Cybercriminals were busy in 2015; data breaches were frequent and the damage that they caused was significant. Some reports indicate that there were over 700 data breaches in 2015 alone. And while certain breaches were on the smaller side of the spectrum, 2015 saw some of the largest data breaches ever. Hundreds of millions of people were victims of those unprecedented data breaches, proving that no one is safe from devious hackers who seem to be getting bolder.
Healthcare Industry Gets Hit Hard
Every year, major credit bureau Experian releases a data breach industry forecast for the coming year. While they never could have predicted their own major breach in 2015, they did hit the nail on the head when they forecasted the persistent and growing threat of healthcare breaches. The biggest healthcare targets this year were:
- Anthem – In February 2015, the second-largest U.S. health insurance company reported the biggest healthcare breach in history, with as many as 80 million customers at risk.
- Premera – Six weeks after the Anthem breach, Premera Blue Cross reported that up to 11 million customers may have been affected by a data breach.
- CareFirst BlueCross BlueShield – A smaller breach affecting the records of 1.1 million CareFirst members was uncovered in May 2015. The breach, however, took place in June 2014 and went undetected for nearly a year.
- UCLA Health System – 4.5 million patients in the UCLA Health System’s computer network may have had their personal information stolen before July 2015.
Hackers Go After the U.S. Government
Even the U.S. government is not immune when it comes to data breaches. In 2015, data breaches targeting the IRS, OPM, and LEO.gov didn’t sit well with the folks on Capitol Hill:
- Internal Revenue Service (IRS) – A breach that authorities believe originated in Russia allowed criminals to steal the tax returns of more than 610,000 Americans in May 2015.
- Office of Personnel Management (OPM) – One of the largest thefts of government data was announced in June 2015 when as many as four million people may have had their personal records stolen from the Office of Personnel Management.
- Law Enforcement Enterprise Portal – In November 2015, an FBI-run law enforcement portal — LEO.gov — was breached by a hacker group that stole law enforcement officials’ personal data and posted the information online.
Cyber Criminals with Moral Agendas
Most hackers are in it for the money, but there are others who steal data to make a point. Some of these cyber crusaders made headlines this year for carrying out some of the biggest — and most controversial — data breaches of 2015.
- Ashley Madison – In July 2015, a hacking group targeted this website for married individuals looking to have an affair. The group was upset that Ashley Madison would not only let clients fully delete their data after they paid a fee — but that the company still kept a record of the supposedly “deleted” information. When the company refused to shut down their website, hackers released the personal information of 37 million users, resulting in a huge fall-out.
- VTech Holdings Ltd. – The personal information of 6.4 million children and 4.9 million parents was stolen from the Learning Lodge database of Hong Kong-basked VTech Holdings Ltd in December 2015. The hacker said he or she does not plan to do anything with the information but they wanted to show parents how unsafe their children are while using VTech electronic toys.
The Full List of Breaches in 2015
Anthem, the second-largest U.S. health insurance company, reported in February 2015 the biggest healthcare breach in history, with as many as 80 million customers at risk. In a statement posted on the company’s website, CEO Joseph Swedish noted that attackers may have access to information like names, Social Security numbers, medical IDs, employment information and income data. The company has set up an FAQ page with identity theft protection tips and details about what you should do if you believe you are a victim.
Only six weeks after the Anthem breach, another health insurance company, Premera Blue Cross reported that up to 11 million customers may have been involved in a data breach stemming from a sophisticated cyberattack on their company’s network. Of particular concern is that an investigation showed the initial digital break-in occurred in May 2014, which means attackers may have had access to Premera’s systems for eight months before anyone detected the breach.
International Bank Hack
Moscow-based security firm Kaspersky Labs rang an alarm bell in February 2015 about malware being used to target more than 100 banks in 30 countries. An international hacking ring has stolen as much as $1 billion in what could be the largest banking data breach ever, the firm’s report noted. The malware, which has been in place for nearly two years, causes cash to be dispensed from ATMs without any physical contact with the machines; hackers simply pick up the money.
