As of September 2, there have been 521 data breaches reported in the United States, according to the Identity Theft Resource Center (ITRC). Those breaches have exposed 17.83 million records. Breaches of medical and health care data account for 42.6% of incidents and 38.6% of exposed records.
For all of 2013, the ITRC reported 614 data breaches totaling nearly 92 million exposed records. Of those, 43.8% of the incidents were related to medical and health care data, but just 9.6% (8.8 million) of the exposed records. Backing out the records exposed in the data breach at Target stores, the percentage of medical records exposed rises to around 40%, a figure consistent with breaches reported so far this year.
The attacks that have compromised the most data have affected tens of millions of people and involved hundreds of millions of records. Here are the 10 largest of all time.
10. French gaming company Ubisoft never revealed how many accounts were compromised by an attack in July 2013, but a reasonable estimate is about 68 million user names, addresses and encrypted passwords. Because the company did not store payment data for its gamer customers, no credit/debit card or bank account information was stolen.
9. Target Corp. (NYSE: TGT) was hit late last year with an attack that compromised 70 million customer accounts. Details such as names, email addresses and phone numbers were compromised. Thieves also nabbed 40 million credit/debit card details. Card issuers spent about $240 million issuing new cards to their customers as a result of this breach.
8. Sony Corp.’s (NYSE: SNE) PlayStation Network was hit with an attack in 2011 that brought the company’s gaming network down for more than a month. About 77 million customers were affected as login credentials, names, addresses, phone numbers and email addresses of account holders were exposed. Sony estimated its payout to settle claims related to the data breach at around $170 million.
7. In the largest-ever data loss by the U.S. government, health and discharge records for some 76 million military veterans were compromised in 2005 when the agency that managed the records systems suffered a hard drive failure. The bad drive was returned to the agency’s contractor for repair, where it was declared unrepairable and sent out to be recycled. What happened to the drive after that is unknown, but the agency claims no data was breached. How it reached that conclusion is unknown.
6. AOL Inc. (NYSE: AOL) customers were victimized by a former software engineer at the company who stole 92 million screen names and email addresses and then sold the information to spammers who sent out an estimated 7 billion unsolicited emails. The data were stolen in 2003 before AOL was spun out of Time Warner Inc. The thief was paid $28,000 by the spammers and was not caught and prosecuted until 2005.
5. Some 94 million credit card accounts may have been exposed in a data breach that hit TJX Companies Inc. (NYSE: TJX) in 2005 but was not discovered until 2006. The company, which operates T.J. Maxx and Marshall’s stores, at first said about 46 million accounts could have been affected — just a slight understatement. Visa Inc. (NYSE: V) reported fraudulent use of the account numbers in 13 countries. Albert “Soupnazi” Gonzalez was arrested for the crime and is currently serving a 20-year prison sentence.
4. Heartland Payment Systems Inc. (NYSE: HPY), a credit card payment processor, was the largest of several companies hit in 2009 with an attack that resulted in the loss of 130 million credit card records. Five people were ultimately indicted for the crimes in 2013 — four Russians and one Ukrainian. Three are at large, one is under arrest and the fifth, Vladimir Drinkman, is dodging extradition from Russia.
3. Online auction site eBay Inc. (NASDAQ: EBAY) said in late 2013 that the company had been the target of a hacking attack, but it wasn’t until the spring of this year that the true scope of what had happened was revealed. The email addresses, encrypted passwords, mailing addresses and other personal data for 145 million eBay users had been compromised between February and May. The compromised files did not contain financial information and the company’s PayPal subsidiary was not affected.
2. In October 2013 hackers compromised an estimated 152 million records belonging to customers of Adobe Systems Inc. (NASDAQ: ADBE). Adobe initially reported about 3 million records stolen, including credit card information associated with the accounts. Adobe later upped the total to 38 million, but none of the added 35 million included payment information.
1. The largest hacker attack ever was actually launched against several companies by the Russian hacking group that also hit Heartland. The group is believed to have stolen more than 160 million records from companies like J.C. Penney Co. Inc. (NYSE: JCP), 7-Eleven, Dow Jones, and Nasdaq. Targeted companies lost at least $300 million. Listing this as the largest-ever attack while including the Heartland attack as the fourth largest may appear to be double counting, but this is how most lists of these things keep score.
The list may soon have a new name at the top. An early August report at The Wall Street Journal Digits blog highlights a gang of Russian hackers that has accumulated a hoard of 1.2 billion usernames and passwords, according to Hold Security, a Milwaukee-based computer security firm.