data breach image

2015: The Year Of The Breach; Close To 200 Million Personal Records Exposed

2015 went down as the year of the personal data breach. Consumers worldwide are learning their personal information is unsafe with businesses, health insurers, financial institutions, the government, and even the educational sphere. Estimates of the number of personal records exposed in 2015 range from 176 million to 193 million from 730 breaches.

Research indicates hackers are concentrating on medical and healthcare sectors that store patient data that cannot be replicated, like credit card data.

The Identity Theft Resource Center (ITRC) data breach report tracks seven types of data losses: hacking, data on the move, insider theft, employee error and negligence, Internet exposure, -physical theft, and accident. The research tracks four types of information stolen: protected health information, Social Security numbers, email/passwords-user names, and credit/debit card numbers.

According to San Diego, Calif.-based ITRC, health care accounted for 68.1% of all breaches, followed by government/military, 19.4%, business, 9.2%, banking/credit/financial, 2.9%, and educational, 0.4%.

The full extent of the personal information exposed is unknown; in many cases, there were no reports of compromised records, the ITRC report notes.

Health Care Leads All Sectors In Exposed Data

In the health care sector, leading the list in terms of records lost was Anthem customers with 78.8 million, followed by Premera Blue Cross of Washington State, 11 million; Excellus Blue Cross
Blue Shield/Lifetime Healthcare, 10 million; Anthem Inc. – Blue Cross Blue Shield of Indiana, 8.8 million; UCLA Health, 4.2 million; Medical Informatics Engineering/NoMoreClipbo, 3.9 million; CareFirst BlueCross Blue Shield of Maryland, 1.1 million; and Empi Inc/DJO LLC of Minnesota, 160,000.

In the government/military sector, the Office of Personnel Management #2 lost 21.5 million records, followed by the Office of Personnel Management in Washington, D.C., 4.2 million, and Georgia Secretary of State, 6 million.

In the business category,

  • T-Mobile/Experian had 15 million records breached
  • Vtech with 5 million
  • Missing Links Networks Inc./eCellar of California, 250,000
  • SterlingBackcheck, 100,000
  •, 93,000
  • Alfa Specialty Insurance Corp./Alfa Vision Insu, 86,000
  • Firekeepers Casino in Michigan 85,000
  • We End Violence/California State Universities, 79,000
  • Securus Technologies in Texas, 63,000
  • Sally Beauty Holdings, Inc. of Texas, 62.210
  • Service Systems Associates/Zoos of Colorado, 60,000
  • Blue Sky Casino/French Lick Resort of Indiana, 54,624
  • Uber, 50,000
  • Autozone, 49,967

Nobel House Hotel and Resorts – The Commons in Washington State, 19,472.

(The Ashley Madison breach, which exposed an estimated 37 million accounts, was not included in the ITRC report.)

In the banking/credit/financial sector, Scottrade had 4.6 million records exposed, followed by Morgan Stanley, 350,000; Piedmont Advantage Credit Union, 46,000; and E*trade , 31,000.

Auburn University in Alabama topped the list in the education sector with 364,012 records breached, followed by Metropolitan State University in Minnesota, 160,000; and Career Education Corp. in Illinois, 151,6626.

Seven Top Breaches

10Fold, a San Francisco, Calif.-based B2B technology public relations firm, reviewed the ITRC data breach report and some additional information. 10Fold analyzed 720 data breaches and compiled a review of the top seven breaches.

The top seven breaches compromised more than 5 million records. Following is a summary of these seven.


The Anthem breach of 78.8 million patient records in early 2015 marked the most significant breach in history. By the end of February, Anthem reported the breach impacted an additional 8.8 to 18.8 million non-patient records, including names, Social Security numbers, birth dates, employment data, and addresses.

The breach began a series of healthcare hacks, including Premera Blue Cross, UCLA Health Systems, CareFirst BlueCross BlueShield, and Excellus BlueCross BlueShield.

Excellus BlueCross Blue Shield

The attack on the health insurer began in December 2013, following a series of attacks that occurred earlier that year. The breach compromised the personal information of more than 10 million members and left members vulnerable to identity theft and fraud. The information stolen included birth dates, Social Security numbers, names, member ID numbers, claims data, and financial account information.

Premera Blue Cross

The health insurer discovered the attack affecting 11 million members in January of this year after it began in May 2014. Investigators found the attackers infiltrated the information technology
system, enabling them to access the personal information of members and applicants, including Social Security numbers, member identification numbers, birth dates, and bank account information. Members included Microsoft, Starbucks, and Amazon employees.


VTech, the maker of tablets and gadgets for children, had kids’ and parents’ information compromised by the breach of the Kid Connect and Learning Lodge app store customer database. The breach affected 6.4 million kids and 4.9 million parent accounts globally, marking the first attack to target children directly. It exposed personal ID information like passwords, download history, IP addresses, names, and children’s birth dates and genders.


Attackers breached a server in a North American Experian/T-Mobile business unit containing the personal ID information of about 15 million T-Mobile customers. The information included birth dates, names, Social Security numbers, and alternate IDs like driver’s license numbers. One cause of the breach was that T-Mobile shared customer information with Experian to process credit card checks for device or service financing.

Personal data is not always protected when customers share information with a business.

Office of Personnel Management

The attack affected 19.7 million individuals who applied for security clearances, plus 1.8 million relatives and other government personnel associates and 3.6 million former and current employees. The compromised data included 5.6 million fingerprint records that belong to background check applicants.

The breach alarmed intelligence officials about data theft on government forms submitted for security clearance. These applicants shared information about themselves, including health history and prior relationships. Hackers that gain access to information about employees with security clearances can cause irreparable damage to users’ privacy.

Ashley Madison

A hacker group called The Impact Team accessed the website’s user database, including financial and proprietary information of 37 million users. The hackers released a manifesto noting the “full delete” feature on the Ashley Madison website was false and that the company did not remove the personally identifiable customer information for those who wanted it deleted.

The statement instructed Avid Live Media (ALM), the parent company, to permanently delete the forums, or all customer information would be released. The hackers released the customer information records two months later since ALM opted to keep the website running.

Featured image by igorstevanovic from