10 Worst Breaches So Far in 2018

Experts say we are witnessing a record number of personal data records compromised this year.

At 2018’s halfway point, there were 668 breaches representing almost 23 million records exposed, according to reports from the San Diego-based Identity Theft Resource Center and Providence, R.I.-based CyberScout (formerly IDT911).

The number of U.S. data breaches tracked through July 2, 2018 was less than 2017’s half-year high total of 791. However, this year, the approximately 22.5 million reported records exposed so far is almost double the 12.4 million records reported breached last year at this time (which came before Equifax’s 145.5 million exposed records).

Here’s how the breaches broke down by industry category:

What qualifies as a breach? “The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will also capture breaches that do not, by the nature of the incident, trigger data breach notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information.”

In addition, the ITRC reports suggested data breaches are not alike. Security breaches fall into additional sub-categories based on what happened and the type of data exposure. “What they all have in common is they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted,” the report said.

The ITRC currently tracks seven categories of data loss methods: Insider theft, hacking (which includes spear phishing, ransomware and skimming), data on the move, employee error/negligence/improper disposal/lost data, accidental web/internet exposure, physical theft and unauthorized access.

Following the March 2018 reports that data analysis firm Cambridge Analytica reportedly acquired and used Facebook data (at last count, of some 71 million Americans) the ITRC took the extraordinary step of responding to those developments in a press release. “The misuse of millions of Facebook users’ data cannot be classified as a breach one way or another given the lack of specifics currently available.” It did warn consumers about underestimating the value and potential mine-ability of their personal identifying information. Eva Velasquez, president/CEO of the ITRC, said, “Many times, users do not understand that there can be unintended consequences to adding information to their account.”

The ITRC breach list is a compilation of data breaches confirmed by various media sources or notification lists from state governmental agencies. This list, updated daily and published each Tuesday, typically includes incidents that have exposed personal information, including Social Security numbers, financial account information or medical information, which could potentially lead to identity theft.

With no central federal data breach law, states have taken the lead, passing an increasing number of laws that necessitate the protection of citizens’ personally identifiable information and speedy alerts of any breach of privacy. With the last two holdout states, South Dakota and Alabama, recently passing laws governing data breaches, all 50 states (plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands) have passed data breach notification laws.

The following are the worst 2018 U.S. data breaches, at the halfway point, based on ITRC’s list of confirmed, exposed PII records. Every record exposed, whether reported or unknown, represents the disruption and upheaval of an individual somewhere, and the undermining of an organization’s infrastructure.

1. Hudson Bay Company dba Saks Fifth Avenue, Lord & Taylor and Saks OFF 5th: Five million records.

The Toronto, Canada-based corporation that owns the luxury retail chains confirmed a breach had occurred. A ring of cybercriminals used malware planted into the cash register systems to collect customer payment card information, including cardholder names, payment card numbers and expiration dates. The retail company announced the breach on April 1, 2018 and said it began as early as July 1, 2017 before its March 31, 2018 containment.

2. Firebase: 4.05 million records.

The security issue, referred to as the Firebase vulnerability, leaked 100 million records (113 gigabytes) of data from unsecured databases. Analysis of the exposed data revealed 2.6 million plain text passwords and user IDs; more than four million protected health information records (including chat messages and prescription details); 25 million GPS location records; 50,000 financial records including banking, payment and bitcoin transactions; and more than 4.5 million Facebook, LinkedIn, Firebase and corporate data store user tokens.

3. Jason’s Deli: 3.4 million records.

A family food chain with 275 delis in 28 states discovered criminals deployed RAM-scraping malware on several of its point-of-sale terminals at various corporate-owned restaurants starting on June 8, 2017. On Dec. 22, 2017, payment processors notified the deli that a large quantity of its payment card information had appeared for sale on the dark web. The data possibly included cardholder names, credit or debit card numbers, expiration dates, cardholder verification values and service codes.

4. SunTrust Bank: 1.5 million records.

The bank announced in April a former employee may have tried to steal and share data of about 1.5 million customers, including names, addresses, phone numbers and account balances.

5. Orbitz (Expedia subsidiary): 880,000 records.

While investigating a legacy Orbitz travel booking platform, the company uncovered evidence on March 1, 2018 suggesting that, between Oct. 1, 2017 and Dec. 22, 2017, an attacker may have accessed personal information submitted for certain purchases made between Jan. 1, 2016 and June 22, 2016. Personal information likely accessed may have included full names, payment card information, dates of birth, phone numbers, email addresses, physical and/or billing addresses, and genders.

6. FastHealth Corporation: 657,529 records.

On Nov. 2, 2017, the health organization received a report from law enforcement indicating that an unauthorized third party may have accessed or acquired certain information from its databases. It was its second cyberattack that year. The investigation, conducted by an external firm, took almost three months to complete. FastHealth provides website and operational tools and services, including online bill payment.

7. National Stores, Inc.: 609,064 records.

On Dec. 22, 2017, National Stores, which has 350 locations in 22 states and Puerto Rico, received an alert about a malware infection of its point-of-sale systems, possibly exposing customer payment card information including names, card numbers, card expiration dates and security codes.

8. California Department of Developmental Services: 582,000 records.

On Sunday, Feb. 11, 2018, unknown persons broke into the department’s legal and audits offices, ransacked the offices and paper files, vandalized property and started a fire. Some of the paper documents displaced or damaged in the fire included personal information of employees of regional centers and service providers, applicants seeking employment with the department’s audits office and parents of minors enrolled in DDS fee programs.

9. LifeBridge Health/LifeBridge Potomac Professionals: 538,127 records.

On March 18, 2018, the company discovered malware had infected the server that hosts LifeBridge Potomac Professionals’ electronic medical records, and LifeBridge Health’s patient registration and billing systems. The information potentially accessed may include patients’ names, addresses, dates of birth, diagnoses, medications, clinical and treatment information, insurance information, and in some instances Social Security numbers.

10. Florida Virtual School: 368,000 records.

FLVS learned that unauthorized individuals appeared to have gained access to some of its computer systems that stored personal information relating to certain students, parents of students and Leon County Schools’ teachers. This affected information records, including but not limited to students’ names, dates of birth, school account usernames and passwords, and physical school identifications, as well as parents’ names and emails.