The only good news in regard to 2015 U.S. data breaches was that fewer took place than the year before – by a hair. The bad news was the number of exposed records doubled compared to 2014 figures.

There were 781 data breaches in 2015, which exposed 169,068,506 records containing personally identifiable information, according to the San Diego-based Identity Theft Resource Center. That is just shy of the record-setting 783 incidents, which revealed 85,611,528 records, in 2014.

The ITRC defines a data breach as an incident that puts personal information (such as an individual name plus a Social Security number, driver's license number, or medical or financial record information) at risk because of exposure. For some breaches, statistics were not yet reported or were unconfirmed.

According to the ITRC, the five breached industry sectors in 2015 were: Medical/Healthcare (66.7%), Government/Military (20.2%), Business (9.6%), Banking/Credit/Financial (3%) and Educational (.4%). The number of confirmed records exposed, by industry, was: Medical/Healthcare (112,832,082), Government/Military (34,222,763), Business (16,191,017), Banking/Credit/Financial (5,063,044) and Educational (759,600).

The biggest credit union breach took place at the $308 million, Winston-Salem, N.C.-based Piedmont Advantage Credit Union, which notified its 46,000 members in early March that a laptop containing PII was missing.

Two data breaches were highly talked up in the media, but did not make the 10 biggest list. First, a misconfigured database exposed the information of 191 million registered U.S. voters for more than a week. Independent security researcher Chris Vickery discovered the 300GB database on Dec. 20 and reported it to DataBreaches.net, which keeps track of online security blunders.

Second, a breach of the online affair website Ashley Madison lit up 37 million usernames, passwords, addresses, phone numbers and credit card transactions on the Dark Web. Four NCUA work email addresses were among those compromised.

Following are the biggest 2015 U.S. data breaches, based on confirmed, exposed PII records.

1. Anthem Inc.: 78.8 Million Records

In February at the Indianapolis-based health insurer Anthem Inc., hackers accessed a corporate database. It included a list of current and former U.S. customers and employees, and personal information such as birthdays, medical IDs, Social Security numbers, street and email addresses and employment information, including income data.

2. OPM: 21.5 Million Records

In June and July, the U.S. Office of Personnel Management discovered two separate but related cybersecurity breach incidents, which exposed the personal data of current and former Federal government employees, contractors and others. The OPM blamed the attack on Chinese hackers. Hackers acquired forms submitted by applicants seeking security clearances with the federal government. These 127-page forms contained, among other things, the names of friends, relatives and associates of the applicants as well as financial information.

3. T-Mobile: 15 Million Records

In September, Experian North America discovered an unauthorized party accessed certain servers, exposing Social Security numbers, and other data on people who applied for financing from wireless provider T-Mobile USA. Information included names, addresses, Social Security numbers, birthdates, identification numbers (such as driver's license, military ID or passport numbers) and additional information used in T-Mobile's own credit assessment.

4. Premera Blue Cross: 11 Million Records

The Mountlake Terrace, Wash.-based Premera Blue Cross disclosed an intrusion into its network might have resulted in a breach of financial and medical records. It indicated that state-sponsored espionage groups based in China might have been the culprits. The company said it learned about the attack on Jan. 29, 2015. However, its investigation revealed that the initial attack occurred on May 5, 2014.

5. Excellus Blue Cross Blue Shield: 10 Million Records

In September, the Rochester, N.Y.-based Excellus Blue Cross Blue Shield and a partner company revealed a breach, which stole Social Security numbers and other identifying information, as well as information related to claims members made to pay for medical care.

6. Georgia Secretary of State: Six Million Records

In November, two women filed a class action lawsuit alleging a massive data breach took place within Georgia Secretary of State Brian Kemp's office involving the Social Security numbers and other private information belonging to voters statewide. The suit alleged the unauthorized information, released in October, contained birthdates and driver's license numbers. In response, Kemp's office blamed a “clerical error” and said it did not consider it a breach of its system. It said 12 organizations, including statewide political parties, news media organizations and Georgia GunOwner Magazine received the file.

7. Scottrade: 4.6 Million Records

In October, the St. Louis-based Scottrade said federal law enforcement officials notified the company about crimes involving the theft of information from Scottrade and other financial services companies. It said all client passwords remained encrypted at all times and did not see any indication of fraudulent activity due to the incident. The company said the unauthorized access appeared to have occurred from late 2013 to early 2014.

8. UCLA Health System: 4.5 Million Records

A July cyberattack on UCLA Health System's computer network exposed data containing personal and medical information, including names, addresses, Social Security numbers and medical data, including information related to conditions, medications, procedures and test results.

9. Medical Informatics Engineering: 3.9 Million Records

In May, the technical team at the Fort Wayne, Ind.-based Medical Informatics Engineering discovered suspicious activity on one of its servers. It determined some protected health information had been exposed, including patient names, home and email addresses, birthdates and some Social Security numbers.

10. Amazon Web Services: 1.5 Million Records

A contractor for the Larkspur, Calif.-based Systema Software inadvertently posted insurance claim data and other highly sensitive information on Amazon Web Services. Data exposed included Social Security numbers, insurance claim information, claimant ID numbers, drug test results, details and dates of medical services provided, billing amounts and payment information.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).