What You Need to Know:
While companies continue to fight the good fight against hackers and identity theft, we have no doubt that 2016 will introduce data breaches no one could ever expect. Review this list of major data breaches in 2016 from around the United States and around the world.
January 25, 2016: FACC, an Austrian-based aerospace parts manufacturer (with clients like Airbus and Boeing), announced they fell victim to hackers in January 2016. The criminals, however, seemed to ignore the company’s data and intellectual property, opting to instead steal approximately €50 million (approximately $54.5 million). FACC says that while they are investigating the extent of the damage and how it happened, their normal operations have not been affected.
SOURCE | Reuters
University of Central Florida
February 8, 2016: At the beginning of February 2016, the University of Central Florida announced a data breach impacting 63,000 current and former students, faculty and staff. The breach was discovered in January but before making the incident public, the university reported it to law enforcement and conducted an internal investigation. Unknown cybercriminals compromised the university’s computer system and stole a variety of information including Social Security numbers, first and last names and student/employee ID numbers.
SOURCE | USA Today
U.S. Department of Justice
February 9, 2016: Hackers breached the U.S. Department of Justice’s database, releasing data on 10,000 Department of Homeland Security employees one day and then 20,000 FBI employees next. The information stolen included names, titles, phone numbers and email addresses. The Department of Justice does not believe that any sensitive information, like Social Security numbers, was obtained. Tweeting from the account @DotGovs, the hackers said it took one week for the Department of Justice to realize that their systems had been compromised.
SOURCE | CNN
Internal Revenue Service
February 29, 2016: The Internal Revenue Service (IRS) announced that the data breach they uncovered in May 2015 was much larger than initially believed. In May, the IRS said over 100,000 American taxpayers had their personal information compromised when the agency’s “Get Transcript” system was hacked. However, in February 2016, those numbers increased to over 700,000. The IRS thinks a sophisticated Russia-based criminal operation is responsible for the data breach and that identities were stolen to file fraudulent tax returns in the future.
SOURCE | USA Today
February 29, 2016: A cyberattack on a system storing Social Security or bank account numbers of more than 80,000 University of California, Berkeley students, alumni, employees and school officials were compromised around December 2015 and announced to the public in February 2016. The school says that although it was clear their system was hacked, it does not appear that any information was stolen. Those who may have been affected were notified and encouraged to keep an eye on their personal information.
SOURCE | UCBerkeley News
March 3, 2016: An undisclosed number of current and former Snapchat employees had their personal information stolen when attackers used a phishing scam to trick an employee into emailing them the private data. Posing as Snapchat chief executive Evan Spiegel, the attackers simply requested — and received — sensitive employee information including names, Social Security numbers and wage/payroll data. It is presently unclear who is responsible for the attack or how they may use the stolen information.
SOURCE | TechCrunch
21st Century Oncology
March 10, 2016: A Fort Myers-based company offering cancer care services, 21st Century Oncology, revealed in a statement that 2.2 million patients may have had personal information stolen when the company’s system was breached in October 2015. Attackers accessed patient names, Social Security numbers, diagnosis and treatment information, doctor names and insurance information.
SOURCE | Federal Trade Commission
March 10, 2016: A data breach was reported by Premier Healthcare, a multispecialty provider healthcare group, after a laptop computer was stolen from the billing department of their Bloomington, Indiana headquarters. The laptop was protected by a password but it was not encrypted and contained sensitive data pertaining to more than 200,000 patients. Most victims affected had their names, dates of birth and other basic information compromised, but Premier Healthcare says that 1,769 individuals may have had their Social Security numbers or financial information taken as well.
SOURCE | HealthCareITNews
Verizon Enterprise Solutions
March 25, 2016: Verizon Enterprise Solutions, a division of Verizon known for providing IT services and data breach assistance to businesses and government agencies around the world, had the information of about 1.5 million customers stolen. The data was found for sale in an underground cybercrime forum by cybersecurity journalist Brian Krebs. Verizon acknowledged the breach, saying that they’ve found the security flaw and are working to contact affected customers.
SOURCE | TheVerge
March 28, 2016: A data breach at California-based Systema Software was caused by an internal error during a system upgrade in which data storage was set up improperly and made publicly available on the internet. Chris Vickery, a white-hat hacker, found the information online and reported it to the proper authorities. The personal identifiers, medical records, names and contact information of 8,000 customers already had been exposed for 75 days. Affected customers include the Kansas State Self Insurance Fund, the CSAC Express Insurance Authority, American All-Risk Loss Administrators/Risico, Millers Mutual Group, Crosswalk Claims Management and Salt Lake County.
SOURCE | The Salt Lake Tribune
Tidewater Community College
March 28, 2016: Current and former employees of Tidewater Community College (TCC) in Norfolk, Virginia had their personal information stolen in a tax season phishing scam. An employee in the school’s finance department received a request from a fake TCC email address asking for all employee W-2 information. The individual, not realizing the email was fake, responded with sensitive information including names, earnings and Social Security numbers. TCC’s spokesperson has said that at least 16 TCC employees have reported false tax returns filed under their Social Security numbers.
