The 10 Biggest Data Breaches Of 2016
Bigger And Badder
Another year, another collection of massive data breaches. While 2015 had some massive breaches, 2016 proved worse, with two of the largest data breaches in history, a massive hack at the Democratic National Committee with major political implications and a continued onslaught of breaches in healthcare, point-of-sale technology and within the federal government.
However, data breaches can mean a rising opportunity around security for partners, according to a study by Piper Jaffray, which found an 80.9-percent correlation between the number of breaches and revenue growth for security companies. Revenue growth is usually seen two quarters after an escalation of incidents, the study found.
As 2016 comes to a close, all signs point toward another year of data breaches and security threats, with emerging threat vectors around IoT and other points of entry. But before that happens, let's take a look back at some of the biggest incidents from the year that was.
10. Hewlett Packard Enterprise Services
While not one of the year's largest breaches by number of individuals affected, a Hewlett Packard Enterprise Services breach in October is of particular importance to the channel. In November, the Navy announced that in the month before, a laptop operated by an HPE Services contractor had information accessed by "unknown individuals." The information included names and Social Security numbers of more than 134,000 current and former Navy employees.
"The Navy takes this incident extremely seriously - this is a matter of trust for our sailors," said Chief of Naval Personnel Vice Adm. Robert Burke in a statement at the time. "We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach."
9. 21st Century Oncology
In March, 21st Century Oncology, a Fort Myers, Fla.-based cancer care provider, announced that a data breach had exposed the information of 2.2 million patients based across all 50 states and internationally. Hackers broke into a company database in October 2015, the company said, accessing personal information of patients, including names, Social Security numbers, physician names, diagnosis, treatment data and insurance information. The company said it had "no indication that the information has been misused in any way."
8. Weebly
Web hosting service and website builder Weebly confirmed a hack in October that affected more than 43.5 million accounts, including user names, email addresses, passwords and IP addresses. The breach affected both the security of the users and the websites associated with them. Weebly said it did not believe any credit card information was taken or used inappropriately after the breach. It was first reported by breach notification site LeakedSource.
7. Oracle Micros
In August, security journalist Brian Krebs reported that computer systems at software giant Oracle had been hacked, with attacks directed at the company's Micros Systems credit card payment systems (Oracle acquired Micros Systems in September 2014 for $5.3 billion). Oracle Micros Systems is one of the top three point-of-sale systems in the world. The Krebs report said that a Russian organized cybercrime group "known for hacking into banks and retailers" appeared to be behind the attack that "breached hundreds of computer systems" at Oracle. Oracle confirmed it had "detected and addressed malicious code" in some of its Micros Systems, saying its corporate network, cloud and other service offers were not impacted. The vendor said at the time that it has implemented additional security measures for legacy Micros systems "to prevent a recurrence." The company also required that all Micros customers change their passwords for all Micros accounts.
6. State Fishing And Hunting License Sites
In August, a hacker attacked the wildlife sporting licensing sites of four states, gaining unauthorized access to the personal identifiable information of more than 6 million people in Washington, Kentucky, Oregon and Idaho. The person claiming to be the hacker, who called himself "Mr. High" shared the security holes with the states, which they said were later patched. The information exposed included names, dates of birth, addresses, Social Security numbers, height, weight, eye color and some phone numbers and emails, though the information exposed varied by state.
5. Verizon Enterprise Services
After a report emerged from security journalist Brian Krebs in March, Verizon Enterprise Services announced that it had been the victim of a data breach that affected more than a million of its enterprise customers. The breach allowed hackers to collect information on an estimated 1.5 million enterprise clients, including basic contact information. Verizon said no customer proprietary network information or other data was accessed. It's not clear what the exact cause of the breach was, but Verizon said it had recently found and fixed a vulnerability in its enterprise client portal used by the hacker to collect the information. Partners at the time said the breach highlighted concerns around telecom providers, who pose an attractive target to hackers as they hold an extensive amount of customer information.
4. Department Of Health And Human Services
In April, a laptop and portable hard drives containing personal information was stolen from the Office of Child Support Enforcement in Washington, part of the U.S. Department of Health and Human Services. The devices were stolen by intruders who likely used a key from a disgruntled former employee, police said at the time. The devices contained personal information on as many as 5 million individuals, including Social Security numbers, birthdates, addresses and phone numbers. HHS was highly criticized at the time for not being forthcoming about the breach and who might be at risk. The breach came a year after the federal government announced a massive data breach affecting the Office of Personnel Management that exposed the personal information of more than 21 million federal employees and contractors.
3. Myspace
In May, many users got a reminder that they still held Myspace accounts, as the social media network announced a breach that reportedly affected 360 million accounts. In a blog post announcing the breach, Myspace said it discovered that email addresses, user names, and passwords for accounts created prior to June 11, 2013 had been posted on an online hacker forum. Myspace had updated its platform in 2013, which included a strengthening of account security. Myspace attributed the breach to the Russian hacker "Peace."
Myspace wasn't the only social media network in hot water for a data breach this year. Tumblr announced that 65 million accounts from a 2013 breach had been posted on the dark web. LinkedIn also announced it had discovered 117 million email and password combinations for sale on the dark web this year from a 2012 breach. Foursquare was also reportedly hit by a breach that affected 22.5 million customers, though the company denies the breach.
2. Democratic National Committee
As the presidential election campaign came down to its final days this fall, thousands of leaked emails from the Democratic National Committee were published on Wikileaks, reflecting poorly on the Democrats and arguably helping shape the outcome of the election. In October, the U.S. government said it believed Russia was behind the hacking of the DNC to steal the documents and emails in question. The CIA most recently said intelligence shows that Russia disproportionately targeted the Democratic Party with its nation-state attacks, with the Obama administration saying that Russian President Vladimir Putin authorized the attacks and claiming that Republican candidate Donald Trump - now the president-elect - knew of them personally. A report said Russia also attempted to hack the Republican National Committee, but the report said the attacks were less aggressive and failed to penetrate the group's systems. The attacks show the rising influence of nation-state attacks on some of the United States' most important systems.
1. Yahoo
Yahoo had not only suffered the biggest breach of the year, but the two biggest. In September, it announced it had discovered a breach from late 2014 that affected more than 500 million user accounts. The data breach exposed certain user account information, including names, email addresses, telephone numbers, birthdates, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers, Yahoo said. The company said it believed a nation-state attacker was responsible for the attack. Just a few months later, in December, Yahoo announced a second, larger breach that it said affected 1 billion user accounts. The second breach, which it said was separate from the first, occurred in August 2013, with an unauthorized third party stealing data that included names, email addresses, telephone numbers, birthdates and hashed passwords. The company said it also, in some cases, included encrypted or unencrypted security questions and answers. Yahoo said at the time that it has not yet identified how the attackers penetrated its systems, though it said it's now working with law enforcement. The two breaches, each independently considered the largest breaches in history, reportedly has now put the company's pending $4.8 billion acquisition by Verizon in question.