The 10 Biggest Data Breaches Of 2015


Throughout 2015, industries of all types were hit again and again by data breaches. From health care to education to the public sector, no industry was exempt in 2015 from the eye of attackers. While the number of breaches overall was down from 2014 (190 total reported breaches in 2015, as opposed to 297 in 2014, according to the Privacy Rights Clearinghouse), the tone of many of the breaches this year was much more sinister. 2015 saw mega-breaches compromising more extensive personal information than ever before and targeting organizations based on principles, rather than just for financial gain as in years past. As we cross our fingers for a more secure 2016, take a look back at the biggest data breaches from the past year.

10. Army National Guard

In July, the Army National Guard said it had been hit by a cyberattack that compromised all current and former members of the group since 2004, around 850,000 individuals. The breach possibly exposed the Social Security numbers, home addresses and other personal information. It was caused by a contract employee inadvertently transferring files to a non-accredited data center, which prompted solution providers at the time to call attention to the necessity of having strong security practices for third-party contractors.

9. Hacking Team

The Hacking Team develops spy tools for government agencies, including those that can go around traditional anti-virus solutions. A breach of the company in July put governments around the globe as well as the Hacking Team itself in hot water as it revealed a number of security threat issues as well as more than 1 million emails from the Italian surveillance company. The emails revealed that the Hacking Group had involvement with oppressive governments. Controversy from the hack continues to emerge, even into December, with the FBI refusing to confirm or deny whether it bought spyware from the company.

8. Security Vendors

Security vendors weren't immune from security attacks in 2015. The year saw hack reports at Kaspersky Lab, LastPass and MacKeeper. Kaspersky announced in June that it had discovered sophisticated malware on its systems that it called Duqu 2.0 and claimed to be a nation-state attack. Password management company LastPass said in June that suspicious network activity revealed the compromise of email addresses, password reminders, server per user salts and authentication hashes, though it said it did not believe user data or user accounts were affected. Most recently, researcher Chris Vickery found that 13 million account records were left exposed on a database server of MacKeeper, a vendor with security solutions tailored to OS X environments.

7. Starwood Hotels & Resorts, Hilton Hotel

While they were two separate incidents, the Starwood Hotel & Resorts breach in November and the Hilton Hotel breach in September had many similarities. Both breaches affected point-of-sale systems within hotel gift shops and restaurants, but did not compromise the reservation systems. The Starwood breach affected 54 locations, although the company did not specify how many people were affected, and Hilton did not specify any information on how many records were compromised.

6. VTech

While not necessarily one of the largest breaches of the year by number of records compromised, the breach of children's technology maker VTech was one of the more concerning. The breach, revealed in December, compromised data on close to 5 million parents and more than 6 million children, reportedly including some chat records. VTech confirmed the information included child profiles (including name, gender and birthday), sales logs, emails, profile photos and activity logs, although it said it did not include financial information. Later in the month, an arrest of a 21-year-old man from England was made, reports said.

5. Excellus BlueCross BlueShield

Three of the top four breaches of the year are in the health-care space. Excellus BlueCross BlueShield, a health insurer focused in the upstate New York region, was one of those breaches, with 10.5 million people and associated businesses compromised in what it called a ’very sophisticated cyberattack.’ Records potentially exposed in the breach, which was revealed in September, included name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information.

4. Premera BlueCross BlueShield

In one of the first major breaches of 2015, Premera BlueCross BlueShield said in January that it had discovered a breach that affected as many as 11.2 million subscribers, as well as some individuals who do business with the company. Premera is a health insurance company that operates in Washington and Alaska. Data compromised included names, birth dates, Social Security numbers, bank account information, addresses and other information.

3. Experian

Just as health insurers were targeted in 2015 for their aggregation of valuable health-care information, hackers also targeted credit service provider Experian for its vast amounts of financial and personal information. In October, the credit company said that information on 15 million T-Mobile customers who had applied for telecom vendor's postpaid services, which are handled by Experian, had been compromised after unauthorized access was discovered to a company server. T-Mobile said its own systems and network were not compromised in the incident. Information compromised could include names, addresses, Social Security numbers, dates of birth, and identification numbers, the company said at the time.

2. Anthem

While the breach happened in February, the compromise of health-care insurer Anthem remained one of the biggest events of the year and kicked off a rough year overall for the health-care industry when it came to security. The breach exposed the records of more than 80 million patients and employees, including names, date of birth, Social Security numbers, health-care ID numbers, home addresses, email addresses, employment information, income data and more. The Wall Street Journal reported that Anthem had not encrypted the data that was accessed by hackers.

1. Office Of Personnel Management

Hands down the most impactful breach of the year, and arguably of all time, was the Office of Personnel Management. Discovered in late May, more than 21.5 million federal workers were impacted by the breach, which exposed the Social Security numbers, residency and educational history, employment history, information about immediate family and other personal and business acquaintances, health, criminal and financial history, and more. Reports said the attack was a nation-state attack, linking the breach back to China. The event triggered a shift from the public sector to focus more on security, although the impact on those affected remains to be seen as there really is no precedent for a breach involving this expansive and deep level of personal information.