by Elliot Maras
18 December 2015 (TSR-Hacked) – This year will go down as the year of the personal data breach. Consumers all over the world are learning their personal information is not safe with businesses, health insurers, financial institutions, the government, and even the educational sphere. Estimates of the number of personal records exposed in 2015 range from 176 million to more than 193 million from about 730 breaches.
Research indicates hackers are concentrating on medical and health care sectors that store patient data that cannot be replicated like credit card data.
The Identity Theft Resource Center (ITRC) data breach report tracks seven types of data losses: hacking, data on the move, insider theft, employee error and negligence, Internet exposure, -physical theft and accident. The research tracks four types of information stolen: protected health information, Social Security numbers, email/passwords-user names and credit/debit card numbers.
According to San Diego, Calif.-based ITRC, health care accounted for 68.1% of all breaches, followed by government/military, 19.4%, business, 9.2%, banking/credit/financial, 2.9%, and educational, 0.4%.
The full extent of the personal information exposed is unknown, as the number of records compromised was not reported in many cases, the ITRC report notes.
Health Care Leads All Sectors In Exposed Data
In the health care sector, leading the list in terms of records lost was Anthem customers with 78.8 million; followed by Premera Blue Cross of Washington State, 11 million; Excellus Blue Cross/Blue Shield/Lifetime Healthcare, 10 million; Anthem Inc. – Blue Cross Blue Shield of Indiana, 8.8 million; UCLA Health, 4.2 million; Medical Informatics Engineering/NoMoreClipbo, 3.9 million; CareFirst BlueCross Blue Shield of Maryland, 1.1 million; and Empi Inc/DJO LLC of Minnesota, 160,000.
In the government/military sector, the Office of Personnel Management #2 lost 21.5 million records; followed by Office of Personnel Management in Washington, D.C., 4.2 million; and Georgia Secretary of State, 6 million.
In the business category, T-Mobile/Experian had 15 million records breached, followed by Vtech with 5 million; Missing Links Networks Inc./eCellar of California, 250,000; SterlingBackcheck, 100,000; Web.com, 93,000; Alfa Specialty Insurance Corp./Alfa Vision Insu, 86,000; Firekeepers Casino in Michigan, 85,000; We End Violence/California State Universities, 79,000; Securus Technologies in Texas, 63,000; Sally Beauty Holdings, Inc. of Texas, 62.210; Service Systems Associates/Zoos of Colorado, 60,000; Blue Sky Casino/French Lick Resort of Indiana, 54,624; Uber, 50,000; Autozone, 49,967; Nobel House Hotel and Resorts – The Commons in Washington State, 19,472.
(The Ashley Madison breach, which exposed an estimated 37 million accounts, was not included in the ITRC report.)
In the banking/credit/financial sector, Scottrade had 4.6 million records exposed, followed by Morgan Stanley, 350,000; Piedmont Advantage Credit Union, 46,000; and E*trade , 31,000.
In the education sector, Auburn University in Alabama topped the list with 364,012 records breached, followed by Metropolitan State University in Minnesota, 160,000; and Career Education Corp. in Illinois, 151,6626.
Seven Top Breaches
10Fold, a San Francisco, Calif.-based B2B technology public relations firm, reviewed the ITRC data breach report and some additional information. 10Fold analyzed 720 data breaches and compiled a review of what it considers the top seven breaches.
The top seven breaches compromised more than 5 million records. Following is a summary of these seven.
The Anthem breach of 78.8 million patient records in early 2015 marked the largest breach in history. By the end of February, Anthem reported the breach impacted an additional 8.8 to 18.8
million non-patient records, including names, Social Security numbers, birth dates, employment data and addresses.
The breach began a series of health care hacks, including Prermera Blue Cross, UCLA Health Systems, CareFirst BlueCross BlueShield and Excellus BlueCross BlueShield.
Excellus BlueCross Blue Shield
The attack on the health insurer began in December of 2013 following a series of attacks that took place earlier that year. The breach compromised personal information of more than 10 million members and leaves members vulnerable to identity theft and fraud. The information stolen included birth dates, Social Security numbers, names, member ID numbers, claims information and financial account information.
Premera Blue Cross
The health insurer discovered the attack affecting 11 million members in January of this year after it began in May of 2014. Investigators found the attackers infiltrated the information technology system, enabling them to gain access to personal information of members and applicants, including Social Security numbers, member identification numbers, birth dates and bank account information. Members included Microsoft, Starbucks and Amazon employees.
VTech, the maker of tablets and gadgets for children, had kids’ and parents’ information compromised by the breach of the Kid Connect and Learning Lodge app store customer database. The breach affected 6.4 million kids and 4.9 million parent accounts globally and marked the first attack to directly target children. It exposed personal ID information like passwords, download history, IP addresses, names, and children’s birth dates and genders.
Attackers breached a server in a North American Experian/T-Mobile business unit containing personal ID information of about 15 million T-Mobile customers. The information included birth dates, names, Social Security numbers and alternate IDs like driver’s license numbers. One cause of the breach was that T-Mobile shared customer information with Experian to process credit card checks for device or service financing.
When customers share information with a business, the personal data is not always protected.
Office of Personnel Management
The attack affected 19.7 million individuals who applied for security clearances, plus 1.8 million relatives and other government personnel associates and 3.6 million former and current employees. The compromised data included 5.6 million fingerprint records that belong to background check applicants.
The breach alarmed intelligence officials about the theft of data on government forms submitted for security clearances. These applicants shared information about themselves, including health history and prior relationships. Hackers that gain access to information about employees with security clearances can cause irreparable damage to users’ privacy.
A hacker group called The Impact Team accessed the website’s user database, including financial and proprietary information of 37 million users. The hackers released a manifesto noting the “full delete” feature on the Ashley Madison website was false and that the company did not remove the personally identifiable customer information for those who wanted it deleted.
The statement instructed Avid Live Media (ALM), the parent company, to permanently delete the forums or all customer information would be released. The hackers released the customer information records two months later since ALM opted to keep the website running.