2015 was yet another year of massive data breaches, with an increase of 193 reported incidents from 2014’s total. If these numbers are any indication, 2015 could surpass 2014’s record of 1 billion records exposed from data breaches. While the smoke clears and the dust settles, here’s a roundup of the ten biggest data breaches last year, by total records lost.
10. Excellus BlueCross BlueShield Discovers Two-Year-Old Compromise that Exposed Information on 10 Million Customers
Image via Mike Greenlar.
In August, healthcare provider Excellus uncovered a series of successful cyber attacks dating back as far as December 2013. The attacks were detected in a forensic investigation conducted in response to the number of recent breaches and attacks that targeted other healthcare companies (such as Anthem, Premera, Carefirst, and Community Health Services). The data exposed could include names, birthdates, Social Security Numbers, mailing addresses, phone numbers, financial information, medical claim information, and member identification numbers.
9. Premera Data Breach Exposes Health Records, PII of 11 Million
Image via Kim Crompton/Spokane Journal.
To many, 2015 marked the year of the healthcare breach. In yet another hacking-based breach in the health industry, Premera announced in March that it had detected a data breach affecting 11 million customers. While less records were exposed than the Anthem breach, Premera’s 11 million records exposed were more sensitive than those leaked by Anthem, including Social Security Numbers, financial information, and healthcare data including clinical and claims information.
8. VTech Data Breach Exposes Personal Information of 11.3 Million Customers, Including Children
Image via VTech/Amazon.
Late 2015 saw the announcement of a data breach at Hong Kong toymaker VTech, exposing information on 4.9 million parents’ accounts and an additional 6.4 million accounts belonging to children. The information exposed includes names, email addresses, encrypted passwords, secret questions and answers used for account access, IP addresses, mailing addresses, and download histories. According to VTech’s FAQ on the data breach, the information exposed on children was limited to names, gender, and birthdates. Attributed to a “skilled hacker,” the incident and following investigation led to the British police’s arrest of a 21-year-old man in connection with the attack.
7. Misconfigured Database Exposes Information on 13 Million MacKeeper Users
Image via Malware Tips.
Researcher Chris Vickery discovered two of the largest data breaches of 2015 while searching the internet for publicly accessible database servers. Vickery’s first discovery consisted of a 21 gigabyte cache of user data belonging to Kromtech, producer of the MacKeeper software utility for Apple computers. The information was left publicly exposed by a misconfigured database server and included names, user names, hashed passwords, IP addresses, license information, and purchase history. The database was taken offline “within hours of discovery,” according to a statement from MacKeeper/Kromtech.
6. T-Mobile has Information on 15 Million Customers Exposed in Experian Data Breach
Image via Bank Info Security.
In September, Experian notified T-Mobile that “an unauthorized party accessed T-Mobile data housed in an Experian server.” Representative of the growing problem of data breaches via third party business partners, the incident exposed names, addresses, Social Security Numbers, birthdates, and other identifiable information (in some cases driver’s licenses, military IDs, or passport numbers) on up to 15 million T-Mobile customers. The incident marked the second major data breach involving Experian, who lost 200 million records in 2012 after acquiring a subsidiary that had been compromised.
5. The Office of Personnel Management Exposes Personal Information of 21.5 Million Government Workers in Data Breach
Image via Cyber Security Caucus.
The Office of Personnel Management made headlines this June when it disclosed that the personal records of millions of federal workers were stolen over the course of two hacking attacks spanning March through June. Following the incidents, OPM announced that 4.2 million had their information exposed in the breach – a number that increased to 18 million and then finally 21.5 million as the investigation progressed. The sensitivity of the information exposed – which includes background investigations, security clearance information, health records, fingerprints, and more – combined with the fact that the victim is a major U.S. Government agency led to significant fallout for OPM, whose director, Katherine Archuleta, resigned on July 10. The attackers have not been named publicly, but U.S. Intelligence Chief James Clapper has confirmed that the attacks are believed to have originated in China.
4. Ashley Madison Hacked, Records Stolen on 37 Million Users
Image via Ashley Madison/Avid Life Media.
The infamous extramarital dating website Ashley Madison fell victim to a widely publicized hack and ensuing data breach in July. Following an online dump of volumes of Ashley Madison data, the hackers – a group known as Impact Team – blackmailed Ashley Madison with the release of customers’ personal data unless the website was permanently shut dwn within 30 days. Ashley Madison did not shut down, and Impact Team started dumping user data on August 18. The dating site’s reputation did take quite a hit from the breach, however, which revealed some questionable business practices by the company.
3. Securus Hack Leads to Data Breach of 70 Million Prisoner Phone Calls
In November, an anonymous hacker leaked over 70 million recordings of inmate phone calls made using phone services provided by Securus Technologies. The recordings include phone calls made by prisoners between December 2011 through spring of 2014, spanning prisons in 37 states. The motive behind the data breach is best described as hacktivism, as the hacker claimed to have carried out the attack due to their belief that Securus’ recording of prisoner phone calls – particularly between inmates and their attorneys – could be in violation of those inmates’ constitutional rights. Of the 70 million recordings, at least 14,000 have been determined to be calls between inmates and lawyers.
2. Anthem Loses 80 Million Customer Records in “Sophisticated Attack”
Image via Darron Cummings/Associated Press.
2015 kicked off with Anthem’s disclosure of the loss of 80 million personal records stolen in a “sophisticated attack” discovered in January. The breach came on the heels of a 2014 warning from the FBI stating that hackers are targeting companies in the health industry. The FBI’s warning proved true, with Anthem going down as the first major healthcare provider to fall victim to a hacking attack in 2015. Data stolen includes names, birthdates, email addresses, Social Security Numbers, and medical IDs. After the breach was discovered, Anthem launched Anthemfacts.com to inform customers and offered 24 months of free identity theft repair and credit monitoring to those affected. As with the breaches at OPM, the perpetrators have not been named publicly, but it is widely believed that this breach was also carried out by hackers in China.
1. Database Server Misconfiguration Exposes Personal Information on 191 Million Registered Voters
Image via Newsy/Getty Images/John Moore.
2015 ended with a bang on the data breach front, as security researcher Chris Vickery disclosed his discovery of a misconfigured database server that left information on 191 million registered voters openly exposed on the internet. The incident proved to be the largest data breach by volume discovered in 2015, trumping Anthem’s 80 million record breach at the start of the year. Information exposed included names, phone numbers, addresses, birthdates, email addresses, and party affiliations. The database was taken offline soon after the announcement, but the incident still served to underscore privacy concerns, particularly for such a large and far-reaching volume of personal data.
