October 27, 2016

Share Everywhere

The Biggest Data Breaches in 2016, So Far

2015 saw some of the largest data breaches ever, and while companies continue to fight the good fight against hackers and identity theft, we have no doubt 2016 will bring some breaches no one could never expect. Here are some major 2016 breaches from around the world that are important to be aware of.

Note: This post will be continuously updated throughout 2016 as new data breaches are reported.


January 25, 2016: FACC, an Austrian-based aerospace parts manufacturer (with clients like Airbus and Boeing), announced they fell victim to hackers in January 2016. The criminals, however, seemed to ignore the company’s data and intellectual property, opting to instead steal approximately €50 million — which is equivalent to about $54.5 million U.S. dollars. FACC says that while they are investigating the extent of the damage and how it happened, their normal operations have not been affected.

University of Central Florida

February 8, 2016: At the beginning of February 2016, the University of Central Florida announced a data breach that affected approximately 63,000 current and former students, faculty, and staff. The breach was discovered in January, but before making the incident public, the university reported it to law enforcement and conducted an internal investigation. Unknown cyber criminals compromised the university’s computer system and stole a variety of information including Social Security numbers, first and last names, and student/employee ID numbers.

U.S. Department of Justice

February 9, 2016: Hackers angry about U.S. relations with Israel tried to call attention to their cause in February 2016 by breaching the U.S. Department of Justice’s database. CNN reported the hackers released data on 10,000 Department of Homeland Security employees one day, and then released data on 20,000 FBI employees the next day. Information stolen included names, titles, phone numbers, and e-mail addresses; the Department of Justice does not believe that any sensitive information, like Social Security numbers, was obtained. Tweeting from the account @DotGovs, the hackers said it took one week for the Department of Justice to realize that their systems had been compromised.

Internal Revenue Service

February 29, 2016: The Internal Revenue Service (IRS) announced that the data breach they uncovered in May 2015 was much larger than initially believed. In May, the IRS said over 100,000 American taxpayers had their personal information compromised when the agency’s “Get Transcript” system was hacked. However, in February 2016, those numbers have been increased to over 700,000. The IRS thinks a sophisticated Russia-based criminal operation is responsible for the data breach and that identities were stolen to file fraudulent tax returns in the future.

UC Berkeley

February 29, 2016: The financial data of more than 80,000 University of California, Berkeley students, alumni, employees, and school officials was compromised around December 2015 and announced to the public in February 2016. The school says that although it was clear their system was hacked, it does not appear that any information was stolen. Those who may have been affected were notified and encouraged to keep an eye on their personal information.


March 3, 2016: 700 current and former Snapchat employees had their personal information stolen when hackers used a phishing scam to trick an employee into e-mailing them the private data. Posing as Snapchat chief executive Evan Spiegel, the attackers simply requested — and received — sensitive employee information including names, Social Security numbers, and wage/payroll data. It is presently unclear who is responsible for the attack or how they may use the information they stole.

21st Century Oncology

March 10, 2016: 21st Century Oncology, a Fort Myers-based company offering cancer care services, revealed in a statement on their website that 2.2 million patients may have had personal information stolen when the company’s system was breached in October 2015. The breach was discovered in November 2015, but the FBI discouraged the company from making a public announcement until March, as the investigation was ongoing. Though there is no evidence that the data has been used in any way, hackers did have access to patient names, Social Security numbers, doctor names, diagnosis and treatment information, and insurance information.

Premier Healthcare

March 10, 2016: A data breach was reported by Premier Healthcare, a multispecialty provider healthcare group, after a laptop computer was stolen from the billing department of their Bloomington, Indiana headquarters. The laptop was protected by a password, but it was not encrypted and contained sensitive data pertaining to more than 200,000 patients. Most victims affected had their names, dates of birth, and other basic information compromised, but Premier Healthcare says that 1,769 individuals may have had their Social Security numbers or financial information taken as well.

