The 10 worst breaches of the past 12 months
Most Internet users are accustomed to changing their online passwords regularly. They limit their shopping to sites with a trusted security certificate, and use companies like PayPal for safe transactions. But the last year has demonstrated that even the most cautious user is vulnerable to data breaches that can lead to fraud and identity theft.
Luckily, timely disclosure about these breaches is becoming more standard for the organizations affected, enabling users to act quickly to change their passwords and check their credit reports. However, with data breaches becoming more common, the best Internet users can hope for is that these quick security fixes, plus a new password, will be enough to protect them in the future.
Here are the top ten data and security breaches of the past twelve months—the year some have called the year of the stolen password.
The Heartbleed encryption bug is probably the biggest and best-known breach of the last 12 months (if not the last few years). The existence of the bug was made public by security firm Codenomiconon in April, although it operated undetected for almost two years. Heartbleed affected about 17% of the Internet’s secure web servers making passwords vulnerable to theft—information that was normally protected by SSL/TLS encryption.
A massive number of companies were affected including Amazon, Pinterest, Reddit, Tumblr, Airbnb, WordPress, and Wattpad. Users on each site were advised to change their passwords, while companies were advised to patch their copy of OpenSSL to fix the problem. Operating systems like Android 4.1.1 were also discovered to be vulnerable.
The industry mobilized one of its biggest responses ever to a data breach by creating the Core Infrastructure Initiative, a multi-million dollar project to fund critical elements of the web’s infrastructure. Backed by companies like Amazon, Dell, Facebook, Google, and Microsoft the funding will help lead developers on various projects and pay for security audits and software development.
Major US retailer Target announced a massive breach of its point-of-sale terminals in early December of last year. The breach affected an estimated 70 million Black Friday shoppers. Customer credit and debit cards were compromised and customer names, mailing addresses, email addresses, and phone numbers were stolen.
Target’s website has an FAQ dedicated to answering consumer questions about the breach. The company assures customers they won’t be held liable for fraudulent charges. In response to the theft, and in order to step up credit card security for its customers, Target is fast-tracking plans to implement chip-enabled technology with its store branded credit cards by early 2015.
Target also announced that it has joined forces with a host of other retailers to launch the Retail Cyber Intelligence Sharing Center, which will enable them to share information, analyze data, and help address cyber crime in tandem with U.S. law enforcement. Target CEO Gregg Steinhafel announced his resignation after 35-years with the company and Target CIO Beth Jacobs stepped down after 6 years with the organization.
Adobe revealed that it had been the victim of a sophisticated security attack last October. At least 38 million customers across various Adobe properties were affected by the breach. Information removed from the system included customer names, credit and debit card numbers, expiration dates, and order information—much of which was later posted online.
Customers whose debit or credit card information was compromised received a notification letter and the option of enrolling in a complimentary credit monitoring service for one year.
4. Facebook, Google, Twitter
In November of last year, hackers stole passwords and usernames for almost two million accounts across a number of social networks. Sites affected include Facebook, Gmail and YouTube, Twitter, LinkedIn, as well as the payroll service ADP.
The hack was the product of keylogging software that had been installed on a number of computers worldwide—enabling hackers to capture login credentials for millions of users and route them to their own server over a month long period.
The breach was discovered by researchers at cyber security firm Trustwave who traced the server to the Netherlands. A spokesperson at Trustwave suggested there could be more active servers they haven’t yet tracked down—and that the hack could be ongoing. Users are advised to update their antivirus software, download the latest patches for their Internet browser, Adobe, and Java, and change their passwords.
5. Washington State Courts
More than one million driver’s license numbers and 160,000 Social Security numbers were accessed in a data breach at the Washington State Administrative Office of the Courts’ website. Citizens booked at a city or county jail, or with a traffic case in a district or municipal court through 2012, or anyone with a DUI citation in the state going back to 1989 may have had their data compromised.
The court discovered the breach in late February of last year and has said they have taken steps to enhance their online security. The court advised citizens who may have been affected to call the court’s administrative office for more information.
In June of last year, Facebook admitted, via their blog, to a technical breach that had inadvertently exposed the phone numbers and emails of more than six million users. The software bug allowed Facebook users who downloaded contact information for their list of friends to obtain additional, unauthorized contact details. The bug was found by a security researcher who reported it to the company.
While Facebook says they fixed the glitch within 24 hours of discovery, and that they hadn’t received any complaints of suspicious activity as a result of the glitch, the incident served as a reminder to users that their personal information wasn’t safe-even on one of the world’s most popular websites.
Daily deal site LivingSocial was the victim of a cyber attack that compromised the account information of its 50 million users. According to the company, customer credit card data was stored on a different server and remained safe, however the names, email addresses, birth dates, and encrypted passwords of its users were accessed. LivingSocial forced the reset of customer passwords and sent notices to affected users.
8. Maricopa Community College
A massive security breach in Arizona exposed the personal information of 2.4 million current and former students and faculty across ten district schools. Compromised was a wealth of personal information, including Social Security numbers, driver’s license numbers, and bank account information, as well as academic records.
The school was notified of the security breach by the FBI who found a website selling personal data from the district’s information-technology system. While there is no evidence the information was actually accessed, the school came under fire for waiting seven months to disclose the breach to those affected.
The board has allocated $17 million to deal with the fallout—funds will go towards ongoing retention of a law firm, maintenance for a call center, as well as the issue of notification letters and credit monitoring for those affected.
9. JP Morgan Chase
The financial services firm revealed it was targeted in a July 2013 cyber attack. The bank uncovered the breach to its website server in September but came under fire for waiting months to notify its customers that their personal information had been compromised.
Targeted were almost half a million holders of the bank’s prepaid cash cards, called UCards, which were issued to corporations and government agencies—organizations that are increasingly using the cards to replace paper checks. More than 6,000 residents in Louisiana received the cards for their state income tax refund, for example. While the bank believes critical personal information such as Social Security numbers and birth dates were not taken, the bank is offering the cardholders a year of free credit-monitoring services as a courtesy.
10. The University of Pittsburgh Medical Center
The University of Pittsburgh Medical Center (UPMC) was the victim of a data breach than enabled scammers to file up to 788 bogus 2013 tax returns with the IRS—a scam worth about $10 million. Names, addresses, and Social Security numbers for up 27,000 employees may have been compromised, UPMC said. An investigation into the UPMC breach is ongoing but one worker has already filed a lawsuit against her employer—rather than financial compensation, the employee is seeking credit restoration services and identity theft insurance.