It was a bountiful year for hackers who gained unauthorized access to countless corporate and government databases. Here are the online breaches that hauled in the largest amount of personal data -- most of them tallying into the millions.
No. 10: U.S. Internal Revenue Service
Number of people affected: About 334,000
Security experts said it technically wasn’t “hacking” when thieves stole the tax information of 100,000 people through the IRS site. It was a case of weak security: They entered through the IRS’ “Get Transcript” service by answering security questions correctly, using personal information on their victims that had been obtained elsewhere, or simply guessing.
These incidents occurred from February to mid-May and were brought to public attention by the IRS on May 26. The perpetrators’ (who the IRS believed originated in Russia) intent was probably to use the stolen personal data (which included a person’s date of birth, Social Security information, and street address) to commit refund fraud. Upon further review, on August 17, the IRS revised the number of victims of this identity theft to 334,000.
No. 9: Patreon
Number of people affected: 2.3 million
This crowdfunding site, whose niche is enabling artists to raise money from the public to support their creative projects, got its user data dumped onto the Internet for all to see on Oct. 1. Adding insult to injury, this nearly 15GB of data included the source code for the Patreon site. Information pertaining to both artists and their donors was revealed: email addresses, passwords, and private messages exchanged among users through the site. The operator of the online security watch site Have I Been Pwned? found 2.3 million email addresses in this data dump -- including his own.
No. 8: Adult FriendFinder
Number of people affected: 3.9 million
Personal details of the members of this dating site were leaked to a darknet forum: their ages, email addresses, IP addresses, usernames, ZIP codes, and even interest in seeking extramarital affairs, and sexual preference. Channel 4 News of the UK, which broke this news on May 21, tracked down a member of the site whose personal information was exposed. He claimed he had deleted his account before the hack, which, if true, suggests the dating site didn’t remove customer information for closed accounts. Gizmodo found a post on an online forum connected to someone who could be the culprit, who apparently tried to blackmail the company behind Adult FriendFinder for $100,000 over the release of this member information.
No. 7: LastPass
Number of people affected: 4.4 million (low estimate total number of users of the Chrome and Firefox extensions)
The great thing about a good password manager is that it stores your log-in information for web sites at which you’re registered, and can then automatically enter your username and password whenever you visit one of these sites. The bad thing is if someone gains access to your personal information for the password manager itself. That’s what happened to LastPass, which announced on June 15 that it had detected an intrusion on their servers that compromised user emails, password reminders, and other important details -- but which, fortunately, did not include their personal passwords to the LastPass service, or for web sites that LastPass users stored in their LastPass accounts. (Also read, "LastPass drops the ball, but looks good doing it.")
No. 6: Scottrade
Number of people affected: 4.6 million
It was a bull market for hackers who accessed a list of client names and their street addresses from this online brokerage. This intrusion was brought to the attention of Scottrade by the FBI, and was believed to have occurred from late 2013 to early 2014, but the incident was not disclosed to the public until Oct. 1, 2015. Though email addresses, Social Security numbers, and other sensitive customer information were also vulnerable, it was believed none of these were taken, nor were client funds, their passwords, or Scottrade’s trading platforms ever compromised. It was speculated that the hackers wanted the firm’s customer contact details in order to facilitate stock scams.
No. 5: VTech
Number of people affected: more than 11.2 million (total of 4,854,209 parents and 6,368,509 children)
What could be a worse way to introduce children to the importance of web site security than to have their personal information leaked? That’s what happened with the app store for VTech, a maker of tech toys for children. Its security was so bad that a “whitehat” hacker gained access to the company’s customer database on Nov. 14. He extracted files that held names, email addresses, passwords, and street addresses for almost 5 million people who bought VTech products. But it gets worse: This data also contained the first names, birth dates, and genders for more than 6.3 million children linked to these VTech customers (their parents)... and it even included chat messages between children and their parents, “tens of thousands” of headshots (of these children and their parents) and audio captured with VTech devices.
On Dec. 15, a 21-year-old man in Berkshire, England, was arrested in connection with this hack.
No. 4: T-Mobile and Experian
Number of people affected: 15 million
Did you apply for a new contract with, or to finance a phone through, T-Mobile between Sept. 1, 2013 and Sept. 16, 2015? Sorry, but your personal information may have been stolen from a server by someone with unauthorized access to it. This incident was not discovered until Sept. 15, 2015. Applicant names, addresses, date of births, identification numbers (which could be a driver’s license or passport number), and Social Security numbers were taken. All of this data was held by credit reporting agency Experian, so T-Mobile blamed them: T-Mobile CEO John Legere, already known for his outspoken public personality, wrote in a message to his customers that he was “incredibly angry” and would “institute a thorough review of our relationship with Experian.”
No. 3: U.S. Office of Personnel Management
Number of people affected: 25.7 million (total number of two separate breaches)
On June 5, it was reported that personal data on 4 million current and former employees of the U.S. Federal government were stolen from the systems and database of the Office of Personnel Management (OPM), the government agency responsible for handling security clearances. Then a month later, it was reported that a separate intrusion was discovered where records for a staggering 21.5 million people were lifted from the OPM’s background check database, which potentially included Social Security numbers and fingerprint images. As for those fingerprints, the OPM first announced that approximately 1.1 million were taken, but on Sept. 23 this was revised over five-fold to approximately 5.6 million. The hackers were suspected to have originated from China.
No. 2: Ashley Madison
Number of people affected: 32 million
It was reported on July 19 that someone stole the personal information of the members of this infamous dating site, and threatened to release it all unless Ashley Madison and a sister site, Established Men, were shut down permanently. When this demand was not met, on Aug. 18, they dumped 9.7GB of this data onto the dark web. Ashley Madison members’ names, addresses, encrypted passwords, phone numbers, and payment transactions going back to 2008 (that had associated names, email addresses and street addresses) were part of this illicit package. The fallout from this generated many compelling stories throughout the summer, like: Celebrities exposed as members of Ashley Madison; encryption for member passwords being successfully broken; in-depth analyses on how many member accounts belonged to actual women; and theories about who was behind this act.
No. 1: U.S. health insurers
Number of people affected: up to 115.7 million (total number from breaches at five companies)
So many health insurers in the U.S. had their customer databases attacked and swiped in 2015 that we decided to group them all together. Otherwise, if each incident was listed on its own, almost half of this list would have comprised of health insurance companies. In ascending order of number of customers whose personal information was definitely or possibly accessed by hackers: CareFirst (1.1 million), Systema Software (1.5 million), UCLA Health (4.5 million), Premera Blue Cross (11 million) and Anthem (97.6 million). Systema Software wasn’t a health insurer, but a company that manages insurance claims whose database wound up, unsecured, on an Amazon Web Services subdomain. By itself, the attack on Anthem’s systems still comes out as the No. 1 personal data breach of 2015. Its tally of exposed personal information also possibly includes people who are not Anthem customers, but are customers of other companies that share the same insurance network as Anthem.
Wen is a freelance writer. He can be reached at howardwen@gmail.com.
This story, "Top 10 breaches of personal data in 2015" was originally published by Network World.