As was the case in 2014, it hasn’t taken long this year for some serious data breaches to occur. Here are the stories that have gotten our attention. Note: This post will be continuously updated as new data breaches are reported.
Anthem, the second-largest U.S. health insurance company, reported in February 2015 the biggest healthcare breach in history, with as many as 80 million customers at risk. In a statement posted on the company’s website, CEO Joseph Swedish noted that attackers may have access to information like names, Social Security numbers, medical IDs, employment information and income data. The company has set up a FAQs page with identity theft protection tips and details about what you should do if you believe you are a victim.
Only six weeks after the Anthem breach, another health insurance company, Premera Blue Cross reported that up to 11 million customers may have been involved in a data breach stemming from a sophisticated cyberattack on their company’s network. Of particular concern is that an investigation showed the initial digital break-in occurred in May 2014, which means attackers may have had access to Premera’s systems for eight months before anyone detected the breach.
International Bank Hack
Moscow-based security firm Kaspersky Labs rang an alarm bell in February 2015 about malware being used to target more than 100 banks in 30 countries. An international hacking ring has stolen as much as $1 billion in what could be the largest banking data breach ever, the firm’s report noted. The malware, which has been in place for nearly two years, causes cash to be dispensed from ATMs without any physical contact with the machines; hackers simply pick up the money.
In a quirky data breach event, Equifax sent hundreds of credit reports on other people to a woman in Maine who had ordered her own report. The data involved in each report was extensive, including Social Security numbers, credit histories and other data that could be used for identity theft. Although there were only 300 potential victims in this breach, the situation is a good reminder that not all security issues are caused by hackers — sometimes, a company’s internal system is the culprit for putting your information at risk.
CareFirst BlueCross BlueShield
News of another healthcare data breach struck in May. This time, CareFirst was the target. This breach involved 1.1 million member records, making it much smaller in scale than the Anthem and Premera cases. The alarming part of the story was how long it took for CareFirst to detect the breach, which had actually taken place in June 2014.
Internal Revenue Service
June 3, 2015: Lawmakers on Capitol Hill — not to mention taxpayers — were upset by the May revelation of a major data breach at the Internal Revenue Service. This incident featured international intrigue: According to CNN, the IRS suspected the breach originated in Russia and “allowed criminals to steal the tax returns of more than 100,000 people.”
August 17, 2015: In August 2015, the IRS revealed that the breach was much larger than they originally thought and they now believe an estimated 610,000 Americans were affected.
May also saw a third significant data breach; this one involved an online dating site with 64 million members. The U.K. news agency Channel 4 first reported the hack following an investigation of sites on the underground “dark web.” The stolen data included highly sensitive information (e.g. user sexual preferences and who “might be seeking extramarital affairs”) as well as more mundane personal details (e.g. dates of birth, email addresses, postal codes).
Office of Personnel Management
One of the largest thefts of government data was announced in June 2015 when as many as four million people may have had their personal records stolen from the Office of Personnel Management. The federal office, which handles security clearances, background checks, pension payments, and other human resources-related tasks, is believed to have been the victim of hackers working on behalf of the Chinese government.
St. Louis Cardinals/Houston Astros
Another cheating scandal rocked two professional sports teams, but for this incident, the Federal Bureau of Investigation (FBI) got involved. In June, it was alleged that the Houston Astros had their internal computer system hacked by the St. Louis Cardinals. The system, named Ground Control, holds notes about trade discussions and baseball players.
July 15, 2015: Ashley Madison, a controversial website for married individuals looking to have an affair, was targeted by hackers. The hacking group called “The Impact Team” was allegedly upset that Ashley Madison would only let clients fully delete data if they paid a fee — but the company still kept a record of the deleted information. The hackers threatened to release personal customer information if the website was not permanently shut down.
August 18, 2015: After Ashley Madison failed to shut down their website, hackers stayed true to their word and revealed sensitive information surrounding the site’s approximately 37 million users. The fall-out has been immense — Ashley Madison and its parent company Avid Life Media Inc. are facing lawsuits, the Ashley Madison CEO has stepped down, and there are reports of extortion, marriages ending, and even suicide.
In July 2015, national pharmacy chain CVS had to shut down their online photo center after a security breach was discovered. An independent vendor manages and hosts CVSphoto.com and the credit card information collected by them may have been compromised. CVS announced that any customers who used their credit cards on CVSphoto.com should monitor their credit card statements for any suspicious activity. In-store customers and all other CVS-owned websites like CVS.com and optical.cvs.com were not affected by the breach.