Verizon Enterprise Solutions

March 25, 2016: Verizon Enterprise Solutions, a division of Verizon known for providing IT services and data breach assistance to businesses and government agencies around the world, was hit by hackers who stole the information of about 1.5 million customers. The data was found for sale in an underground cybercrime forum by cybersecurity journalist Brian Krebs. Verizon acknowledged the breach, saying that they’ve found the security flaw, and are working to contact affected customers.

Systema Software

March 28, 2016: A data breach at California-based Systema Software was not the result of hackers, but an internal error during a system upgrade in which data storage was set up improperly and made publicly available on the Internet. Chris Vickery, a white-hat hacker, found the information online and reported it to the proper authorities — by that point, customer information had been exposed for 75 days. Affected customers include the Kansas State Self Insurance Fund, the CSAC Express Insurance Authority, American All-Risk Loss Administrators/Risico, Millers Mutual Group, Crosswalk Claims Management, and Salt Lake County. Currently, it is not believed that any of the personal information has been used illegally.

Tidewater Community College

March 28, 2016: Current and former employees of Tidewater Community College (TCC) in Norfolk, Virginia had their personal information stolen in a tax season phishing scam. An employee in the school’s finance department received a request from a fake TCC e-mail address asking for all employee W-2 information. The individual, not realizing the e-mail was fake, responded with sensitive information including names, earnings, and Social Security numbers. TCC’s spokesperson has said that at least 16 TCC employees have reported false tax returns filed under their Social Security numbers.

MedStar Health Inc.

March 30, 2016: The FBI is investigating a computer virus that paralyzed MedStar Health-operated hospitals in Maryland and Washington. Officials are trying to determine whether the virus was ransomware, which holds a company’s systems “hostage” until a specific dollar amount is paid. It is not immediately clear whether any patient information was stolen, but with the popularity of medical identity theft among hackers, it is certainly possible that personal data was compromised.

Philippine Commission on Elections

April 11, 2016: A breach of the database for the Philippe Commission on Elections (COMELEC) prompted Infosecurity Magazine to say it “could rank as the worst government data breach anywhere.” It is believed that the personal information of every single voter in the Philippines — approximately 55 million people — was compromised on March 27, 2016 by Anonymous; LulzSec Pilipinas published the database online a few days later and those private details are now available online for anyone to steal and engage in all different types of identity theft. Anonymous’ actions were allegedly an effort to push COMELEC to turn on security features in the vote counting machines before the national elections on May 9.

Multiple Major E-mail Providers

May 5, 2016: Milwaukee-based Hold Security discovered more than 270 million e-mail usernames and passwords being given away for free in the Russian criminal underground. It is unknown how all of the accounts were stolen, but Hold counted about 57 million Mail.ru accounts, 40 million Yahoo accounts, 33 million Hotmail accounts, and 24 million Gmail addresses. There were also hundreds of thousands of German and Chinese email providers, along with username/password combinations that seem to belong to employees of major banking, manufacturing, and retail companies.


May 11, 2016: In January 2016, Wendy’s began investigating a potential data breach after receiving reports of unusual activity involving payment cards at some of their restaurant locations. The details of that investigation became public in May, as the fast food chain revealed that less than 5 percent of its restaurants were affected. The company believes that malware infiltrated one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015. Security expert Brian Krebs said many bank and credit unions “have been grumbling about the extent and duration of the breach” and that it seems some breached Wendy’s locations were still leaking customer card data as late as the end of March 2016 into early April.

June 16, 2016 Update: In June 2016, Wendy’s announced that their data breach was worse than they originally thought. The company did not provide much additional information — only that “additional malicious cyber activity has recently been discovered in some franchise-operated restaurants.” They said that they disabled the newly discovered malware, but that “the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated.” Wendy’s is continuing to work with security experts and federal law enforcement who are investigating the breach. Customers with questions can call 888-846-9467 or email PaymentCardUpdate@wendys.com


May 17, 2016: A 2012 data breach came back to haunt LinkedIn when 117 million email and password combinations stolen by hackers four years ago popped up online. At the time the breach occurred, members who had been affected were told to reset their passwords. That information then became publicly available in May 2016. LinkedIn acted quickly to invalidate passwords of all LinkedIn accounts that were created prior to the 2012 breach and had not undergone a reset since the breach. It is not clear who stole the information or published it online, but LinkedIn is actively working with law enforcement officials.

