Less than 20 years ago, crooks looking to get their hands on quick cash would likely steal checks, snatch a purse or, if they were seeking a really big haul, even rob a bank. With the prevalence of surveillance security and better training for bank employees, these criminals are often caught and convicted fairly quickly. Keeping this in mind, criminals have been forced to become more sophisticated in their means of stealing money and have taken their operations online, honing their hacking skills in order to bring in the real money and to reduce their likelihood of being caught.
Though hacking consumer records is by no means a new phenomena, 2015 has seen a barrage of major security breaches which could impact consumers for many years to come. From children’s toys to sensitive government records, it would seem that there was nothing off limits for those looking to steal confidential consumer information. As of the end of December 2015 there had been 722 major security breaches, but the ones we’ll take a look at today are some of the worst of the worst.
Health Insurance Companies
According to statistics published by the Identity Theft Center, 177,840,420 consumer records have been exposed by hackers in 2015. Of those leaked records, nearly 120 million were medical records alone. It would be fair for consumers to assume that databases containing sensitive information, such as personal medical files, would be well protected from unauthorized access. Many consumers were shocked to hear that this simply was not the case, when four of the largest insurance providers within the U.S. compromised millions of customer records.
To kick off the new year, both the Anthem and Premera BlueCross BlueShield insurance providers had discovered that weakened system security had allowed hackers to access to nearly 29 million customer records dating as far back as 2002. Within the information obtained by the hackers included customer names, medical conditions, banking information, dates of birth and credit card numbers. Anthem was able to quickly catch and fix the security leak, which they believe began in December of 2015. Premera wasn’t able to identify their leak as quickly and believes the initial attacks to their system began sometime in May of 2014.
CareFirst BlueCross and BlueShield would be the next insurance provider to discover a major hole in their system security. On May 20, 2015 CareFirst revealed to consumers that hackers had unlimited access to one of the company’s databases since June of 2014. CareFirst claims that the hackers were unable to gain access to clinical records or credit card information, but were able to obtain usernames, email addresses and policy numbers, leaving close to 1.1 million customers susceptible to targeted phishing scams.
Excellus BlueCross and BlueShield was fourth insurance provider to announce their system had been targeted by hackers in August of 2015. The company revealed that the initial attacks had began in December of 2013, leaving consumer information exposed for nearly 20 months before the provider’s IT security department detected the attacks. Information the hackers had access to included social security numbers, financial information, names, mailing addresses, phone numbers and claims information. Nearly 10.5 million consumer records were compromised in the attack.
Combine those four attacks with the July’s attack against UCLA Health’s databases, which compromised another 4.5 million patient records, nearly 45 million consumers’ confidential information was leaked by hackers solely through these major attacks directed at the health care industry.
Army National Guard
If there’s one institution one would expect to safeguard classified information, it would be the United States Army National Guard, but if 2015 taught us anything, it’s that our information is always susceptible to falling into the wrong hands. Officially, hired contractors were to blame for the July 2015 leak, which compromised the personal information of Army National Guard servicemen and women dating back to 2004. According to an Army National Guard spokesman, the data included names, dates of birth and social security numbers. In spite of the personal nature of the information, the cause of the leak was cited as mismanagement of classified information, which was promptly reported and was not leaked on account of hackers looking to steal the information. Though the National Guard does not believe that the information will be used for unlawful purposes, a call center has been set up to instruct Guard members on what steps to take in the event that they believe they may have been victims of identity theft.
Office of Personnel Management
The Summer of 2015 was not a good season for national security. Not only did the National Guard inadvertently expose sensitive information on non-active and current Guard members, but the Office of Personnel Management – the U.S. government agency in charge of maintaining records on all Federal employees and providing background checks for security clearances – became a victim of the largest national security breach of all time. Nearly 22 million people were affected by the hack and 4 million government employees were confirmed as having their information compromised.
The June attack is believed to be connected to the same group of Chinese hackers responsible for the Anthem attack in January. Experts have since analyzed the attack and have described the leaks as foreseeable and completely avoidable, had the organization taken more steps to ensure the security of government information. Security experts have speculated that the group’s intentions are to compile a database of government employee information in order to impersonate those employees and conduct more attacks against government databases in the future. Additionally, the group now has the ability to blackmail U.S. government employees worldwide.
As one of the top providers of credit information, Experian North America is utilized by multiple agencies in both the public and private sectors when conducting consumer credit checks. In September of 2015, hackers targeted the main servers of Experian and were able to gain access to financial records for 15 million T-Mobile wireless subscribers. Names and social security numbers of the customers were among the information compromised in the attack.
The T-Mobile hack was not the first time Experian was found responsible for failing to properly secure customer information. In July 2015, a Vietnamese man was convicted of stealing and selling information obtained through some of the world’s largest consumer credit brokers, which included an Experian subsidiary. Experian is now facing class-action lawsuits in connection to the 200 million records the man was able to pull directly from their servers.
The Milan-based cyber security firm Hacking Team has long been rumored to have engaged in a number of unethical business practices, which included providing spyware and other security software designed for governments to break into computers and cellphones. This was confirmed in July of 2015 when hackers stole 400GB worth of data from Hacking Team’s servers, which included sales records proving the firm had been selling spy tools to authoritarian governments without regards for the agency’s intended use of the surveillance applications. Also among the leaked data were private corporate emails, source code for some of the developers’ security tools, and known Adobe Shockwave Flash exploits.
Links to some of Hacking Teams’s leaked files were promptly posted to their hijacked Twitter feed. Once the data had been dumped, hackers compromised the systems of an unknown number of civilian computers by executing the attacks as documented in Hacking Team’s files. Adobe has since been able to patch their popular browser plug-in to prevent any future attacks based on the Hacking Team data breach.
The IRS was in the fire back in 2009, when auditors discovered that nearly 5,000 tax payers had their information exposed. To make matters worst, the IRS then attempted to cover their tracks and hide the fact that there had been a security breach at all by delaying or foregoing notifications all together for those who were directly impacted as a result of the inadvertent information leak.
Six years later, the IRS was in trouble again. This time 334,000 taxpayer records were obtained through a tax transcript service offered through the IRS website by hackers using information such as social security numbers obtained through other sources. Consumers who were directly affected by the leak will have to remain vigilant in their credit monitoring, as information contained on the tax transcripts could potentially be used to open new lines of credit, including mortgages.
In 2015 some of the institutions that we, as consumers, would trust to have proper security measures in order to safeguard sensitive information have completely dropped the ball when it comes to system security. These institutions have proven themselves irresponsible and as a result, paid credit monitoring will no longer be just an option. If we can’t trust government and medical institutions to ensure our information is not falling into the wrong hands, then it is clear that we must vigilant in monitoring our own credit reports regularly or else leave ourselves vulnerable to identity theft.