In a quirky data breach event, Equifax sent hundreds of credit reports on other people to a woman in Maine who had ordered her own report. The data involved in each report was extensive, including Social Security numbers, credit histories and other data that could be used for identity theft. Although there were only 300 potential victims in this breach, the situation is a good reminder that not all security issues are caused by hackers — sometimes, a company’s internal system is the culprit for putting your information at risk.
CareFirst BlueCross BlueShield
News of another healthcare data breach struck in May. This time, CareFirst was the target. This breach involved 1.1 million member records, making it much smaller in scale than the Anthem and Premera cases. The alarming part of the story was how long it took for CareFirst to detect the breach, which had actually taken place in June 2014.
Internal Revenue Service
June 3, 2015: Lawmakers on Capitol Hill — not to mention taxpayers — were upset by the May revelation of a major data breach at the Internal Revenue Service. This incident featured international intrigue: According to CNN, the IRS suspected the breach originated in Russia and “allowed criminals to steal the tax returns of more than 100,000 people.”
August 17, 2015: In August 2015, the IRS revealed that the breach was much larger than they originally thought and they now believe an estimated 610,000 Americans were affected.
May also saw a third significant data breach; this one involved an online dating site with 64 million members. The U.K. news agency Channel 4 first reported the hack following an investigation of sites on the underground “dark web.” The stolen data included highly sensitive information (e.g. user sexual preferences and who “might be seeking extramarital affairs”) as well as more mundane personal details (e.g. dates of birth, email addresses, postal codes).
Office of Personnel Management
One of the largest thefts of government data was announced in June 2015 when as many as four million people may have had their personal records stolen from the Office of Personnel Management. The federal office, which handles security clearances, background checks, pension payments, and other human resources-related tasks, is believed to have been the victim of hackers working on behalf of the Chinese government.
St. Louis Cardinals/Houston Astros
Another cheating scandal rocked two professional sports teams, but for this incident, the Federal Bureau of Investigation (FBI) got involved. In June, it was alleged that the Houston Astros had their internal computer system hacked by the St. Louis Cardinals. The system, named Ground Control, holds notes about trade discussions and baseball players.
July 15, 2015: Ashley Madison, a controversial website for married individuals looking to have an affair, was targeted by hackers. The hacking group called “The Impact Team” was allegedly upset that Ashley Madison would only let clients fully delete data if they paid a fee — but the company still kept a record of the deleted information. The hackers threatened to release personal customer information if the website was not permanently shut down.
August 18, 2015: After Ashley Madison failed to shut down their website, hackers stayed true to their word and revealed sensitive information surrounding the site’s approximately 37 million users. The fall-out has been immense — Ashley Madison and its parent company Avid Life Media Inc. are facing lawsuits, the Ashley Madison CEO has stepped down, and there are reports of extortion, marriages ending, and even suicide.
In July 2015, national pharmacy chain CVS had to shut down its online photo center after a security breach was discovered. An independent vendor manages and hosts CVSphoto.com and the credit card information collected by them may have been compromised. CVS announced that any customers who used their credit cards on CVSphoto.com should monitor their credit card statements for any suspicious activity. In-store customers and all other CVS-owned websites like CVS.com and optical.cvs.com were not affected by the breach.
UCLA Health System
4.5 million patients in the UCLA Health System’s computer network may have had personal information stolen by hackers before July 2015. The investigation is ongoing, and it is unclear as to when the breach occurred, but FBI investigators did determine that hackers gained access to parts of the network that contained patient information. UCLA sent letters to individuals who may have had information stolen, including names, Social Security numbers, dates of birth, and health plan identification numbers.
At the end of July 2015, details regarding a late May/early June breach at United Airlines emerged. Investigators believe the cyber attack was carried out by hackers backed by the Chinese government — the same hackers responsible for this year’s breaches at the U.S. Office of Personnel and Anthem, Inc. Flight manifests were among the stolen data, which included passenger names, birthdates, origins, and destinations.
September 2015 began with the discovery that hackers had targeted owners of “jailbroken” iPhones and stole more than 225,000 Apple accounts using malware, nicknamed KeyRaider. CNN Money reported the hackers then uploaded software that allowed the public to download iTunes apps for “free,” using the victims’ information to pay for the downloads.
