The total reported breaches captured in the San Diego-based Identity Theft Resource Center 2016 Breach Report hit 500 as of mid-year, about 20% higher than last year’s record pace for the same period.
The sum of reported records exposed, as of June 28, totaled 12,777,337. However, that only tells part of the story. CEO spear phishing breaches continued to represent nearly one-third of the total breaches reported, according to the ITRC.
In April, the FBI warned about a dramatic increase in so-called CEO fraud email scams in which the attacker spoofs a CEO message and dupes someone at the organization into wiring funds to the fraudsters. The FBI estimated these scams cost organizations more than $2.3 billion in losses over the past three years.
Year-over-year, breaches in the education sector were up 70% over 2015 figures, followed by the business sector up 36.7%, and the medical/healthcare field up 18%. The government/military sector continues to show a decline from last year’s figures, down 6.7%, with the banking/financial/credit category down 65%.
The five industry sectors broke down as follows:
- Business = 46.4%
- Medical/Healthcare = 33.5%
- Educational = 11.4%
- Government/Military = 5.8%
- Banking/Credit/Financial = 3%
The ITRC defined a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) was potentially put at risk because of exposure.
The ITRC 2016 Breach Report is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. Some breaches did not have reported statistics yet or remained unconfirmed.
Following are the biggest 2016 U.S. data breaches, based on confirmed, exposed personally identifiable information records.
1. Office of Child Support Enforcement: 5 Million Records
Hard drives and a personal laptop, possibly containing millions of SSNs, were taken from a federal building in Washington State in February. However, the breach wasn’t reported until late March, prompting Congress to question the breach response actions taken by the U.S. Department of Health and Human Services.
2. 21st Century Oncology: 2.2 Million Records
In October 2015, a hacker gained access to a patient database in Florida containing insurance data and SSNs of patients. While the incident was not of the magnitude of the Anthem, Excellus BCBS or Premera Blue Cross breaches, it did rank as one of the largest healthcare data breaches of 2015. On March 4, 2016, a regulatory filing with the Securities and Exchange Commission indicated that 2.2 million current and former patients potentially had their data copied and stolen.
3. Verizon Enterprise Solutions: 1.4 Million Records
The New Jersey-based B2B unit of the telecommunications giant Verizon, which often helps other companies respond to large data breaches, had to investigate a breach of its own involving the theft and resale of customer data. KrebsOnSecurity reported that a prominent member of a closely guarded underground cybercrime forum had posted a thread advertising the sale of a database containing the contact information of Verizon Enterprise customers.
4. Centene: 950,000 Records
The St. Louis-based payer misplaced six hard drives containing information of individuals who received laboratory services from 2009 to 2015, including names, addresses, birth dates, SSNs, member ID numbers, and health information. There was no financial or payment information stored on the hard drives, according to Centene.
5. Kroger / Equifax: 431,000 Records
Identity thieves stole tax and salary data from credit bureau Equifax Inc., according to a letter that grocery giant Kroger sent to all current and some former employees. The nation’s largest grocery chain by revenue is one of several Equifax customers similarly victimized this year. According to the letter dated May 5, thieves were able to access W-2 data simply by entering the default PIN assigned to Kroger employees at Equifax’s online portal, which was nothing more than the last four digits of the employee’s SSN followed by his or her four-digit birth year. Both values are routinely available to identity thieves from earlier breaches, so the default PIN offered little more protection than no PIN at all.
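To make the weakness concrete, the following is an added illustration written for this article; it is not code from Equifax, Kroger or the ITRC. It models the PII-derived default PIN the letter describes, shows how few guesses an attacker who already holds the SSN fragment needs, and contrasts two mitigations: a per-account attempt lockout and a random, out-of-band initial PIN combined with a policy check that rejects PII-derived PINs. The `Portal` class, the attempt limit, the birth-year range and the sample employee values are all assumptions for the demonstration.

```python
"""Model of the weak default-PIN scheme described in the Kroger/Equifax item,
plus two mitigations. Added example for this article; not vendor code.
All names, limits and sample values are hypothetical."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Employee:
    emp_id: str
    ssn_last4: str      # constructed sample value, not real data
    birth_year: int     # constructed sample value, not real data


def pii_default_pin(emp: Employee) -> str:
    """The scheme the article describes: last four of SSN + four-digit birth year."""
    return f"{emp.ssn_last4}{emp.birth_year}"


def is_pii_derived(pin: str, emp: Employee) -> bool:
    """Policy check: refuse any PIN that embeds the SSN fragment or birth year."""
    return emp.ssn_last4 in pin or str(emp.birth_year) in pin


def random_temp_pin(n_digits: int = 8) -> str:
    """Random initial PIN, to be delivered out-of-band and changed on first use."""
    return "".join(secrets.choice("0123456789") for _ in range(n_digits))


@dataclass
class Portal:
    """Hypothetical W-2 portal: a PIN per employee and an optional lockout."""
    pins: dict                                   # emp_id -> current PIN
    max_attempts: int = 5                        # failed attempts before lockout
    failures: dict = field(default_factory=dict)

    def login(self, emp_id: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if self.failures.get(emp_id, 0) >= self.max_attempts:
            return "locked"
        if secrets.compare_digest(self.pins[emp_id], pin):
            self.failures[emp_id] = 0
            return "ok"
        self.failures[emp_id] = self.failures.get(emp_id, 0) + 1
        return "denied"


def enumerate_birth_years(portal: Portal, emp_id: str, ssn_last4: str,
                          years=range(1930, 2001)):
    """Attacker who already holds the victim's SSN last four (common in breach
    dumps) only has to guess the birth year. Returns (pin, attempts) on success
    or (None, attempts) if the account locks or the range is exhausted."""
    attempts = 0
    for year in years:
        attempts += 1
        result = portal.login(emp_id, f"{ssn_last4}{year}")
        if result == "ok":
            return f"{ssn_last4}{year}", attempts
        if result == "locked":
            break
    return None, attempts


if __name__ == "__main__":
    victim = Employee("e1001", "1234", 1975)
    # No lockout: the whole birth-year range can be tried.
    open_portal = Portal({victim.emp_id: pii_default_pin(victim)}, max_attempts=10**9)
    print("no lockout:", enumerate_birth_years(open_portal, "e1001", "1234"))
    # Lockout after five failures stops the enumeration early.
    locked_portal = Portal({victim.emp_id: pii_default_pin(victim)}, max_attempts=5)
    print("lockout:", enumerate_birth_years(locked_portal, "e1001", "1234"))
    # Random initial PIN, and the policy check rejects the PII-derived one.
    print("PII-derived rejected:", is_pii_derived(pii_default_pin(victim), victim))
    print("random temp PIN:", random_temp_pin())
```

The lockout only limits online guessing against one account; the durable fix is the second half, never deriving an initial credential from data the attacker can already hold, and forcing a change on first use.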
6. California Correctional Health Care Services: 400,000 Records
On April 25, CCHCS identified a potential breach of PII and protected health information that occurred on Feb. 25 when thieves broke into a workforce member’s automobile and stole an unencrypted laptop. The laptop was password protected in accordance with state protocol, but a login password does not protect data at rest: an unencrypted drive can simply be removed and read on another machine, which is why full-disk encryption, not a password, is the control that matters for lost or stolen devices.
7. Baileys, Inc.: 250,000 Records
The outdoor equipment retailer notified its customers that an attacker may have stolen payment card information from the company website and that the breach ran longer than previously suspected, from Dec. 1, 2011 to Jan. 26, 2016. An examination by its security consultant found the theft involved 15,000 credit cards used to pay for purchases: roughly 25% MasterCard, 64% Visa, under 5% American Express and about 6% Discover.
8. Premier Healthcare: 205,748 Records
The Bloomington, Ind., healthcare provider discovered on Jan. 4 that a laptop had been stolen from the billing department’s locked and alarmed administrative office. The laptop was password protected, but not encrypted. Emails stored on the laptop’s hard drive contained screenshots, spreadsheets and PDF documents used to address billing issues with patients, insurance companies, and other healthcare providers.
9. Southern New Hampshire University: 140,000 Records
This breach was discovered by researcher Chris Vickery shortly before Christmas 2015, but the investigation carried over into 2016. The exposed SNHU database contained student names, email addresses and IDs, as well as other class-related details such as course name, course section, assignment details and assignment score. The database also contained instructor names and email addresses.
10. IRS: 101,000 Records
The January 2016 attack, reported in February, came after attackers had previously gained access to the SSNs of 464,000 people, according to the IRS. This time the attackers abused an automated system to generate additional e-filing PINs, succeeding for about 101,000 of the SSNs they held.