The 10 Largest Data Security Breaches Of 2018 (So Far)

Nearly 182 million records were exposed in the 10 biggest data breaches in the first half of 2018, with five of the six largest breaches occurring at private sector organizations.

Data Doldrums

See the latest entry: The 10 Biggest Data Breaches of 2022 (So Far)

Information management is extremely important to both employees and consumers since unauthorized exposure of that data could potentially lead to identity theft.

Although the information exposed can vary and the data can be lost due to everything from insider threats to hacking to employee negligence, all data breaches contain personal identifying information in a format that can be read easily by thieves.

Nearly 182 million records were exposed in the 10 biggest data breaches in the first half of 2018, according to information compiled by the Identity Theft Resource Center as well as other sources.

Five of the six largest breaches impacted private sector enterprises, with two breaches hitting government agencies, one breach affecting a financial services player, one impacting a health-care organization, and one striking an educational institution.

Read on to learn how the 2018 biggest data breaches of 2018 (so far) transpired.

(For more on the biggest news of 2018, check out "CRN's Tech Midyear In Review.")

10. Pennsylvania Department of Education

Number Of Records Exposed: 360,000

A data breach of a Pennsylvania Department of Education database may have potentially compromised personal information including Social Security numbers of the commonwealth's current and former teachers.

The breach lasted for 30 minutes on a February afternoon, and was caused by an error made by an employee in the governor's Office of Administration.

During the incident, users who logged into the Teacher Information Management System would have been able to view personal information of other current and former teachers. This database provides a way for teachers to apply for certification, for the department to review applications, and by schools to verify a teacher's certification.

The Pennsylvania Department of Education and Office of Administration mailed letters to affected individuals offering a year's worth of free credit monitoring services.

9. Florida Virtual School

Number Of Records Exposed: 368,000

The largest state-run virtual school in the country revealed two major data breaches in March, with the exact nature of the breaches under dispute.

In one of the breaches, the personal information of more than 368,000 students who have taken courses at the Florida Virtual School (FLVS) was left unsecured online for almost two years, exposing them to potential identity theft, the school said.

According to FLVS, unauthorized individuals also obtained data being transferred between FLVS and Florida's Leon County school district, allowing them to collect the Social Security numbers, addresses, phone numbers, spouses' names, personal contact information, and emergency contacts of more than 1,800 Leon County teachers.

Leon County school officials, though, said that Florida Virtual School is 100 percent responsible for the theft since the hackers got all the data from a single server that was accidentally left open.

8. LifeBridge Health

Number Of Records Exposed: 538,000

LifeBridge Health was hit by a malware attack that potentially exposed the private information of patients for more than a year.

Officials said they discovered the breach in March, with a malware infection on its server that hosted LifeBridge Potomac Professional’s EHR (electronic health records) and LifeBridge Health’s patient registration and billing systems.

However, the investigation that followed found the hackers first gained access to the EHR and servers in September 2016. And the breached data included demographic information, dates of birth, medical history, clinical and treatment information, insurance data, and – in the case of some patients – Social Security numbers.

LifeBridge said they sent letters to patients and established a call center to answer questions.

7. California Dept. of Developmental Services

Number Of Records Exposed: 582,000

California's Department of Developmental Services said in April that confidential information may have been seen during a Feb. 11 break-in at one of its Sacramento buildings.

Burglars ransacked files, damaged and stole state property, and started a fire, with fire sprinklers dousing many of the records.

The burglars could have seen information for about 582,000 clients as well as the roughly 15,000 employees of regional centers, service providers, job-seekers and parents of minors enrolled in departmental programs.

Officials said they have no evidence that personal and health information was revealed, but are notifying clients and the public out of an abundance of caution.

6. Orbitz

Number Of Records Exposed: 880,000

Travel booking site Orbitz said that a possible security breach discovered in March may have exposed information tied to payment cards. The incident involved an older travel booking platform where information may have been accessed between October 2017 and December 2017.

The attacker may have accessed personal information such as customers' full names, birth dates, phone numbers, email addresses and billing addresses, although Orbitz doesn't have any direct evidence that the information was taken from the site.

The company, which is owned by Expedia, said its current Orbitz.com site wasn't affected. Orbitz said it notified customers and business partners about the incident, and offered a year of free credit monitoring.

5. SunTrust

Number Of Records Exposed: 1.5 Million

SunTrust announced in April that a former employee may have tried to steal and share data of about 1.5 million customers, including names, addresses, phone numbers and account balances.

The former SunTrust employee reportedly tried to print the information and share it with a criminal third party, although no fraudulent activity had been observed on any of the possibly affected accounts.

Identifying information such as PIN, user IDs, passwords and driver’s license information is not believed to be at risk, the company said in April. SunTrust said it's working with experts and law enforcement as well as offering free identity protection to all current and new clients on an ongoing basis.

4. Jason's Deli

Number Of Records Exposed: 3.4 Million

Jason's Deli disclosed in January that criminals had deployed RAM-scraping malware on a number of their point-of-sale (POS) terminals at various corporate-owned restaurants between June 8 and Dec. 29, 2017.

Specifically, the payment card information obtained was full track data from a payment card’s magnetic stripe. While this information varies from card issuer to card issuer, full track data can include the cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code.

Unlike a situation in which a block of static data is illegally copied and stolen all at once, the RAM-scraping malware employed by the criminals against Jason’s Deli copied data as individual transactions occurred over a period of several months.

3. Saks and Lord & Taylor

Number Of Records Exposed: 5 Million

A well-known ring of cybercriminals obtained credit and debit card numbers from customers of Saks Fifth Avenue and Lord & Taylor, according to an April report from cybersecurity research firm Gemini Advisory. The data appeared to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until March 2018.

Gemini Advisory said that a group of Russian-speaking hackers known as Fin7 or JokerStash posted that they had obtained a cache of 5 million stolen card numbers, and were offering 125,000 of those records for immediate sale. The researchers determined that the card numbers all seemed to have been used at Saks and Lord & Taylor stores from May 2017 to March 2018.

Although it’s unclear exactly how the malware was installed in the stores’ checkout systems, Gemini said it was most likely through phishing emails sent to Hudson’s Bay employees.

2. Sacramento Bee

Number Of Records Exposed: 19.4 Million

Two Sacramento Bee databases on a third-party computer server were seized in January by an anonymous hacker who demanded The Bee pay a ransom in Bitcoin to get the data back.

The intrusion exposed one database containing California voter registration data from the California Secretary of State, and another that had contact information for subscribers who activated their digital accounts prior to 2017. The Bee did not pay the ransom and deleted the databases to prevent further attacks.

The voter database included contact information – addresses and phone numbers – and party affiliations, dates of birth and places of birth for 19.4 million voters. The subscriber database, meanwhile, included the names, addresses, email addresses and phone numbers of 53,000 current and former Bee subscribers.

1. Under Armour

Number Of Records Exposed: 150 Million

Under Armour said in March that data from some 150 million MyFitnessPal diet and fitness app accounts had been compromised in one of the biggest hacks in history.

The stolen data includes account user names, email addresses and scrambled passwords for the MyFitnessPal mobile app and website, according to the company. Social Security numbers, driver's license numbers and payment card data were not compromised, Under Armour said.

Under Armour did not provide details on how the hackers got into its network or pulled out the data without getting caught in the act. The company said that it would require MyFitnessPal users to change their passwords, urging users to do so immediately. Under Armour started notifying users of the breach four days after it first learned of the incident.