Organizations worldwide were hit with a rude awakening this year in terms of data protection. From medical providers, to financial institutions, and government agencies, hackers this year did not discriminate in terms of who’s the next organization to be breached. As we stand to enter the New Year, let’s reflect on some of the largest data breaches that occurred in 2016.
21st Century Oncology
21st Century Oncology, a Fort Myers-based cancer care services provider, released a statement on their website indicating that 2.2 million patients could have had their personal information stolen during a breach of the company’s system in October 2015. The breach was disclosed to the public in March of 2016, and there’s no evidence the stolen information has been used in any way. Though hackers did have access to the names, social security numbers, doctor names, diagnosis and treatment information, and insurance information of 21st Century Oncology patients.
National Payment Corporation of India
The National Payment Corporation of India (NPCI) was notified by international banks that some of its customers’ debit cards were being used fraudulently. Many experts believe the breach began with a malware attack that originated at an ATM. Since the attack, banks across India have replaced as many as 3.25 million debit cards with fears that the card data may have been compromised. Of those affected, about 2.65 million are on Visa and MasterCard platforms, and 600,000 are on RuPay.
Philippine Commission on Elections
A breach of the database for the Philippe Commission on Elections (COMELEC) is being deemed the worst government data breach to happen anywhere. It’s believed that the personal information of every Philippine voter, roughly 55 million people, was comprised on March 27, 2016, by Anonymous. The information has since been published in a database online and is available for anyone online to steal and engage in identity theft. Anonymous claims the leak was an effort to push the COMELEC to turn on security features in the vote counting machines before the national elections took place on May 9, 2016.
Russia’s popular social media site VK.com experienced a breach in June of this year, leaking details on more than 100 million VK users. The database contained information including first & last names, email addresses, plain-text passwords, location information, phone numbers, and in some cases, secondary email addresses. The hacker responsible, known as Peace, claims the passwords were already in plain text when VK.com was hacked and were not cracked at a later date. Peace is selling the stolen data for 1 bitcoin, but another set of 71 million accounts, he’s decided to not sell.
LinkedIn, the popular professional networking site, was hacked four years ago in 2012. While the company originally thought the hacks impact was the theft of 6.5 million passwords, the company came to find out this year that the number of impacted individuals is much larger- 117 million to be exact. LinkedIn acted swiftly and invalidated the passwords of all accounts that were created prior to 2012 and had not undergone a reset since the breach.
Yet another adult website was taken down by hackers this year, with this breach nearly 13 times the size of last year’s hack of Ashley Madison. Approximately 412 million users had their personal information stolen and published online as a result of this attack. The breached information included email addresses, passwords, VIP member status, browser info, last IP address to log in, and purchases. The company has since only admitted to finding a vulnerability within their systems but has not yet confirmed the attack.
427 million passwords of Myspace users were leaked back in May 2016. LeakedSource and Peace are the hackers responsible for this breach and claim the credentials are from a past, unreported breach. Understandably, this attack occurred during an era where security measures were not as strong as they are today. Hacker ‘TheCthulhu’ published the database of 427 million passwords for more than 360 million users of the social network onto the dark web.
2016 was a particularly rough year for Yahoo, who suffered two of the most notorious breaches in history this past year. In September, Yahoo announced that a hacker stole information from a minimum of 500 million accounts in late 2014. The thief who’s believed to be working with some sort of government, stolen email addresses, passwords, full user names, birth dates, phone numbers, and in some cases, security questions and answers.
Yahoo suffered an additional attack that they disclosed in December claiming more than 1 billion user accounts were compromised in August 2013, making this the largest data breach in history. Yahoo’s Chief Information Security Officer, Bob Lord, claims hackers used ‘forged cookies’- pieces of code that stay in the user’s browser cache allowing a website to not require a login with ever visit. Similar to the 2014 breach, the information stolen may have included names, email addresses, phone numbers, dates of birth, hacked passwords, and in some cases, encrypted or unencrypted security questions and answers.
NNT’s Breach Detection- Host Intrusion Detection Solutions
The fiscal and reputational damage posed by data breaches and cyber-attacks should be more than enough reason to persuade organizations to maintain a vulnerability free IT environment, yet as the years progress, the lessons are never learned and billions of victims suffer from their negligence. Organizations must comprehend the seriousness of protecting this incredibly sensitive personal information and implement Breach Detection- Host Intrusion Detection solutions to help combat these ever growing cyber-attacks.
Read this article on ZDNet
Read this article on Identity Force