several million dollars for repairs and 7 million and more to notify students who were affected.
Credit and debit card information of nearly 2.4 million users were compromised when hackers attacked the store’s database. The company said that the breach could cost $80 million in Illinois alone.
Hackers obtained nearly 160,000 social security numbers and 1 million driver’s license numbers form Washington’s state AOC servers. Officials said that they aren’t sure of what type of data was taken from the server.
Two Apple MacBook containing information of 840,000 members were stolen from the Newark headquarters. The data included names, addresses, date of birth and social security numbers which could be misused by the criminals.
Two passwords protected laptops containing data of 729,000 patients were stolen from the office by the criminals. The laptops were placed on the sixth floor and the thief broke into a video-monitored floor to steal them. Officials said that the information has not been accessed or misused by any means.
9. CBR Systems
A laptop, encrypted backup tapes, an external hard drive, and a USB drive were stolen when the employee left them in his car. The devices contained information on 298,000 individuals. The laptop and the external hard drive consisted of the password which could allow access to CBR systems.
Information of patients admitted between 1980 and 1990 on a Microfichwasre found in a park. The incident happened because the company meant to shred the records failed to do so.
Top data breaches in 2014
The online retailer suffered one of the biggest data breaches yet reported by an online retailer. The breach is thought to have affected the majority of the company’s 145 million members, and many were asked to change their passwords as a result. The lawsuit could cost eBay more than $5 million.
The U.S. biggest arts and crafts retailer reported that data on more than 3 million of its customer card have been stolen. The attack happened over a span of eight months and the company didn’t get to notice it.
The hackers who gained access to the credit card payment systems of the Neiman Marcus groups bagged information of nearly 1.1 million credit and debit cards. Mastercard and visa told the company that about 2400 cards used at Neiman Marcus have since been used fraudulently.
4. Variable Annuity Life Insurance Co.
The number of individuals got affected in the data breach of Variable annuity exceeds more than 774,000. It was found that a former financial advisor of the company stole a flash drive containing the information.
Texas biggest liquor chain store had its data breached for almost 17 months. The security breach was estimated to have exposed nearly 550,000 information of its customers. The information included credit and debit card details. The company offered a free year of credit monitoring and identity theft protection for those who were affected.
A three day attach on the systems by the hackers brought out information of nearly 405,000 former and current patients. The primary IP address involved in the attack was identified and traced back to China.
Aaron Brothers, a subsidiary of Michaels store had information of nearly 400,000 of its customer payment cards compromised.
The Chancellor of the college announced that information including names and social security numbers of more than 290,000 former and current students and nearly 800 faculty and staff were hacked. The relief of the incident is that the data did not include any bank or credit card data.
The University warned more than 160,000 individuals that included students, staff, alumni, faculty and applicants that their information has been compromised. The exposed information included names, data of birth and even bank account details.
Data of students who attended the university between 2011 to 2014 was put to risk when the information was accessed by three automated data mining application. Affecting more than 106,000 students the incident cost the university nearly $80,000.