Home > Identity Theft > 2015: The Year in Data Breaches

Comments 0 Comments

Every year at about this time, technology reporters typically recount the big computer crimes from the past 12 months and proclaim “The Year of the Hacker” or some such moniker. This year, it fits.

Two years ago, the Target hack ushered in a new era of credit card theft awareness and ultimately helped inspire a big change in the way Americans use plastic. But as we all know, theft of credit and debit card information has a limited impact on consumers (fraud liability generally falls to the merchant or financial institution, if reported in a timely fashion).


On the other hand, theft of Social Security numbers, health care data and even fingerprints, by the millions … well, that’s a much bigger big deal. And that’s what U.S. consumers faced in 2015.

Data theft has moved far beyond credit card fraud. Today, millions of Americans have to live with the fact that agents acting allegedly on behalf of a foreign government now hold their SSNs and fingerprints — identity markets that are difficult, if not impossible, to change. And loss of that data makes them vulnerable, potentially, forever. That’s the real story of 2015.

A More Personal Breach

“This year proved once again the breaches have become the third certainty in life because the bad guys have proven they are more persistent, creative and increasingly sophisticated than the good guys,” Adam Levin, co-founder of Credit.com and author of new book, Swiped, which chronicles the extent of the ID theft problem, said. “While consumers, government and business are more aware of the issues, there is still a lack of understanding as to what needs to be done, resistance to allocate the proper resources to do what needs to be done and countless legacy systems that impede our ability to do what needs to be done.”

The Identity Theft Resource Center says there were 750 announced data leaks in 2015, and all tallied, 178 million records were lost or stolen. Also a headline from 2015: hackers’ new focus on healthcare data. Nearly 122 million healthcare records were stolen during 264 reported breaches, the most of any industry, the ITRC says. Government records were the second most commonly stolen — 24 million in 59 leaks. Comparatively speaking, the 5 million records lost in 69 leaks by the financial industry seems small.

The year in hacking got off to a fast start, when health insurance provider Anthem Inc. revealed it had been hacked in early February. Ultimately, the firm said that up to 80 million consumers were impacted. There were plenty of reports blaming China for the attack. While hack “attribution” is often an inexact science and the FBI rarely makes its conclusions public, it wouldn’t be the final allegations against Chinese hackers.

Nor would it be the last major health data hack. A month after Anthem’s announcement, Primera Blue Cross revealed that hackers stole data on 11 million consumers. There were plenty of reports that the same hackers were involved in both incidents, meaning the Chinese government might have been involved, but again, the allegations were denied by China and clear evidence was never made public.

Then, the big one hit.

Hackers Hit Home

In June, the Office of Personnel Management — Uncle Sam’s Human Resources department — revealed it had been hacked and 4 million government employees were at risk. Later, the number was raised to 18 million. Then 21.5 million. And the at-risk pool was expanded to former government workers and potentially anyone who had been used as part of an federal employee background check. Stolen data ranged from Social Security numbers to security clearance information to, in 5.6 million cases, fingerprints. Once again, reports blamed Chinese hackers. Once again, the culprits remain at large.

The hacking incident dominated tech headlines for months, and the federal government is still notifying victims. Meanwhile, all these alleged China-led hacker attacks became a major topic of discussion when President Obama and Chinese President Xi Jinping met in September. The two world leaders announced the U.S. and China wouldn’t attack each other through the Internet, though many security firms are skeptical the announcement had any real impact.

It certainly had little impact on computer criminals trying to gain illegal access to large consumer databases. Only a few weeks later, in October, T-Mobile revealed that its credit check provider Experian had been hacked and 15 million consumers were put at risk.

Meanwhile, big numbers aren’t the only reason consumers should be concerned. Smaller hacks can have a bigger impact, depending on the data that’s been leaked. The IRS “Get Transcript” service was hacked this year, and eventually, the agency had to reveal in August that criminals accessed more than 300,000 taxpayers’ accounts. Given the focused nature of the attack and the precise data stolen – old tax returns – victims are at serious risk for full-blown identity attacks.

Also this summer, password-storing service LastPass announced that criminals had gained access to encrypted passwords belonging to potentially 7 million users. The thieves still faced the uphill battle of cracking the password file’s encryption, so the incident was not quite the disaster it sounded like at first. Still, consumers were told to change master passwords immediately, and were put on notice once again about the fragility of seemingly safe computer systems in the 21st century.

More Big Breaches Ahead?

No doubt, 2016 will bring even more cautionary tales.

“As breaches have become the third certainty in life and the identity theft that flows from them is the new norm, businesses and consumers need to follow the 3Ms: minimize the risk of exposure, monitor and manage the damage,” Levin said. “Business leaders need to shore up their cyber defenses by instituting data segmentation, encryption, employee training on security protocols and penetration testing. Consumers need to remain vigilant and adopt a culture of self-monitoring. They should check their accounts on a daily basis, sign up for transactional monitoring from their bank and use long and strong passwords that don’t repeat across accounts.”

Just about every consumer involved in all these hacks received some kind of free credit monitoring offer. They are always worth accepting, but it’s important to know that credit monitoring can offer only limited protection against identity theft. In the end, consumers are ultimately responsible for discovering ID theft themselves. The best way to do that is regular monitoring of credit reports through AnnualCreditReport.com and use of a free credit score tool like the one provided by Credit.com.

More Money-Saving Reads:

Image: iStock

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team