Data breaches can be a terrifying event for any company. The bad news is that no organization large or small is immune to a breach. In fact, bigger organizations have more to lose—a fact that has been proven all too frequently over the past few years.
2015 saw more than its fair share of massive data breaches that affected millions. According tostatistics from the Identity Theft Resource Center, there were 177,866,236 records confirmed stolen across 780 recorded data breaches in 2015 alone.What were these breaches, who did they affect, and how can similar breaches be avoided in the future?
Here’s a brief analysis of #10-6 of the biggest data breaches of 2015:
10: Systema Software
- Breach Size: 1.5 million records
- Breach Source: Unauthorized access of Systema’s data storage system
According to modernhealthcare.com reports after the breach, “a Texas-based techie named Chris Vickery reported the exposed records and turned over to authorities the hard drive on which the records from Systema Software were recorded.”
Although the breach involved more than 1.5 million records, the individual behind the breach turned over the hard drive containing the records and no fraudulent activity was reported as a result of the breach.
9: Medical Informatics Engineering (MIE)
- Breach Size: 3.9 million records
- Breach Source: External breach of company systems
As noted on hipaajournal.com, the breaching “attack triggered the company’s network monitoring alarms at 5am on May 26, when an unusually high load was identified on the company’s servers. The subsequent investigation established that access was gained to the company’s server on May 7, 2015.”
The first notifications started going out to MIE’s healthcare organization clients on July 2—more than a full month after the breach was detected. Patients didn’t receive notice letters until July 17.
This breach has resulted in a class action lawsuit being filed against the company. According to the hipaajournal.com article, “if successful, the lawsuit is likely to result in a total award of damages in excess of $5 million before interest and legal costs.”
8: UCLA Health
- Breach Size: 4.5 million records
- Breach Source: External attack
In an LA Times article posted after the attack, there were many problems revealed about this particular breach that may have increased its severity:
- UCLA Health “hadn’t taken the basic step of encrypting this patient data”
- “the unauthorized access could have begun in September 2014” but it wasn’t until May 5, 2015 that “investigators determined that the hackers had gained access to parts of UCLA Health’s computer network where patient data was stored”
- Stolen data included “names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information such as patient diagnoses and procedures”
- The stolen data dates back as far as 1990.
While no financial or credit card information was taken, the wealth of other data accessed by hackers over the course of the breach could allow for fraudulent activity with a massive cost to UCLA Health’s patients.
- Breach Size: 4.6 million records
- Breach Source: External attack
An article from Fortune highlights that the Scottrade breach took a long time to come to light. In the article, Scottrade representatives stated that, “based on our investigation and information provided by federal authorities, we believe the illegal activity involving our network occurred between late 2013 and early 2014, and targeted client names and street addresses.”
Despite the attack targeting less sensitive information, Scottrade took a precautionary stance and offered affected customers identity theft protection services.
6: The Georgia Secretary of State
- Breach Size: 6 million records
- Breach Source: Accidental transmission to unauthorized persons
In Georgia, there is a document known as the “State Download File” that lists the name, address, race, and gender of every registered voter in the state. This document is mailed on physical disc media to organizations such as newspapers and political parties. Normally, this disc only contains publically-available information.
However, according to sources such as atlantamagazine.com, “the October mailing was sent out with voters’ birthdates, driver’s license numbers, and social security numbers included. In theory, a recipient could have stolen the identities of approximately 6.1 million voters because of a lack of security measures.”
This accidental mailing of highly sensitive information has been affectionately tagged as the #PeachBreach by news outlets.
Fortunately, it was reported that the Georgia Secretary of the State’s office “would retrieve each CD and collect a signed affidavit from each recipient to ensure no copies were made” and that there were only “12 recipients of the Statewide Download File.”
However, despite terminating the employee found responsible for the breach, offering free credit monitoring to all of Georgia’s voters, and receiving personal assurances from disc recipients that no sensitive data was copied or transmitted, there were lawsuits filed against the office. These lawsuits were later dropped.
Data breaches 5-1 will be covered in a future post.