In October 2015, it was announced that Experian, a major credit bureau, experienced a data breach in which hackers stole the personal information of 15 million T-Mobile customers. T-Mobile used Experian to conduct credit checks on potential customers and anyone who applied for regular T-Mobile USA postpaid plans between September 1, 2013 and September 16, 2015 may have been affected. CNN Money reported that hackers took customer names, addresses, Social Security numbers, birthdays, driver’s license numbers, military ID numbers, and passport numbers, though it’s not clear yet what the hackers have or will do with that information.
Law Enforcement Enterprise Portal
In November 2015, an FBI-run law enforcement portal — LEO.gov — was breached by a hacker group called Crackas With Attitude (CWA). CWA broke in to the portal, stole law enforcement officials’ personal data, and posted the information online. Speaking with WIRED, CWA said they are not trying to hurt innocent people — just the U.S. government. The group claims to be fighting for Palestine’s freedom and wants the U.S. government to stop funding Israel.
In early November, Comcast announced that roughly 200,000 of its customers would need to reset their login information. The reason? Their Comcast email addresses and corresponding passwords were up for sale on a shadowy website.
The cable giant claimed it had not been hacked. Security and risk management site CSO speculated that users who had their information exposed “were possible Phishing victims, had malware installed on their systems, or had their Comcast email and password exposed during one or more of the massive data breaches that have gone public over the last few years.”
Just two months earlier, Comcast agreed to pay a $33 million fine for accidentally posting the personal details of about 75,000 customers.
JPMorgan Chase + 14 Other Companies
In November 2015, the details of a massive hacking scheme that affected 15 companies and more than 100 million people from 2012 until mid-2015 came to light. JPMorgan Chase customers made up over 80% of the victims who had personal information stolen, while other victims included customers of TD Ameritrade, Scottrade, and News Corp.’s Dow Jones unit, among other companies. Manhattan U.S. Attorney Pretty Bharara called the massive breach the “largest theft of customer data from a U.S. financial institution in history.” The three main hackers involved have been charged; authorities say they were trying to support stock manipulation schemes, payment-processing schemes, and gambling.
Days before Thanksgiving, Hilton Worldwide acknowledged a security breach that may have affected guests at any of its 4,500 hotels around the world. The Wall Street Journal reported that malware was found in the company’s payment systems and could have collected customer names, credit or debit card numbers, security codes, and expiration dates. Hilton is asking all guests who stayed at any of their properties between April 21 to July 27, 2015, or November 18 to December 5, 2014, to check their account statements for signs of fraud.
VTech Holdings Ltd.
At the beginning of December 2015, Hong Kong-based VTech Holdings Ltd. announced that its Learning Lodge database had been compromised weeks earlier on November 14. The personal information of 6.4 million children and 4.9 million parents were stolen, including the full names, genders, and birthdates of kids. The hacker responsible also said they were able to obtain thousands of pictures of kids and parents, chat logs, and audio recordings. Although the hacker has said that he or she does not plan to do anything with the information, security professionals are more skeptical.
Also in December 2015, Landry’s Inc., the parent company of over 40 U.S. restaurant chains, confirmed they were investigating a potential data breach of customer payment cards at a number of their restaurants. Landry’s owns an expansive portfolio of hospitality brands including Morton’s Steakhouse, Bubba Gump Shrimp Factory, Rainforest Café, Claim Jumper and McCormick & Schmick’s, among others. In total, they own and operate more than 500 properties — many being seafood and steakhouses concentrated in popular tourist destinations. Restaurant locations were impacted for more than 17 months during two separate periods from May 4, 2014, to March 15, 2015, and again from May 5 to December 3, 2015.
There’s Hope for a Better 2016
Cybercriminals are getting smarter — but so are we. Consumers are learning how to keep their information safer, while businesses are implementing advanced security measures and developing data breach action plans. This year, the U.S. made the switch from traditional swipe-and-sign credit cards to the new EMV chip-card technology. This technology provides a much higher level of fraud protection and is a major step toward preventing credit card fraud and identity theft.
It may feel like the “bad guys” are getting more stealthy when it comes to data breaches, but don’t worry — so are the “good guys.” We think there’s a lot of hope for a much more secure 2016!
Image courtesy of Flickr user Claus Rebler.