December 22, 2016

2016 data breaches: A look back at a big year of data loss

Though we still have a little less than a month left in 2016, this year has proven to be one of the most significant years for breaches.

We dove into the data using Breach Report, Lookout’s new feature that tracks and alerts users about such incidents, to bring you a deeper look at what breaches really looked like in 2016. Of course, criminals also put name brands in their crosshairs, including Yahoo, Twitter, LinkedIn, Tumblr, and Myspace. But we also observed a new trend out of 2016. Attackers seemed to concentrate attacks around three kinds of data: healthcare records, voting data, and credit card data.

Check out our breakdown of a year in data breaches:

The latest, and arguably biggest, breach of 2016: Yahoo

In a year full of superlatives, Yahoo set a new high water mark for the scale of a breach in 2016. In an updated statement, Yahoo said hackers “stole names, email addresses, phone numbers, dates of birth, and encrypted and unencrypted security questions and answers from more than 1 billion accounts” in 2013. This was the second hack to impact Yahoo this year; back in September, the company also confirmed that data from at least 500 million users was stolen in what Yahoo believes is a separate, previous breach. Forensic experts reportedly connected elements of the hacking to state-sponsored actors, but stopped short of saying which foreign government might be responsible.

According to statement released December 14th by Bob Lord, Yahoo’s CISO, the stolen information in this most recent breach “did not include passwords in clear text, payment card data, or bank account information” because that information was not stored on the affected system.

Other large-scale internet company/social media breaches

In terms of sheer volume, social media and internet companies lost some astonishingly large amounts of data, many of them from household technology names. This year, most of these companies revealed or discovered breaches that actually occurred in past years, showing how long some breaches can go undetected:

  • While the exact number remains unclear, Twitter confirmed that at least 32 million user login credentials were compromised and posted for sale on the dark web.
  • 167 million LinkedIn users were affected in a breach from 2012 were posted for sale online.
  • Around 5GB of files containing details on 68,680,741 Dropbox accounts, which included email addresses and hashed (and salted) passwords for Dropbox users, were found online. Although the accounts were stolen in a previously disclosed breach dating back to 2012, Dropbox had never, until this year, released details of the breach, and it was not known how many users had been affected.
  • The total number of Tumblr accounts (emails and passwords) breached has climbed to over 65.5 million, in a breach dating back to 2013.
  • The login credentials of 360,213,024 MySpace users, compromised on June 11, 2013, are just now making their way onto the dark web.

Together, that’s nearly 700 million breached accounts, which adds up to serious impact on an average person’s digital life.

Healthcare data

Attackers seemed to have a particular interest in compromising health data this year. Around 15% of the overall data breaches Lookout recorded in Breach Report in 2016 were related to healthcare institutions or data. Here’s a short list of the top breaches we saw in this segment:

  • Banner Health, a nonprofit health system based in Arizona, suffered a cyber breach that affected 3.7 million patients. The attackers possibly obtained patient names, addresses, Social Security numbers, and various health care information.
  • Blue Cross and Blue Shield of Kansas (BlueKC) notified upwards of 790,000 members that it had been the victim of a data breach.
  • Attackers stole personal information for around 21,000 Blue Shield of California customers.
  • Kaiser Permanente suffered a breach of its ultrasound machines affecting 1,100 patients.
  • 21st Century Oncology had to alert customers that approximately attackers had compromised 2.2 million current and former patients records.
  • Criminals breached information for around 13,000 Medicaid clients enrolled in Louisiana Healthcare Connection.
  • Kreck Hospital and Norris Comprehensive Cancer Center of USC fell victim to a ransomware attack — another trend in attacks to medical institutions we saw gain traction in 2015.
  • Attackers successfully breached a third-party vendor used by Massachusetts General Hospital, compromising data for over 4,300 patients.
Government data

Information retained by the government is extremely sensitive. It oftentimes includes personally identifiable information such as social security numbers, driver’s license data, birthdates, addresses, names. Voter information was a trending target in 2016. Check out these government breaches:

  • Attackers compromised L2 Political, a CouchDB database responsible for 154 million voter records. The L2 database contained the full names, addresses, ages, phone numbers, income, ethnicity, gender, political affiliation, and voting frequency of 154 million American citizens.
  • The entire voter database of Mexican citizens, involving 93.4 million records.
  • The state of Louisiana was particularly hard hit. They lost nearly three million voter records, 50,000 city police records from the city of Baton Rouge, and another quarter million records from the state’s DMV.
  • The entire database of the Philippines’ Commission on Elections (COMELEC) leaving 55 million people at risk.
  • The personal records of over two million registered Republicans in the Iowan voter database.
  • A hack of the Turkish citizen database that just recently posted more than 43 million records for sale online.
  • The IRS was also the victim of an automated attack involving approximately 464,000 unauthorized Social Security numbers, of which about a quarter were able to compromise the e-filing PIN application. This is an addition to a breach of around 390,000 additional taxpayers whose information may have been stolen in the previously reported IRS “Get Transcript” breach in May 2015, bringing the total according to the latest updated reports to almost 790,000 people in that breach.
Point-of-sale attacks

In 2016, criminals used point-of-sale (POS) attacks as a means to obtain credit card information. These attacks involve installing malware onto those credit card readers used in checkout lines everywhere. While the most famous of these was the 2014 breach on Target stores, we saw no shortage of this attack-type in 2016:

  • Wendy’s announced that over 1,025 of its locations were affected by malicious credit card breach.
  • CiCi’s Pizza confirmed that attackers gained access to its point-of-sale systems in 138 of its stores.
  • Omni Hotels also suffered a data breach of its POS systems. Malicious authors were able to obtain access to guests’ names and credit card information.
  • The Hard Rock Hotel & Casino also issued a statement regarding signs of “card scraping” malware in its POS systems, which was able to compromise cardholder names, numbers, expiration dates, and internal verification codes.
  • Eddie Bauer confirmed a breach of its POS systems at all of its over 350 outlets in North America.
  • HEI Hotels reported a breach to its systems, impacting 20 locations, including the Starwood, Marriott, Hyatt, and Intercontinental hotels.
How companies reacted and what the future will look like

Regardless of the number or type of breaches, organizations are not doing a particularly good job of notifying the people whose records were stolen. Sixty-five percent of data breach victims are alerted by the company within the first month, which means that 35 percent don’t get notified early enough to take precautionary measures, according to an identity theft survey from Lookout.

Unfortunately, only a quarter of all respondents feel confident in knowing what to do if they are a victim of a data breach.

This is why solutions like the Lookout Personal app for iOS and Android are so important. Lookout gives Premium customers access to Breach Report which provides timely alerts whenever an app, company, or service you use has been breached. The Premium Plus package offers identity theft protection, which includes Identity Monitoring, 24/7 Identity Restoration Assistance and $1M Identity Theft Insurance.

Individuals can sign up to get alerts in case any of their personal data is leaked online and breach notifications if any of their services are compromised.

Screen Shot 2016-11-14 at 11.50.47 AM

Leave a comment