2015 data breach round up
There have been a number of high profile data breaches during 2015, particularly in the healthcare sector, but also some significant breaches in other sectors that we felt were worth a mention in this year’s data breach round up.
While reported breaches are down by 2.5% YoY, it is clear from the variety of organizations featured in this year’s round up that no industry is safe from data breaches.
Anthem and Primera
Anthem didn’t have a good start to 2015, with a massive breach of nearly 80 million records being reported in January – and they remain as the largest reported data breach of the year to date.
Anthem were victims of what they described as a ‘very sophisticated external cyberattack’. It was later revealed that the compromised data was not encrypted at rest, and that Anthem did not store data in separate databases that could be locked if an attack occurred.
Primera also announced a breach affecting 11 million records in January, with names, dates of birth, addresses, telephone numbers, email addresses, Social Security numbers, member identification number, medical claims information and financial information all being accessed.
It turned out that the breach occurred on the same day as Anthem, leading some data security specialists to believe that the breaches were the work of the same individuals. These combined breaches resulted in the largest theft of medical records ever reported.
The size of the Uber breach wasn’t particularly significant, with a reported 50,000 Uber drivers affected; however, the length of time it took the company to discover the breach before making the official announcement in February this year is rather alarming.
The breach took place in May 2014, was discovered in September 2014, and still took another 6 months for Uber to make the information public. Data compromised was reported to be names and driver’s licences of Uber’s driver base.
The ensuing court case has been an interesting one too. Uber have been investigating a possible connection between the hacker and the technology chief of a rival company, Lyft, after it was alleged that the data was accessed via a Comcast IP associated with him.
U.S. Office of Personnel Management
In June, the Office of Personnel Management announced the largest known cyberattack to occur on a federal network, with the security breach reportedly compromising the records of an estimated 22 million people. The attack is thought to be linked to the earlier Anthem and Primera hacks.
UCLA Health System
Information such as social security numbers, medical records, ID numbers, and more were stolen – and worst of all, it was all unencrypted. The breach took place in 2014, but wasn’t detected until some time in 2015, with the official announcement being made in July. 4.5 million records were exposed.
Ashley Madison, a social networking site for men and women looking to date outside of their committed relationships, had 37 million records breached in July. This was a business that was proud of its ability to enable discreet encounters between married individuals, with a claim that all identities are kept secret, however the breach revealed this was not the case.
Stolen records included profiles containing their customers’ secret sexual fantasies, credit card transactions, real names and addresses, employee documents, and emails, making these records incredibly valuable to blackmailers.
It has been recently reported that blackmailers have begun sending letters to users of the Ashley Madison dating site, threatening to reveal their membership to friends and family.
Experian learned in September that an unauthorized party accessed T-Mobile data housed in a server, affecting approximately 15 million records. Records containing a name, address, Social Security number, date of birth, identification number and additional information were all compromised.
The CEO of T-Mobile was said to be livid about the breach, which affected customers who were credit checked by Experian over a two year period.
The IRS announced in May that thieves accessed 114,000 tax accounts through the IRS “Get Transcript” application, a program to acquire information about tax returns. However, three months later, the IRS stated that the attack had compromised a further 220,000 tax accounts, bringing the total number of victims up to 334,000 – three times the original amount they’d originally reported.
One of the most bizarre data breaches of the year occurred at the end of November, where toy manufacturer V-Tech disclosed that 4.9 million parent accounts were accessed by hackers, as well as nearly 6.4 million children’s profiles making it one of the largest attacks targeting children.
Of the information that was compromised, parent account information included name, mailing address, email address, IP address, download history and account credentials. Children’s profiles only include name, gender and birthdate, according to V-Tech.
The alleged hacker behind the breach stated: “nothing will be done with the information, apart from it being used to reveal the company’s weaknesses”. A 21 year old man from the UK has been arrested in connection with the hack.