Newkirk Products

August 12, 2016: In August 2016, Newkirk Products, a service provider that issues healthcare ID cards, announced a data breach that may have affected up to 3.3 million people. Unknown hackers were able to gain access to a server that contained sensitive member information, including names, mailing addresses, dates of birth, and details about health insurance plans. At this time, it does not appear that any of the stolen information has been used maliciously.


August 12, 2016: The company that owns the MICROS point-of-sale system, used in more than 330,000 cash registers around the world, became the victim of a data breach, which was announced to the public in August of 2016. At the time the breach was uncovered by security expert Brian Krebs, it was unclear as to the size and scope; Krebs did say that a large Russian cybercrime group was likely to blame and that they had placed malware on company computers and on the MICROS customer support portal to steal usernames and passwords. Many experts also believe the hackers were probably able to plant malware in the MICROS point-of-sale systems and that they could be responsible for major data breaches at retailers around the country.


September 2, 2016: The popular file-hosting service was forced to confront a data breach from four years ago that affected more users than originally believed. In 2012, Dropbox helped a small amount of users secure their accounts after some usernames were stolen. At the end of August 2016, however, it was revealed that more than 68 million Dropbox users had their usernames and passwords compromised in that initial breach. It does not look like the accounts have been illegally accessed at this time, and all Dropbox users who have not reset their passwords since 2012 have been prompted by the company to do so.


September 22, 2016: In what may be the most expansive data breach of all time, Yahoo announced that a hacker had stolen information from a minimum of 500 million accounts in late 2014. The thief, believed to be working on behalf of a foreign government, stole e-mail addresses, passwords, full user names, dates of birth, telephone numbers, and in some cases, security questions and answers. At the time of the breach announcement, Yahoo was still working with law enforcement and the FBI on an investigation.


October 20, 2016: Over 43 million Weebly users were notified about a data breach that happened in February, but was just discovered in October. Stolen data included usernames, passwords, e-mail addresses, and IP information, but Weebly does not believe any type of financial information was stolen because it does not store full credit card numbers on its servers. Hackers were not able to log directly into customer websites because passwords were protected by bcrypt hashing.

National Payment Corporation of India

October 20, 2016: The National Payment Corporation of India (NPCI) was notified by international banks, primarily in the U.S. and China, that some of its customers’ debit cards were being used illegally. Experts believe the breach began with a malware attack that originated at an ATM. The NPCI said that 32 lakh debit cards across 19 Indian banks were compromised, but customers were contacted to change the debit card PINs and customers they couldn’t reach had their cards canceled and were issued new ones.

Judy Leary

President at IdentityForce
For Judy, identity theft protection is in her DNA—her dad started IdentityForce’s parent company in the 70s, and in the 80s, she and her brother came on board. She loves her dedicated team and how much they care about every member, partner, and supplier. In addition to protection against identity theft, Judy is passionate about travel (Aruba is her “happy place”!) and giving back. She volunteers for the Alzheimer’s Association, Mazie Mentoring Program, and Sunshine Golden Retriever Rescue. She’s also a proud mom to 2 grown daughters and 3 rescue dogs.

Latest posts by Judy Leary (see all)

One Response to The Biggest Data Breaches in 2016, So Far

  1. Alexis Dix says:

    I am glad that I am currently taking a MOOC (Massive Open Online Course) on FutureLearn called “Introduction to Cybersecurity.” It is abundantly clear that everyone is at risk in this day and age.

Join The Discussion

Your email address will never be published.