SOURCE | Data Privacy + Security Insider
Philippine Commission on Elections
April 11, 2016: A breach of the database for the Philippine Commission on Elections (COMELEC) on March 27, 2016 is believed to have compromised the personal information of every single voter in the Philippines — approximately 55 million people. LulzSec Pilipinas, a black hat computer hacking group, published the database online a few days later and those private details were made available online for anyone to steal and engage in all different types of identity theft.
SOURCE | Infosecurity Magazine
Multiple Major Email Providers
May 5, 2016: Milwaukee-based Hold Security discovered more than 270 million email usernames and passwords posted online for free in the Russian criminal underground. It is unknown how all of the accounts were stolen, but Hold Security counted about 57 million Mail.ru accounts, 40 million Yahoo accounts, 33 million Hotmail accounts and 24 million Gmail addresses. There were also hundreds of thousands of German and Chinese email providers, along with username/password combinations that seem to belong to employees of major banking, manufacturing and retail companies.
SOURCE | Reuters
May 11, 2016: In January 2016, Wendy’s began investigating a potential data breach after receiving reports of unusual activity involving payment cards at some of their restaurant locations. The details of that investigation became public in May, as the fast-food chain revealed that less than 5% of its restaurants were affected. The company believes that malware infiltrated a point-of-sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015. Security expert Brian Krebs reported that it seems some breached Wendy’s locations were still leaking customer card data as late as the end of March 2016 into early April.
SOURCE | Wendy’s
May 17, 2016: A 2012 data breach came back to haunt LinkedIn when 117 million email and password combinations stolen four years ago popped up online. At the time the breach occurred, members who had been affected were told to reset their passwords. That information then became publicly available in May 2016. LinkedIn acted quickly to invalidate passwords of all LinkedIn accounts that were created prior to the 2012 breach and had not undergone a reset since the breach.
SOURCE | LinkedIn
August 12, 2016: In August 2016, Newkirk Products, a service provider that issues healthcare ID cards, announced a data breach that may have affected up to 3.3 million people. Hackers were able to gain access to a server that contained sensitive member information, including names, mailing addresses, dates of birth and details about health insurance plans.
SOURCE | HIPAA Journal
August 12, 2016: Oracle, the company that owns the MICROS point-of-sale system used in more than 330,000 cash registers around the world, became the victim of a data breach, which was announced to the public in August of 2016. At the time the breach was uncovered by security expert Brian Krebs, it was unclear as to the size and scope. Krebs reported that a large Russian cybercrime group was suspected of placing malware on company computers and on the MICROS customer support portal to steal usernames and passwords.
SOURCE | Krebs on Security
September 2, 2016: Dropbox, a popular file-hosting service, was forced to confront a data breach from four years ago that affected more users than originally believed. In 2012, Dropbox helped a small amount of users secure their accounts after some usernames were stolen. At the end of August 2016, however, it was revealed that more than 68 million Dropbox users had their usernames and passwords compromised in that initial breach.
SOURCE | The Washington Post
September 22, 2016: Yahoo, an American web services provider, announced that at least 500 million out of their 1 billion users were impacted in a cyberattack. The hacker accessed email addresses, passwords, full usernames, dates of birth, telephone numbers and, in some cases, security questions and answers.
SOURCE | CNN
October 20, 2016: 43 million Weebly users were notified about a data breach. Stolen data includes usernames, passwords, email addresses and IP information, but Weebly does not believe any type of financial information was stolen because it does not store full credit card numbers on its servers.
SOURCE | TechCrunch
National Payment Corporation of India
October 20, 2016: The National Payment Corporation of India (NPCI) was notified by international banks, primarily in the U.S. and China, that some of its customers’ debit cards customers’ debit cards were being used illegally. Experts believe that the breach began with a malware attack that originated at an ATM. The NPCI confirmed that 3.25 million lakh debit cards across 19 Indian banks were compromised. Customers were contacted to change the debit card PINs and customers they couldn’t reach had their cards canceled and were issued new ones.
SOURCE | Reuters
November 3, 2016: An incorrect security setting on the mobile version of Cisco’s “Professional Careers” website created a privacy hole that exposed the personal information of job-seekers. The security vulnerability made sensitive data available between August and September 2015 and again from July to August 2016. That data included names, addresses, emails, phone numbers, usernames, passwords, answers to security questions, resumes, cover letters and voluntary information such as gender, race, veteran status and disability.
SOURCE | ZDNet
San Francisco Municipal Transportation Agency
November 25, 2016: San Francisco’s public railway system, known as Muni, was infected with malware which resulted in locked kiosks and computers, and two days of free rides for passengers until the system went back online on Sunday, November 27. The hackers claim to have 30GB of stolen data, which includes the personal information of employees and riders.
SOURCE | KPIX-TV
December 14, 2016: Less than three months after announcing a 2014 data breach that affected 500 million users, Yahoo did it again — and even bigger than before. In December, the company discovered another breach from 2013 that may have compromised the personal information of one billion Yahoo accounts, making it the largest data breach in history. At the time of the breach announcement, Yahoo did not have much additional information to share with the public, as it was still unclear who was responsible, how they got into the system and what they stole.
SOURCE | The New York Times