12 Biggest Data Breaches of the Last 12 Months

Recent security breaches prove that regardless of the technology you have in place, if you are targeted by cyber-attackers — whether through social engineering, a phishing attack or an employee opening a malicious file on the company network — they will penetrate your defenses and steal whatever data they choose. Smart organizations are evolving their approach from a perimeter defense to a more a multi-layered, risk-based security approach, but in the meantime it seems as if most organizations are vulnerable.

As early as last week, the California Division of Motor Vehicles reported a potential credit card data breach. Former Washington Post journalist Brian Krebs, in his column, “Krebs on Security,” reports that these breaches were relative to online transactions that occurred on their website between August 2013 and January 2014 and could possibly affect the more than 11.9 million credit card transactions. There is also fear that that additional data such as driver’s licenses, Social Security numbers, email and physical addresses could have been stolen as well.

Although officially no breach has been detected there, the DMV is performing a full forensic investigation and has reported a possible breach to banks and other related financial institutes.

Last month, the University of Maryland reported a data breach that affected anyone who has had a campus ID since 1998. That’s 16 years of records that included Social Security numbers, date of birth and the University ID number putting nearly 300,000 staffers, students and employees at risk.

Four weeks later, University of Maryland CIO, Ann Wylie reported yet another cyber-intrusion, which brought in the FBI and Secret Service to work with the university’s IT security staff. This attack netted the personal data of only a single senior university official, according to Wylie.

In late February 2014, Sally’s Beauty Holdings noticed unusual network activity. Using an intrusion detection technology from Tripwire, which sends alerts when key system files are modified, Sally’s IT security were notified and shut down all external communication and began the investigation. Shortly thereafter they contacted Verizon’s cybersecurity and forensics teams.

Sally Beauty originally reported that no credit card or personal data had been stolen, but experts weren’t so sure. Then earlier this month, Sally Beauty announced that there had, in fact, been data loss of roughly 25,000 records. These stolen records contained credit card data, according to reports.

Late last year, retail giant Target reported a data breach that included personal data, credit card data and encrypted PIN numbers from debit cards from more than 70 million consumers. In one of the largest data breaches in history, attackers installed malicious software on point of sale (POS) devices in Target’s checkout lines.

In an effort to help soothe its customer base, Target has have assured users that they will not be held liable for any charges resulting from this data breach and are offering free credit monitoring and identity theft protection.

On the heels of Target’s breach came Neiman Marcus’s announcement that more than 1.1 million credit and debit card numbers may have been compromised from mid-July to late October 2013. It was reported that cybercriminals infiltrated and infected terminals at Neiman Marcus stores using the same methods as the Target data breach. Neiman Marcus doesn’t use PIN pads, so it appears as though no PIN data was stolen, but rather only track data from the credit card’s magnetic strips.

Neiman Marcus is trying to repair its image by offering a year of free credit monitoring and identity-theft protection to anyone compromised in this data breach.

Last July, Apple’s developer site, where users can find tools and resources for programming Apple products, fell victim to cybercriminals and was taken offline for three days. Apple is reporting that it is possible that paid users accounts may have been compromised in the attack. Here is a quote from the email delivered to Apple community developers:

“An intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed.”

Last October, Adobe announced that nearly three million customer credit card records and login data for an undetermined number of Adobe user accounts were impacted by an attack. According to some media outlets, 38 million users were affected by the cyberattack. Credit card data appears to have been encrypted, making it more difficult for criminals to exploit. Along with user data, Adobe reported that source code for Photoshop was also part of the data heist.

Adobe has offered one free year of credit monitoring to those users who encrypted credit card data was stolen.

Last September, Bloomberg reported that Vodafone suffered a data breach that could affect two million customers. The company later revealed that the attacker was an insider with intimate knowledge of their IT infrastructure. Deep inside its systems, the insider was able to grab what Vodafone refers to as a “Master Data” with details on more than two million users.

Cyberattackers got away with customer names, customer addresses, date of birth and partial bank account data. No credit card data, mobile passwords or PINs were reportedly taken in the breach. Vodafone identified the unspecified individual and, according to reports, Vodafone has filed charges.

Last June, the U.S. suffered what is regarded as one of worst leaks of classified material in its history. Booz Allen Hamilton IT contractor and infrastructure analyst Edward Snowden had access to and leaked classified materials to media outlets. Since then he has released details of unwarranted NSA hacking of friends and foe alike, the fallout damaging U.S. relations abroad and putting a spotlight on current security issues facing the U.S.

Some hail Snowden as a whistleblower while others consider him treasonous. Since June he has been on the run and reportedly living in Russia.

While Evernote was not directly hacked, its customers were impacted as a part of the Adobe data breach. Vigilant workers at Evernote analyzed leaked data from the Adobe breach (it was reported that Facebook did as well) and came to the conclusion that many of its customers had mirrored the username and login of their Adobe accounts. Its users were required only to reset their passwords, but that’s 50 million people who had to reset their password.

Ubuntu Forums, a volunteer, developer-centric website that focuses on the Ubuntu Linux distribution, reported a massive data breach in July 2013. Hackers were able to obtain encrypted passwords, email addresses and usernames of the site’s community that consists of approximately 1.8 million users. Hackers also defaced the homepage of the site with an image of a machine gun carrying penguin and the Twitter handle @sputn1k_.

Last April, daily deal website Living Social was the target of a massive data breach that affected 50 million people. Personal information that attackers stole included names, emails, date of birth and encrypted passwords. All of the Washington D.C.-based companies registered users were asked to reset their passwords.

Judging the severity or visualizing the scope of data breaches can be difficult, but thanks to the team at Information is Beautiful you can get a glimpse of how many organizations were attacked, the method of attack, how sensitive the data was and how many people were affected by looking at its chronological bubble chart.