U.S. breaches set records for the number of incidents and record exposures in 2017, according to reports from the Providence, R.I.-based CyberScout (formerly IDT911) and San Diego-based Identity Theft Resource Center.
The number of U.S. data breaches for 2017, hit an all-time high and represented a significant jump over 2016. The total number of breaches captured in the 2017 ITRC Breach Report totaled 1,579, an increase of 44.7 percent over 2016′s then record of 1,091. The total number of records exposed hit 178,955,069.
The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) potentially puts people and their personally identifiable information at risk of exposure.
The ITRC 2017 Breach Report is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. Some breaches did not have reported statistics yet or remained unconfirmed. Yet every record represents a life potentially being disrupted or exposed to hackers and cybercriminals.
Broken down by industry category and number of breaches, business tops the list: Business=55.1% (870 breaches); Medical/Healthcare = 23.7% (374); Educational=8% (127); Banking/Credit/Financial=8.5% (134); Government/Military=4.7% (74). Broken down by industry category and number of records, business also tops the list: Business=91.3% (163,449,242 records reported); Government/Military=3.3% (5,903,448); Medical/Healthcare=2.8% (5,062,031); Banking/Credit/Financial=1.7% (3,122,090); Educational=0.8% (1,418,258).
“Data security breaches are occurring with such frequency that they have become embedded in the public consciousness. But the epic lapse at Equifax, affecting more than 145 million consumers, proves more than any other the need for accountability for the people and organizations that handle and retain consumers’ sensitive personal and financial data,” NAFCU President/CEO B. Dan Berger said.
The following are the Top 10 2017 U.S. data breaches, based on confirmed, exposed PII records.
1. Equifax: 145.5 Million Records
Outrage, lawsuits and justifiable anxiety exploded following the disclosure of the Equifax breach, which exposed sensitive information of some 145.5 million Americans including Social Security numbers, birth dates and home addresses. The cybersecurity mess started when hackers took advantage of a flaw in the credit reporting agency software to steal SSNs, birthdates and other personal identifying information. Equifax admitted that hackers accessed certain files from mid-May through July 2017 but waited until Sept. 7 to warn consumers.
This untethered information could come back to haunt credit unions and members in the form of account takeovers, fraudulent charges and other criminal uses involving identity theft.
2. America’s Joblink Alliance: 5.5 Million Records
The Joblink system, used by 10 states, is a standalone system that suffered a systematic breach designed to extract data. The information exposed included the names, SSNs and birthdates of job seekers in Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont. According to AJL, on Feb. 20, 2107, a hacker created a new account, then exploited a vulnerability to access other job seekers’ information. AJL’s technical support said in a statement that it first noticed unusual activity on March 12, and confirmed the breach on March 21.
3. Sonic Drive-In: Five Million Records
On Sept. 29, 2017, a data breach at drive-in food chain Sonic jeopardized the security of payment cards for up to five million customers. The Oklahoma City, Okla.-based fast-food chain confirmed the data breach of credit and debit card numbers as part of a malware attack at some Sonic locations. Brian Krebs, in his blog KrebsOnSecurity, disclosed the breach of Sonic, with nearly 3,600 locations across 45 U.S. states, may have led to a new menu featuring millions of stolen credit and debit card accounts offered by dark web stores. In December, a class action lawsuit filed in an Illinois federal court claimed the restaurant did not protect its customer credit card data, and consequently the data is now up for sale on the black market.
4. Dow Jones & Company: 2.2 to Four Million Records
The UpGuard Cyber Risk Team reported that a cloud-based file repository, configured to permit semi-public access, exposed the sensitive personal and financial details of millions of Dow Jones customers. The exposed data included the names, addresses, account information, email addresses, and last four digits of credit card numbers of millions of subscribers to the company’s publications like The Wall Street Journal and Barron’s. Also exposed in the cloud leak were the details of 1.6 million entries in a suite of databases known as Dow Jones Risk and Compliance, a set of subscription-only corporate intelligence programs used largely by financial institutions for compliance with anti-money laundering regulations. Dow Jones confirmed the breach affected at least 2.2 million customers; UpGuard calculations placed the number closer to four million accounts. 5. Election Systems & Software: 1.8 Million Records
A leading U.S. supplier of voting machines confirmed in mid-August 2017 that it exposed the personal information of more than 1.8 million Illinois residents. Alerts sent to state authorities and the FBI indicated the major data leak exposed names, addresses, dates of birth, partial SSNs and party affiliations of more than a million Chicago residents as well as some driver’s license and state ID numbers.
6. TIO Networks: 1.6 Million Records
In early December, 2017 PayPal Holdings acknowledged a data breach at TIO Networks, a Canadian payment processor acquired in February 2017 for $238 million. PayPal revealed attackers gained access to the personal – and perhaps billing – information of some of its customers and billers. The breach did not affect the PayPal platform. In a press release, PayPal did not specify the information compromised; however, the TIO Networks website indicated SSNs among the PII stolen.
7. Avanti Markets: 1.6 Million Records
The breach at the Tukwila, Wash.-based Avanti Markets not only possibly jeopardized credit card accounts but biometric data as well. Some 1.6 million customers use the Avanti’s company breakroom self-checkout devices, which allow customers to pay for drinks, snacks and other food items with a credit card, fingerprint scan or cash. Avanti said the malware appeared designed to gather certain payment card information including the cardholder’s first and last name, credit/debit card number and expiration date.
8. Schoolzilla: 1.3 Million Records
A California student data warehouse platform, Schoolzilla, first acknowledged the breach on April 12 in a message on its website, which informed customers: “A well-known computer security researcher was doing a targeted analysis of Schoolzilla when he uncovered a file configuration error.” The exposed information included the names, addresses, birth dates and test scores of 14,000 current and former students in the Palo Alto school district and more than a million SSNs of other individuals.
9. Washington State University: 1 Million Records
On April 21, 2017, Washington State University learned about the theft of a locked safe containing a hard drive containing at least some unencrypted information. The school determined the hard drive, used to store backed-up files from a server utilized by its Social & Economic Sciences Research Center, contained some personal information including names and addresses.
10. HealthNow Networks: 918,000 records
Patients who supplied sensitive information to HealthNow Networks, a Boca Raton, Fla.-based telemarketing organization providing medical supplies to seniors, had personal information exposed online for many months. The database contained a range of information including individuals’ names, addresses, email addresses, telephone numbers, dates of birth, SSNs, health insurance information and medical conditions.