The 10 Biggest Data Breaches Of 2015 (So Far)

Breach Barrages

2014 was a big year for breaches, and so far 2015 hasn't been far behind. While we're only halfway through the year, breaches have already hit the health-care, financial, higher-education and federal markets, and even the security industry itself. While the breach barrage continues, solution providers said customers' awareness of security issues is at an all-time high and investments are pouring into security technologies.

Take a look back at the biggest breaches of the year so far (and cross your fingers for a better six months to come).

For more on the "coolest" of 2015, check out "CRN's Tech Midyear In Review."

CareFirst BlueCross BlueShield

While not the biggest breach of the year by number of records compromised, the CareFirst BlueCross BlueShield breach in May was notable because it highlighted the continued vulnerability of the health-care industry. CareFirst discovered the breach as part of a Mandiant-led security review that found hackers had gained access to a database that members use to get access to the company's website and services. All in all, 1.1 million members had their names, birth dates, email addresses and subscriber information compromised, but member password encryption prevented cybercriminals from gaining access to Social Security numbers, medical claims, employment, credit card and financial data.

Kaspersky Lab

A different kind of cyberattack than the rest on the list, Kaspersky Lab revealed in June that it had discovered an infiltration in several of its internal systems. The attack, which it named Duqu 2.0, was believed to be a nation-state-sponsored attack, whose other victims included events and venues with links to world power meetings, including recent negotiations for an Iran nuclear deal. The Moscow-based security vendor said the compromise included information on the company's newest technologies, such as Kaspersky’s Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network and Anti-APT solutions and services. The attackers also targeted investigations into advanced targeted attacks, the company said.

Premera BlueCross BlueShield

In one of two mega breaches to hit the health-care industry so far this year, health insurance company Premera BlueCross BlueShield said in March that it had discovered a breach in January that affected as many as 11.2 million subscribers, as well as some individuals who do business with the company. The breach compromised subscriber data, which includes names, birth dates, Social Security numbers, bank account information, addresses and other information. According to the Seattle Times, the health insurer had been warned last year that its IT systems were vulnerable to a possible attack.

[Related: The 10 Biggest Data Breaches Of 2015]

Multi-Bank Cyberheist

In February, a billion-dollar bank cyberheist was discovered, affecting as many as 100 banks around the world. The breaches, discovered by Kaspersky Lab, infiltrated the banks' networks using tactics such as phishing and gaining access to key resources, including employee account credentials and privileges. The cybercriminal ring, known as Carbanak, then used those credentials to make fraudulent transfers and make hijacked ATM machines appear legitimate as they funneled more than $1 billion into their own pockets. The attacks were first detected in December 2013, ramping up between February and April of last year.

Harvard University

A July breach at Harvard University, following in the footsteps of eight other education breaches this year, highlighted growing security concerns around the higher-education market. The breach affected as many as eight schools and administrative offices, though it remains unclear what information was accessed by the hackers. Harvard wasn't the only university that was hit by a breach this year, with an announcement of two Penn State University breaches in May, which compromised the information of 18,000 people since the attack started in 2012. Solution providers at the time said the higher-education market faces challenges of tight budgets and a free-thinking culture but that these incidents showed more investment in security is needed.

Hacking Team

The breach of Hacking Team July 5 led to a cascade of other security threat revelations and had governments around the globe in hot water. The Hacking Team develops spy tools for government agencies, including those that can go around traditional anti-virus solutions. The breach published more than 1 million emails from the Italian surveillance company, revealing its involvement with oppressive governments as well as multiple Flash zero-day vulnerabilities. As the breach is still fairly recent, the full extent of the impact isn't known as more revelations continue to roll out.


In June, password management company LastPass revealed that it had been the victim of a cyberattack, compromising email addresses, password reminders, server per user salts and authentication hashes. The company said it believed its encryption measures would protect most users. At the time, solution providers said the breach was significant because, on the heels of the Kaspersky breach, it showed an increasing trend from attackers to target the security vendors themselves.

Army National Guard

The July data breach of the Army National Guard was the result of an improperly handled data transfer to a non-accredited data center by a contract employee, the organization said. The breach possibly exposed the Social Security numbers, home addresses and other personal information of approximately 850,000 current and former National Guard members, dating back to 2004. Solution providers said at the time that this breach highlights the importance of having strong security practices for internal threats, including those posed by third-party contractors.


In yet another appearance for the health-care industry on this list, health insurer Anthem revealed a breach in February that exposed an astonishing 80 million patient and employee records. Anthem said the breach occurred over several weeks, beginning in December 2014, and could have exposed names, date of birth, Social Security numbers, health-care ID numbers, home addresses, email addresses, employment information, income data and more. It said it did not believe banking information was taken. The Wall Street Journal reported that Anthem had not encrypted the data that was accessed by hackers.

Office Of Personnel Management

Revealed in June, the two breaches of the Office of Personnel Management have snowballed into what is arguably one of the biggest cyberattacks in history. The larger of the two breaches, affecting 21.5 million federal workers, was discovered in late May after a separate, unrelated breach hit the agency in April, exposing the personnel data of 4.2 million individuals. While the actors behind the attack haven't officially been announced, reports have tied the attacks to China-based hackers. While details are still emerging about the extent of the attacks and their effect on millions of federal workers, some of the implications have already begun with the resignation of OPM Director Katherine Archuleta.