The Biggest Data Breaches in 2016
2015 saw some of the largest data breaches ever, and while companies continue to fight the good fight against hackers and identity theft, we have no doubt 2016 will bring some breaches no one could never expect. Here are some major 2016 breaches from around the world that are important to be aware of.
Note: This post will be continuously updated throughout 2016 as new data breaches are reported.
January 25, 2016: FACC, an Austrian-based aerospace parts manufacturer (with clients like Airbus and Boeing), announced they fell victim to hackers in January 2016. The criminals, however, seemed to ignore the company’s data and intellectual property, opting to instead steal approximately €50 million — which is equivalent to about $54.5 million U.S. dollars. FACC says that while they are investigating the extent of the damage and how it happened, their normal operations have not been affected.
University of Central Florida
February 8, 2016: At the beginning of February 2016, the University of Central Florida announced a data breach that affected approximately 63,000 current and former students, faculty, and staff. The breach was discovered in January, but before making the incident public, the university reported it to law enforcement and conducted an internal investigation. Unknown cyber criminals compromised the university’s computer system and stole a variety of information including Social Security numbers, first and last names, and student/employee ID numbers.
U.S. Department of Justice
February 9, 2016: Hackers angry about U.S. relations with Israel tried to call attention to their cause in February 2016 by breaching the U.S. Department of Justice’s database. CNN reported the hackers released data on 10,000 Department of Homeland Security employees one day, and then released data on 20,000 FBI employees the next day. Information stolen included names, titles, phone numbers, and e-mail addresses; the Department of Justice does not believe that any sensitive information, like Social Security numbers, was obtained. Tweeting from the account @DotGovs, the hackers said it took one week for the Department of Justice to realize that their systems had been compromised.
Internal Revenue Service
February 29, 2016: The Internal Revenue Service (IRS) announced that the data breach they uncovered in May 2015 was much larger than initially believed. In May, the IRS said over 100,000 American taxpayers had their personal information compromised when the agency’s “Get Transcript” system was hacked. However, in February 2016, those numbers have been increased to over 700,000. The IRS thinks a sophisticated Russia-based criminal operation is responsible for the data breach and that identities were stolen to file fraudulent tax returns in the future.
February 29, 2016: The financial data of more than 80,000 University of California, Berkeley students, alumni, employees, and school officials was compromised around December 2015 and announced to the public in February 2016. The school says that although it was clear their system was hacked, it does not appear that any information was stolen. Those who may have been affected were notified and encouraged to keep an eye on their personal information.
March 3, 2016: 700 current and former Snapchat employees had their personal information stolen when hackers used a phishing scam to trick an employee into e-mailing them the private data. Posing as Snapchat chief executive Evan Spiegel, the attackers simply requested — and received — sensitive employee information including names, Social Security numbers, and wage/payroll data. It is presently unclear who is responsible for the attack or how they may use the information they stole.
21st Century Oncology
March 10, 2016: 21st Century Oncology, a Fort Myers-based company offering cancer care services, revealed in a statement on their website that 2.2 million patients may have had personal information stolen when the company’s system was breached in October 2015. The breach was discovered in November 2015, but the FBI discouraged the company from making a public announcement until March, as the investigation was ongoing. Though there is no evidence that the data has been used in any way, hackers did have access to patient names, Social Security numbers, doctor names, diagnosis and treatment information, and insurance information.
March 10, 2016: A data breach was reported by Premier Healthcare, a multispecialty provider healthcare group, after a laptop computer was stolen from the billing department of their Bloomington, Indiana headquarters. The laptop was protected by a password, but it was not encrypted and contained sensitive data pertaining to more than 200,000 patients. Most victims affected had their names, dates of birth, and other basic information compromised, but Premier Healthcare says that 1,769 individuals may have had their Social Security numbers or financial information taken as well.
Verizon Enterprise Solutions
March 25, 2016: Verizon Enterprise Solutions, a division of Verizon known for providing IT services and data breach assistance to businesses and government agencies around the world, was hit by hackers who stole the information of about 1.5 million customers. The data was found for sale in an underground cybercrime forum by cybersecurity journalist Brian Krebs. Verizon acknowledged the breach, saying that they’ve found the security flaw, and are working to contact affected customers.
