Biggest U.S. Data Breaches
It might seem like good news that data breaches in the banking/financial/credit category fell by almost 40% in 2016, but incidents overall set a record within an information world very interconnected.
There were more than 980 U.S. data breaches in 2016, which reportedly exposed the personally identifiable information of more than 35 million individuals, according to San Diego-based Identity Theft Resource Center. That does not include the estimated 1.5 billion records exposed in two Yahoo breaches, which are hard to ignore.
The ITRC defines a data breach as an incident that puts PII at risk because of exposure. For some listed 2016 breaches, the estimated records were not yet reported or unconfirmed, or just became public last year.
According to the ITRC, the five breached industry sectors in 2016 break down this way: Medical/Healthcare (15.4 million records, about 44%), Government/Military (13.1 million, 37%), Business (5.6 million 16%), Educational (1 million records, 3%) and Banking/Credit/Financial (72,000 records, .2%).
The biggest reported credit union breach involved a website hack that exposed some 2,200 records at the $20.1 million, Pittsfield, Mass.-based Credit Union of the Berkshires in January.
Breaches touch credit unions indirectly too. In June, Dublin, Ohio-based fast food chain Wendy's confirmed a customer payment-card data breach at 1,025 of its restaurants nationwide dating back to the fall 2015. The Michigan Credit Union League, its members, NAFCU and CUNA advocated for stronger merchants and card network accountability after the Wendy's breach forced several credit unions to cover associated costs.
Industry experts foresee other looming threats. “We see the next set of breaches occurring with card-not-present transactions and account-takeover fraud. These are the two big holes credit unions are going to have to fill in 2017,” Lois Hansen, vice president, product development, for Rancho Cucamonga, Calif.-based fintech/payments company CO-OP Financial Services, said. She suggested the industry must also deal with the tremendous loss due to false positives. “Retail fraud adds up to about $11 billion per year, but transaction declines on legitimate card purchases totals about $120 billion per year.”
Jack Lynch, chief risk officer for St. Petersburg, Fla.-based payments CUSO PSCU, held, “We’ve addressed almost three million in actual account breaches and we’re not seeing any slowdown in what's going on in the card side.”
Lynch maintained even though the shift to EMV is well over 85% complete now, there are still plenty of vulnerable merchants. In addition, with card skimming continuing to be out of control, the MasterCard and Visa shift of the EMV liability at the fuel pump from 2017 to 2020 creates an additional fraud-concern period for credit unions.
Then there is the continual maturing of cybercriminal tools across the board, Gene Fredriksen, vice president/CISO for PSCU suggested, “The criminals are finding out phishing, social engineering, those kinds of things, are just as effective. Phishing is how criminals are getting information for some of the account takeover attacks,” Fredriksen noted.
These are the biggest 2015 U.S. data breaches, based on confirmed, exposed PII records.
1. Yahoo: 1.5 Billion Records
In September, Yahoo confirmed the theft of account information including names, passwords, birthdays, and email addresses, of at least 500 million users in 2014 by what it believed was a state-sponsored actor.
Then in December the Sunnyvale, Calif. web information company, said a separate data breach, which occurred in 2013, involved personal information associated with more than one billion user accounts. Yahoo said an unauthorized third party stole that data.
2. Office of Child Support Enforcement: 5 Million Records
Burglars broke into the Office of Child Support Enforcement in Olympia, Wash., and swiped hard drives, which may have contained up to five million names and Social Security numbers, and a personal laptop, according to an Associated Press account. The reporting of the February incident did not occur until late March, prompting Congress members to question the breach response actions taken by the Department of Health and Human Services.
3. Banner Health: 3.6 Million Records
On July 7, the Phoenix-based company discovered hackers may have accessed computer systems that process payment-card data at food and beverage locations at some Banner Health facilities. This potentially exposed names, card numbers, expiration dates and verification codes between June 23 and July 7, 2016.
4. Newkirk Products 3.5 Million Records
The New York-based provider of ID card and management services, discovered an intrusion on July 6, 2016. The breach exposed the personal information of those covered by Albany, N.Y.-based Capital District Physicians’ Health Plan and Latham, N.Y.-based BlueShield of Northeastern New York, as well as about a dozen other organizations. The exposed information included names, mailing addresses, plan types, subscribers, group ID numbers, and covered dependents names.
5. Washington Department of Fishing & Wildlife: 2.4 Million Records*
A breach in June exposing sensitive customer information in apparent cybervandalism of WDFW's public website. Information exposed included names, birthdates, addresses, driver's license numbers, partial social security numbers, physical characteristics, and some email addresses and/or phone numbers.
*Also: see number 8 and 10.
6. Eddie Bauer: 2.3 Million Records
On July 5, 2016, KrebsOnSecurity reached out to the Bellevue, Wash., -based retailer after hearing from sources who identified a fraud pattern on customer cards at some U.S. locations. In August, Eddie Bauer sent out a letter confirming payment-card information used at one or more of its retail stores may have been accessed without authorization between January 2-July 17,2016.
7. 21st Century Oncology: 2.2 Million Records
A hacker accessed a patient database at the Florida-based medical facility containing patient insurance data and Social Security numbers. While not on the order of breaches at Anthem, Excellus BCBS, or Primera Blue Cross, it does rank as one of the largest healthcare data breaches of 2015. On March 4, 2016, a regulatory filing issued to the Securities and Exchange Commission indicated the breach potentially affected 2.2 million current and former patients.
8. Kentucky Department of Fish & Wildlife: 2.1 Million Records
9. Verizon Enterprise Solutions: 1.5 Million Records
A B2B unit of the telecommunications giant that helps Fortune 500 firms respond to data breaches reeled from its own intrusion involving the theft and resale of customer data, KrebsOnSecurity discovered. In March, an underground cybercrime forum posted advertising for the sale of a database containing the contact information on some 1.5 million Verizon Enterprise customers.
10. Oregon Department of Fish and Wildlife: 1.2 Million Records
On August 24, 2016, an individual self-named “Mr. High” claimed the hacking of four state wildlife sporting licensing sites: Kentucky, Oregon, Washington and Idaho (788,064 records). “I’ll list the exact websites once the security hole is patched and/or it makes the news,” Mr. High said. Ten hours later an update read: “It looks like two of the security holes have been patched. The other two remain open…. but I can see that one of these websites had a minor ‘kiddiot’ not too long ago [June hack of Washington Department of Fishing & Wildlife]. Looks like they didn't take the time to fix a much more serious error.”
Information exposed included: names, birthdates, addresses, driver's license numbers, partial social security numbers, height, weight, and eye color as well as some email addresses and/or phone numbers.