Data breaches are on a record pace this year, both in the number of breaches and records exposed, according to the San Diego-based Identity Theft Resource Center.

The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, driver's license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure.

The ITRC 2015 Breach Report is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. Some breaches do not have reported statistics yet or remain unconfirmed.

In 2014, the number of U.S. data breaches tracked by the ITRC hit a record high of 783, with 85,611,528 confirmed records exposed. So far this year, as of June 30, the number of breaches captured on the ITRC Breach Report totals 400 incidents with 117,576,693 confirmed records at risk.

So far this year, the five industry sectors broken down by the ITRC based on the number of breaches are: Business (40.3%), Medical/Healthcare (35%), Banking/Credit/Financial (10%), Educational (7.7%) and Government/Military (7.3%).

Based on the number of confirmed records, the industry breakdown is as follows: Medical/Healthcare (100,926,229), Government/Military (15,391,057), Educational (724,318), Banking/Credit/Financial (408,377) and Business (126,712).

The ITRC also reported a significant jump of about 85% in the number of breaches in the Banking/Credit/Financial sector compared to the same period last year. The biggest credit union breach so far this year took place at the $308 million, Winston-Salem, N.C.-based Piedmont Advantage Credit Union, which notified its 46,000 members in early March that one of its laptops containing personal information, including Social Security numbers, was missing.

What follows are the worst breaches of 2015 so far, based on the confirmed number of records exposed:

10 worst data breaches1. 78.8 million records: In February at the Indianapolis, Ind.-based health insurer Anthem Inc., hackers obtained access to a corporate database reportedly containing personal information of current and former U.S. customers and employees. “Anthem was the target of a very sophisticated external cyberattack,” Joseph R. Swedish, president/CEO of Anthem Inc., said. A FAQ related to the breach reported attackers gained unauthorized access to Anthem's IT system and obtained personal information from current and former members, such as their names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses and employment information, including income data.

10 worst data breaches anthem2. 11 million records: The Mountlake Terrace, Wash.-based Premera Blue Cross disclosed that an intrusion into its network might have resulted in the breach of financial and medical records. It indicated that state-sponsored espionage groups based in China might have been the culprits. In a statement posted on its website about the breach, the company said it learned about the attack on Jan. 29, 2015. However, its investigation revealed that the initial attack occurred on May 5, 2014. “This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and our affiliate brands Vivacity and Connexion Insurance Solutions, Inc.,” the company said.

10 worst data breaches3. 10 million records: In June, a DHA statement blamed Chinese hackers for a breach that captured identifying information belonging to the Office of Personnel Management. While investigating the cyberattack on the information of about four million federal employees, officials discovered “a separate intrusion into OPM systems that may have compromised information related to the background investigations of current, former and prospective federal government employees, and other individuals for whom a federal background investigation was conducted.” Reports from Bloomberg and the Associated Press said hackers tapped into as many as 14 million personal records, a number OPM would not confirm, citing its continuing inquiry.

10 worst data breaches4. 1.1 million records: In May, CareFirst BlueCross BlueShield announced a cyberattack on its system that compromised past and current CareFirst members across the Mid-Atlantic region, where CareFirst is the largest payer, according to Reuters. The compromised information included individual member usernames for CareFirst's website, names, birth dates, emails and member identification numbers. The hackers did not acquire Social Security numbers, medical claims, or employment, credit card or financial information. Mandiant, a cybersecurity firm CareFirst hired to conduct a review, believes the attack occurred in June 2014. The cyberattack appears to be a one-time breach.

5. 912,906 records: The Georgia Department of Community Health reported two separate incidents on March 2, 2015.

10 worst data breaches6. 364,012 records: On March 2, 2015, Auburn University in Auburn, Ala. became aware of the unintentional availability of personal information belonging to certain current, former and prospective students beginning in September 2014. Auburn University corrected the issue and retained independent forensics experts to identify the scope of the disclosures.

10 worst data breaches morgan stanley7. 350,000 records: In January, the New York City-based Morgan Stanley fired an employee who allegedly stole and posted data, including account numbers, belonging to as many as 350,000 wealth management customers. The bank alerted law enforcement and found no evidence that customers lost any money, and said it detected account information for about 900 clients on an external website and “promptly” removed it. A hacking attack against JPMorgan Chase & Co. last year compromised personal information belonging to about 76 million households.

10 worst data breaches8. 306,789 records: In May, the South Bend, Ind.-based Beacon Health System notified the media and affected patients that it was the subject of a sophisticated phishing attack. It said there was no confirmation of any real or attempted misuse of personal or protected health information. Beacon reported that unauthorized individuals gained access to Beacon employee email boxes, which contained the personal and protected health information of some individuals, including patients.

10 worst data breaches9. 200,000 records: In April, the Florida Department of Economic Opportunity in Jacksonville reported one of its employees managed to access the Florida Department of Children and Families' Florida ACCESS system. The employee then obtained the names and social security numbers of more than 200,000 people in the DCF system.

10 worst data breaches10. 160,000 records: In January, Metropolitan State University in St. Paul, Minn. learned of a computer security intrusion and a likely data breach. The school investigated the scope of what appeared to be unauthorized access to a university server that contained personal information belonging to faculty, staff and students. Updated reports disclosed that an Australian teenager hacked the info via an SQL injection. The hacker may have accessed data belonging to past and present students in December 2014. The school said this data included names, birth dates, contact information, grades and partial Social Security numbers.

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).