March 28, 2016: A data breach at California-based Systema Software was not the result of hackers, but an internal error during a system upgrade in which data storage was set up improperly and made publicly available on the Internet. Chris Vickery, a white-hat hacker, found the information online and reported it to the proper authorities — by that point, customer information had been exposed for 75 days. Affected customers include the Kansas State Self Insurance Fund, the CSAC Express Insurance Authority, American All-Risk Loss Administrators/Risico, Millers Mutual Group, Crosswalk Claims Management, and Salt Lake County. Currently, it is not believed that any of the personal information has been used illegally.
Tidewater Community College
March 28, 2016: Current and former employees of Tidewater Community College (TCC) in Norfolk, Virginia had their personal information stolen in a tax season phishing scam. An employee in the school’s finance department received a request from a fake TCC e-mail address asking for all employee W-2 information. The individual, not realizing the e-mail was fake, responded with sensitive information including names, earnings, and Social Security numbers. TCC’s spokesperson has said that at least 16 TCC employees have reported false tax returns filed under their Social Security numbers.
MedStar Health Inc.
March 30, 2016: The FBI is investigating a computer virus that paralyzed MedStar Health-operated hospitals in Maryland and Washington. Officials are trying to determine whether the virus was ransomware, which holds a company’s systems “hostage” until a specific dollar amount is paid. It is not immediately clear whether any patient information was stolen, but with the popularity of medical identity theft among hackers, it is certainly possible that personal data was compromised.
Philippine Commission on Elections
April 11, 2016: A breach of the database for the Philippe Commission on Elections (COMELEC) prompted Infosecurity Magazine to say it “could rank as the worst government data breach anywhere.” It is believed that the personal information of every single voter in the Philippines — approximately 55 million people — was compromised on March 27, 2016 by Anonymous; LulzSec Pilipinas published the database online a few days later and those private details are now available online for anyone to steal and engage in all different types of identity theft. Anonymous’ actions were allegedly an effort to push COMELEC to turn on security features in the vote counting machines before the national elections on May 9.
Multiple Major E-mail Providers
May 5, 2016: Milwaukee-based Hold Security discovered more than 270 million e-mail usernames and passwords being given away for free in the Russian criminal underground. It is unknown how all of the accounts were stolen, but Hold counted about 57 million Mail.ru accounts, 40 million Yahoo accounts, 33 million Hotmail accounts, and 24 million Gmail addresses. There were also hundreds of thousands of German and Chinese email providers, along with username/password combinations that seem to belong to employees of major banking, manufacturing, and retail companies.
May 11, 2016: In January 2016, Wendy’s began investigating a potential data breach after receiving reports of unusual activity involving payment cards at some of their restaurant locations. The details of that investigation became public in May, as the fast food chain revealed that less than 5 percent of its restaurants were affected. The company believes that malware infiltrated one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015. Security expert Brian Krebs said many bank and credit unions “have been grumbling about the extent and duration of the breach” and that it seems some breached Wendy’s locations were still leaking customer card data as late as the end of March 2016 into early April.
June 16, 2016 Update: In June 2016, Wendy’s announced that their data breach was worse than they originally thought. The company did not provide much additional information — only that “additional malicious cyber activity has recently been discovered in some franchise-operated restaurants.” They said that they disabled the newly discovered malware, but that “the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated.” Wendy’s is continuing to work with security experts and federal law enforcement who are investigating the breach. Customers with questions can call 888-846-9467 or email PaymentCardUpdate@wendys.com
May 17, 2016: A 2012 data breach came back to haunt LinkedIn when 117 million email and password combinations stolen by hackers four years ago popped up online. At the time the breach occurred, members who had been affected were told to reset their passwords. That information then became publicly available in May 2016. LinkedIn acted quickly to invalidate passwords of all LinkedIn accounts that were created prior to the 2012 breach and had not undergone a reset since the breach. It is not clear who stole the information or published it online, but LinkedIn is actively working with law enforcement officials.
August 12, 2016: In August 2016, Newkirk Products, a service provider that issues healthcare ID cards, announced a data breach that may have affected up to 3.3 million people. Unknown hackers were able to gain access to a server that contained sensitive member information, including names, mailing addresses, dates of birth, and details about health insurance plans. At this time, it does not appear that any of the stolen information has been used maliciously.
August 12, 2016: The company that owns the MICROS point-of-sale system, used in more than 330,000 cash registers around the world, became the victim of a data breach, which was announced to the public in August of 2016. At the time the breach was uncovered by security expert Brian Krebs, it was unclear as to the size and scope; Krebs did say that a large Russian cybercrime group was likely to blame and that they had placed malware on company computers and on the MICROS customer support portal to steal usernames and passwords. Many experts also believe the hackers were probably able to plant malware in the MICROS point-of-sale systems and that they could be responsible for major data breaches at retailers around the country.
