Biggest Privacy Breaches of 2016, so far
Here are some of the recent and biggest data privacy breaches of 2016. Overall, hundreds of millions of records/accounts were compromised, spread across a dozen major companies. It is very important for consumers to understand the privacy practices of companies that they do business with.
Yahoo
September, 2016: In what appears to be the most expansive data breach of all time, Yahoo announced that a hacker had stolen information from a minimum of 500 million accounts in late 2014. It is not clear why Yahoo decided to remain quiet till now. The company believes the hacker is likely to be working on behalf of a foreign government. The stolen data includes e-mail addresses, passwords, full user names, dates of birth, telephone numbers, and in some cases, security questions and answers.
Dropbox
August, 2016: In 2012, Dropbox announced that some of their user accounts were stolen and the company helped a small number of users secure their accounts. At the end of August 2016, however, it was revealed that more than 68 million users had their usernames and passwords compromised in that initial breach. The company prompted all Dropbox users who have not reset their passwords since 2012 to do so.
LinkedIn
May, 2016: Four years ago, 117 million email and password combinations were stolen by hackers, and the data has now popped back up online to haunt LinkedIn. At the time the breach occurred, members who had been affected were told to reset their passwords. The information then became publicly available in May 2016. LinkedIn acted quickly to invalidate passwords of all LinkedIn accounts that were created prior to the 2012 breach. It is not clear who stole the information or published it online, but the company is said to be actively working with law enforcement.
ADP
May, 2016: Payroll giant ADP experienced a breach in May that exposed the payroll, tax and benefits information of nearly 640,000 companies. This is quite significant because each of these companies could potentially have thousands of employees whose information may have been compromised. The breach occurred because of a vulnerability in ADP’s customer portal, the company said, giving hackers access to the W-2 information. One example: U.S. Bancorp (U.S. Bank), the nation’s 5th largest commercial bank, is one of those companies. It warned some of its employees that their W-2 data had been stolen. It appears that over 60,000 US Bank employees were affected. Here is a quote from a letter that was sent:
“The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”
ADP said the hackers already appeared to have access to users’ personal data before accessing the systems, likely from a previous hack. The breach was part of a flurry of W-2 attacks that occurred during this year’s tax season.
Oracle
August, 2016: Oracle’s MICROS POS (point-of-sale) system, used in more than 330,000 cash registers around the world, was the victim of a data breach. A large foreign cybercrime group was likely to blame, and it appears that they had placed malware on company computers and on the MICROS customer support portal to steal usernames and passwords. Many experts also believe the hackers were probably able to plant malware in the MICROS point-of-sale systems and that they could be responsible for major data breaches at retailers around the country.
Centene
January, 2016: The healthcare sector is continuing to see its share of privacy breaches in 2016, following up on a tough 2015. In January, Centene announced that 950,000 members had potentially been impacted by a data breach. The breach was caused by the loss of six hard drives that included personal health information on members who had had lab services between 2009 and 2015. It also included names, addresses, dates of birth, Social Security numbers, ID numbers and other health information, the company said.