UCLA Health System
4.5 million patients in the UCLA Health System’s computer network may have had personal information stolen by hackers before July 2015. The investigation is ongoing, and it is unclear as to when the breach occurred, but FBI investigators did determine that hackers gained access to parts of the network that contained patient information. UCLA sent letters to individuals who may have had information stolen, including names, Social Security numbers, dates of birth, and health plan identification numbers.
At the end of July 2015, details regarding a late May/early June breach at United Airlines emerged. Investigators believe the cyber attack was carried out by hackers backed by the Chinese government — the same hackers responsible for this year’s breaches at the U.S. Office of Personnel and Anthem, Inc. Flight manifests were among the stolen data, which included passenger names, birthdates, origins, and destinations.
September 2015 began with the discovery that hackers had targeted owners of “jailbroken” iPhones and stole more than 225,000 Apple accounts using malware, nicknamed KeyRaider. CNN Money reported the hackers then uploaded software that allowed the public to download iTunes apps for “free,” using the victims’ information to pay for the downloads.
In October 2015, it was announced that Experian, a major credit bureau, experienced a data breach in which hackers stole the personal information of 15 million T-Mobile customers. T-Mobile used Experian to conduct credit checks on potential customers and anyone who applied for regular T-Mobile USA postpaid plans between September 1, 2013 and September 16, 2015 may have been affected. CNN Money reported that hackers took customer names, addresses, Social Security numbers, birthdays, driver’s license numbers, military ID numbers, and passport numbers, though it’s not clear yet what the hackers have or will do with that information.
Law Enforcement Enterprise Portal
In November 2015, an FBI-run law enforcement portal — LEO.gov — was breached by a hacker group called Crackas With Attitude (CWA). CWA broke in to the portal, stole law enforcement officials’ personal data, and posted the information online. Speaking with WIRED, CWA said they are not trying to hurt innocent people — just the U.S. government. The group claims to be fighting for Palestine’s freedom and wants the U.S. government to stop funding Israel.
In early November, Comcast announced that roughly 200,000 of its customers would need to reset their login information. The reason? Their Comcast email addresses and corresponding passwords were up for sale on a shadowy website.
The cable giant claimed it had not been hacked. Security and risk management site CSO speculated that users who had their information exposed “were possible Phishing victims, had malware installed on their systems, or had their Comcast email and password exposed during one or more of the massive data breaches that have gone public over the last few years.”
Just two months earlier, Comcast agreed to pay a $33 million fine for accidentally posting the personal details of about 75,000 customers.
JPMorgan Chase + 14 Other Companies
In November 2015, the details of a massive hacking scheme that affected 15 companies and more than 100 million people from 2012 until mid-2015 came to light. JPMorgan Chase customers made up over 80% of the victims who had personal information stolen, while other victims included customers of TD Ameritrade, Scottrade, and News Corp.’s Dow Jones unit, among other companies. Manhattan U.S. Attorney Pretty Bharara called the massive breach the “largest theft of customer data from a U.S. financial institution in history.” The three main hackers involved have been charged; authorities say they were trying to support stock manipulation schemes, payment-processing schemes, and gambling.
Days before Thanksgiving, Hilton Worldwide acknowledged a security breach that may have affected guests at any of its 4,500 hotels around the world. The Wall Street Journal reported that malware was found in the company’s payment systems and could have collected customer names, credit or debit card numbers, security codes, and expiration dates. Hilton is asking all guests who stayed at any of their properties between April 21 to July 27, 2015 or November 18 to December 5, 2014 to check their account statements for signs of fraud.
VTech Holdings Ltd.
At the beginning of December 2015, Hong Kong-based VTech Holdings Ltd. announced that their Learning Lodge database had been compromised weeks earlier on November 14. The personal information of 6.4 million children and 4.9 million parents was stolen, including the full names, genders, and birthdates of kids. The hacker responsible also said they were able to obtain thousands of pictures of kids and parents, chat logs, and audio recordings. Although the hacker has said that he or she does not plan to do anything with the information, security professionals are more skeptical.
Make Sure You Stay Vigilant
As the rate of these 2015 data breaches demonstrates, security and identity theft are ongoing issues, so it’s a good idea to check your bank account and credit card statements regularly. Be on the lookout for suspicious activity, and remain aware about potential threats coming in over email and regular mail. In addition, you should consider adding another layer of protection by enrolling in IdentityForce’s UltraSecure+Credit. Your personal information will be monitored 24/7, and you’ll be notified immediately of any suspicious activity. If anything does happen, IdentityForce will be with you every step of the way, so you can quickly restore your identity.
Image courtesy of Flickr user Perspecsys Photos.