Posted by: adelvecchio
Guest post by Rick Kam, CIPP/US, president and co-founder, ID Experts
There’s no sugarcoating the fact that 2015 was a dizzying year for data breaches, and disastrous for many organizations and consumers. In the first half of the year alone, Gemalto NV found that 888 disclosed security incidents compromised nearly 246 million records worldwide.
There were certainly trends in data breaches this year, including the rising sophistication of hackers, the ever-increasing threat of massive state-sponsored attacks, and the continuing prevalence of large breaches in the healthcare industry. In fact, the average healthcare breach through mid-2015 was 200% larger than in the first half of 2014.
With those trends in mind, let’s take a look back at the 10 biggest and baddest breaches of 2015 — and then see what consumers and security professionals can do to make 2016 a safer and more secure year.
The five biggest breaches of 2015
The following incidents were the five biggest breaches of the year in the U.S., based on number of records compromised.
1. Anthem, 80 million
Health insurer Anthem Inc. revealed in February 2015 that hackers, likely from China, had accessed a database that included encrypted and unencrypted data on patients and employees. According to the Huffington Post, it was the fifth-largest breach of all time.
2. Ashley Madison, 37 million
A hacking group known as Impact Team stole private information on 37 million people who use the Ashley Madison website, which encourages users to cheat on their partners. The hackers are threatening to reveal customers’ personal data unless the website shuts down, which it has yet to do.
3. U.S. Office of Personnel Management, 21.5 million
The U.S. Office of Personnel Management suffered two unrelated breaches in 2015. The larger one affected more than 21 million current and past federal workers. Again, the breaches of the government agency are believed to have originated in China.
4. Experian, 15 million
Experian Information Solutions, Inc., the world’s largest consumer credit monitoring firm, suffered its second massive breach in 2015. The breach exposed the sensitive personal data of about 15 million T-Mobile customers who underwent credit checks by Experian. An earlier attack on an Experian subsidiary exposed the Social Security numbers of 200 million U.S. citizens.
5. Premera Blue Cross, 11 million
The records exposed in Premera’s breach may have been more sensitive than those leaked in the far larger Anthem breach, including Social Security numbers and financial information of subscribers and people who do business with the company.
The five baddest breaches of 2015
Now let’s take a look at the five baddest breaches of the year — an admittedly subjective category that highlights breaches that are especially damaging or disturbing because of factors such as who they targeted, how they were carried out, and their lasting ramifications.
1. LastPass, 7 million
Consumers who take smart steps to protect their online security should be rewarded for it, not punished. That’s the troubling aspect of this breach of a leading password management company: it has further undermined consumer confidence and could lead to unsafe practices. It’s a big problem if consumers stop believing in their ability to achieve digital security and fail to take even basic precautions.
2. Planned Parenthood, 333
While “only” 333 employees were affected by the Planned Parenthood attack, the troubling aspect of this breach is that it was done not to achieve financial gain but to pursue ideological agendas and blackmail affected individuals.
3. Securus Technologies, thousands
Prison phone company Securus Technologies, Inc. had 70 million call records hacked, involving thousands of prisoners across 37 states. The ugliest part? Many of those recorded calls appear to have violated prisoners’ constitutional rights because they involved confidential conversations between prisoners and their attorneys.
4. IRS, 333,000
Hackers accessed extremely sensitive information through past tax returns, including Social Security data and financial details. The total cost to taxpayers in fraudulent claims was about $50 million before the IRS noticed the breach.
5. Harvard University, eight schools and offices
Harvard University joined a long list of other universities to suffer a data breach in 2015. Education is being hit hard, accounting for 6% of all data breaches — slightly more than the retail industry — in the first half of the year. Budgets are tight in the education sector, but breaches at the most esteemed U.S. universities are a reminder that security must be prioritized to protect students and employees.
What can we learn from the big and the bad?
Want even more bad news? These lists include only U.S. breaches. Two of the largest breaches of 2015 — 50 million records breached at a Turkish agency and 20 million at Russian dating site Topface — occurred outside the U.S.
Here are a few takeaways that all organizations — big and small — can put into practice now and in 2016:
- Beware of all sources of attacks. The largest two breaches were state-sponsored attacks, but Gemalto found that type of attack accounted for just 2% of all the data breach incidents in the first half of 2015. The biggest culprit over those six months? Malicious outsiders, which accounted for 62% of total breaches and nearly half of all records taken.
- Brace yourself, especially in healthcare and government. According to Gemalto, the healthcare and government sectors accounted for about two-thirds of all compromised data records in the first half of the year.
- Encrypt. The data stolen from LastPass was heavily encrypted, a protection that may limit the damage done. At the very least, organizations should follow LastPass’ example and encrypt sensitive data.
- Learn from mistakes. One breach is bad enough. If an organization suffers a second large attack, as did Experian, the damage to its reputation will grow exponentially.
- Heed the warnings. According to the Seattle Times, Premera Blue Cross was warned three weeks before its data breach began that it lacked sufficient network security procedures. Ironically, the warning was issued following an audit by the U.S. Office of Personnel Management — which suffered an even larger breach. Premera argued that the vulnerabilities found in the audit may not have been the ones exploited by the hackers. But the point remains: Take any warning seriously, and act as quickly as possible to upgrade your security measures.