September 2, 2016: The popular file-hosting service was forced to confront a data breach from four years ago that affected more users than originally believed. In 2012, Dropbox helped a small amount of users secure their accounts after some usernames were stolen. At the end of August 2016, however, it was revealed that more than 68 million Dropbox users had their usernames and passwords compromised in that initial breach. It does not look like the accounts have been illegally accessed at this time, and all Dropbox users who have not reset their passwords since 2012 have been prompted by the company to do so.
September 22, 2016: In what may be the most expansive data breach of all time, Yahoo announced that a hacker had stolen information from a minimum of 500 million accounts in late 2014. The thief, believed to be working on behalf of a foreign government, stole e-mail addresses, passwords, full user names, dates of birth, telephone numbers, and in some cases, security questions and answers. At the time of the breach announcement, Yahoo was still working with law enforcement and the FBI on an investigation.
October 20, 2016: Over 43 million Weebly users were notified about a data breach that happened in February, but was just discovered in October. Stolen data included usernames, passwords, e-mail addresses, and IP information, but Weebly does not believe any type of financial information was stolen because it does not store full credit card numbers on its servers. Hackers were not able to log directly into customer websites because passwords were protected by bcrypt hashing.
National Payment Corporation of India
October 20, 2016: The National Payment Corporation of India (NPCI) was notified by international banks, primarily in the U.S. and China, that some of its customers’ debit cards were being used illegally. Experts believe the breach began with a malware attack that originated at an ATM. The NPCI said that 32 lakh debit cards across 19 Indian banks were compromised, but customers were contacted to change the debit card PINs and customers they couldn’t reach had their cards canceled and were issued new ones.
November 3, 2016: An incorrect security setting on the mobile version of Cisco’s “Professional Careers” website created a privacy hole that exposed the personal information of job-seekers. Discovered by an independent researcher, the security vulnerability made sensitive data available between August and September 2015, and again from July to August 2016. That data included names, addresses, e-mails, phone numbers, usernames, passwords, answers to security questions, resumes, cover letters, and voluntary information such as gender, race, veteran status, and disability.
At this time, there is no evidence that any other parties accessed the job-seekers’ information, other than the independent researcher. Cisco did say, however, that “there was an instance of unexplained, anomalous connection to the server during that time, so we are taking precautionary steps.” Those steps include alerting all Cisco job-seekers to the breach, requiring all users to reset their passwords, and offering to put 90-day fraud alerts on accounts for interested users.
November 13, 2016: AdultFriendFinder, an X-rated website, was targeted by hackers for the second time in two years. This time, though, the amount of accounts compromised was immense — approximately 412 million users had personal information stolen and published in online criminal marketplaces. The breached data included e-mail addresses, passwords, VIP member status, browser info, last IP address to log in, and purchases. LeakedSource is responsible for finding and reporting the breach to the public; AdultFriendFinder has only admitted to finding a vulnerability and has not confirmed the attack yet.
San Francisco Municipal Transportation Agency
November 25, 2016: San Francisco’s public railway system, known as Muni, was infected with malware over the Thanksgiving weekend; this resulted in locked kiosks and computers and two days of free rides for passengers until the system went back online on Sunday, November 27. Fortune reached out to the hackers, who said the attack was not targeted — it was an automated attack, also known as a “spray and pray.” In this type of attack, an automated system sends links to malware out to many prospective victims; an IT admin at the transportation agency allegedly clicked on the link and unknowingly downloaded the malware files.
The hackers claim to have 30GB of stolen data, which includes the personal information of employees and riders. They want the agency to fix its vulnerable systems and pay a ransom of 100 Bitcoins, or about $73,000 — if their demands aren’t met, they say they will release all of the personal information. The agency’s systems are back online, but as of now, it does not appear that they have paid the hackers.
December 14, 2016: Less than three months after announcing a 2014 data breach that affected 500 million users, Yahoo did it again — and even bigger than before. In December, the company discovered another breach from 2013 that may have compromised the personal information of one billion Yahoo accounts, making it the largest data breach in history. At the time of the breach announcement, Yahoo did not have much additional information to share with the public, as it was still unclear who was responsible, how they got into the system, and what they stole.
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013