10Fold, a full-service B2B technology public relations agency, today announced that more than 193.4 million personal records are vulnerable to identity theft and fraud attributed to the top data breaches of 2015. In its year-in-review, 10Fold analyzed 720 data breaches that occurred throughout the year and highlighted seven of the largest.
“As the research 10Fold has conducted clearly shows, security never sleeps. Each of the top seven data breaches compromised more than 5 million records, indicating that attackers are becoming stealthier, are employing more sophisticated techniques and are going after bigger and more lucrative targets,” said Angela Griffo, vice president of the security practice at 10Fold. “What’s more, our research indicates that cyber criminals are increasingly going after targets in the medical and healthcare verticals, which store valuable patient data that can’t be reissued like a credit card. Looking at the top breaches at year’s end allows us to detect patterns while also giving us a glimpse of what we can expect to see in the future.”
News reports about the seven largest data breaches, which are listed below, indicated that each of the attacks affected more than five million users. 10Fold selected these data breaches based on independent research and review of third-party resources such as ID Theft Resource Center and Information is beautiful.
Largest Insider Breaches of 2015:
- Excellus BlueCross BlueShield:Excellus BlueCross BlueShield announced that it was the victim of a sophisticated attack after hackers gained access to its information technology systems dating as far back as December 2013. This attack followed a series of healthcare hacks that had started at the beginning of the year. The Excellus hack in particular compromised the personal identifiable information of more than 10 million members, making this the third-largest healthcare breach in 2015. The exposed information, which includes names, birth dates, Social Security numbers, member identification numbers, financial account information and claims information, leaves members vulnerable to fraud and identity theft.
- Premera Blue Cross: One month after the breach at Anthem Blue Cross, Premera Blue Cross released a statement saying it had experienced a cyber attack affecting up to 11 million members. The hack was discovered by the organization on January 29 of this year, although the initial attack dates back to May 2014. Premera’s investigation team determined that attackers infiltrated the organization’s information technology system, which allowed them to access applicants’ and members’ personal information, such as names, birth dates, Social Security numbers, member identification numbers and bank account information. Affected customers included employees of Microsoft, Starbucks and Amazon.
- VTech:VTech was hit by the first data breach to ever directly target children; an unauthorized party accessed customer data through the Learning Lodge app store customer database and Kid Connect servers on November 14. According to the company, the attack affected 6.4 million children and 4.9 million customer (parent) accounts worldwide, exposing personally identifying information such as names, passwords, IP addresses, download history, and children’s gender and birth dates.
- Experian/T-Mobile: Experian North America stated that attackers breached a server in one of its business units that contained personally identifiable information for approximately 15 million T-Mobile customers. The data included names, birth dates, addresses and Social Security numbers and/or an alternative form of ID, such as drivers’ license numbers. The breach occurred, in part, because T-Mobile shared customer information with Experian to process required credit checks for service or device financing. Breaches such as these underscore that when customers share their information with a business, their personal data isn’t always kept private.
- OPM:The Federal Office of Personnel Management announced that a cyber attack compromised the records of more than 21.5 million citizens, enabling attackers to gain access to highly personal information contained on background investigation applications. Altogether, the attack affected 19.7 million individuals who applied for security clearances, 1.8 million relatives and other government personnel associates, and 3.6 million current and former government employees. What’s more, the stolen data also included 5.6 million fingerprint records belonging to the background-check applicants. According to news reports, the breach caused U.S. intelligence and law enforcement officials to be concerned about the theft of data on government forms submitted for security clearances. And with good reason — these applicants share detailed information about themselves, including mental-health history and previous relationships. Hackers that gain access to the identity and fingerprints of employees with existing security clearances can cause serious, and irreparable damage to users’ privacy.
- Ashley Madison:The hacker group identified as The Impact Team claimed to have accessed Ashley Madison’s user database, financial records and other proprietary information, including the personal data of 37 million users. A manifesto written by The Impact Team disclosed that the “full delete” feature on Ashley Madison was a lie — that the company did not scrub the personally identifiable information of customers who opted to have their profile and history deleted, but instead kept their payment information and purchase details, which hold identifiable information. The manifesto also instructed Avid Life Media (ALM), the parent company of Ashley Madison, to permanently delete the forums of Ashley Madison or they would release all customer information. ALM opted to keep the site running and consequently, The Impact Team released the customer records two months later.
- Anthem:The largest healthcare data breach in history occurred at the beginning of 2015. Anthem announced in February that it was the victim of a data breach that resulted in the theft of approximately 78.8 million highly sensitive patient records. By the end of the month, Anthem disclosed that the breach likely impacted an additional 8.8 to 18.8 million non-patient records that included names, birth dates, Social Security numbers, addresses and employment data. The attack on Anthem was the beginning of a series of healthcare hacks this year, including assaults on Premera Blue Cross, CareFirst BlueCross BlueShield, UCLA Health Systems and Excellus BlueCross BlueShield.