The 10 Biggest Data Breaches Of 2016 (So Far)

No One Is Immune

According to the Identity Theft Resource Center, there have already been 522 reported breaches as of the middle of July, exposing more than 13 million records (that number does not include the majority of breaches that did not report number of records affected). While we have yet to see a mega-breach that will define the year, as the Office of Personnel Management, Target and Sony have in years past, trends have emerged in the year so far, including multiple attacks targeting W-2 information, federal agencies, health-care organizations and telecom providers. Take a look at 10 of the biggest and most impactful breaches of the year so far.

(For more on the "coolest" of 2016, check out "CRN's Tech Midyear In Review.")


Luck didn't improve much for the health-care sector in 2016, following up on a tough year for data breaches. In January, multi-line health-care enterprise Centene announced that 950,000 members had potentially been impacted by a data breach. The breach was caused by the loss of six hard drives that included personal health information on members who had had lab services between 2009 and 2015. It also included names, addresses, dates of birth, Social Security numbers, ID numbers and other health information, the company said. It is not clear if the device was encrypted.

Federal Bureau of Investigation, Department of Homeland Security

In February, hackers threatened to, and ultimately did, dump the records of nearly 30,000 FBI and Department of Homeland Security workers. The records included personal information on around 9,000 DHS employees and around 20,000 FBI employees, including names, titles and contact information. The hacker, which first reached out to Motherboard with the files, claimed he had access to even more files, totaling 200 GB.


Seagate was one of the many victims of a W-2 attack this tax season, with security reporter Krebs reporting in March that the data storage company had been breached of all of its W-2 tax documents. The leak included documents on all current and past employees, Krebs said in a blog post about the breach, and included Social Security numbers, salaries and other data. The breach was the result of a successful phishing scam, where "an employee believed the phishing email was a legitimate internal company request," a company spokesperson said at the time.

Internal Revenue Service

At the height of tax season, the Internal Revenue Service announced that it had been hit by a massive data breach, exposing the information of more than 700,000 individuals. Hackers accessed the information, including Social Security numbers and other personal information, through the IRS' "Get Transcript" program, which was created to allow taxpayers to check their history online. The hackers potentially accessed the accounts using data from breaches of IRS-approved tax preparers or other online accounts, the IRS said at the time. The IRS first reported the breach in May 2015, saying it affected 114,000 accounts. That number was expanded in February of this year to include as many as 724,000 accounts affected.

LinkedIn, MySpace

Within the space of two weeks in May, a hacker called Peace posted data on the dark web to sell, which allegedly included information on 167 million LinkedIn accounts and, in the following week, 360 million emails and passwords for MySpace users. The LinkedIn leak expands on the 6.5 million encrypted passwords that were posted after a LinkedIn breach in 2012. Motherboard first reported the data leaks. The credentials, which included user names, passwords and emails, were largely from former breaches, according to LeakedSource, a paid hacked data search engine.

21st Century Oncology

In March, 21st Century Oncology, a Fort Myers, Fla.-based cancer care provider, announced that a data breach had exposed the information of 2.2 million patients based across all 50 states and internationally. Hackers broke into a company database in October, the company said, accessing personal information of patients, including names, Social Security numbers, physician names, diagnosis, treatment data and insurance information. The company said it had "no indication that the information has been misused in any way."

Office of Child Support Enforcement

In April, a laptop and portable hard drives containing personal information was stolen from the Office of Child Support Enforcement in Washington. The devices were stolen by intruders that likely used a key from a disgruntled former employee, police said at the time. The devices contained personal information on as many as 5 million individuals, including Social Security numbers, birth dates, addresses and phone numbers. The breach comes a year after the federal government announced a massive data breach affecting the Office of Personnel Management, exposing the personal information of more than 21 million federal employees and contractors.

Federal Deposit Insurance Corporation

While not the largest breach of the year so far by number of records, the June announcement of a data breach at the Federal Deposit Insurance Corporation is particularly concerning. A report issued by the House Committee on Science, Space and Technology announced that Chinese hackers had access to the department's systems from 2010 to 2013 though back-end malware that had been installed on workstations and servers. The announcement came after the Inspector General started investigating the FDIC for another breach, which occurred in 2015, and found the FDIC had failed to report the breach. In May, the FDIC had retroactively reported five other breaches, affecting a total of 160,000 individuals. The breach brings up concerns around breach reporting, as well as nation-state attacks from overseas actors such as China.

Verizon Enterprise Services

After a report emerged from security journalist Krebs in March, Verizon Enterprise Services announced that it had been the victim of a data breach that affected more than a million of its enterprise customers. The breach allowed hackers to collect information on an estimated 1.5 million enterprise clients, including basic contact information. Verizon said no customer proprietary network information or other data was accessed. It is not clear what the exact cause of the breach was, but Verizon said it had recently found and fixed a vulnerability in its enterprise client portal used by the hacker to collect the information. Partners at the time said the breach highlighted concerns around telecom providers, who pose an attractive target to hackers as they hold an extensive amount of customer information.