Some of the biggest acts of mass theft and fraud come in the form of data breaches – we’ll take a look at the 10 biggest in U.S. history.
In the credit and debit card world, nothing grabs headlines quite the way a major data breach does. Not only does it strike fear and legitimate concern in the heart of average everyday card users, but stories with major corporate negligence always make for a big media splash.
Let’s take a look at the 10 largest credit card breaches in history, sorted by the amount of personal credit records compromised (with a special thanks to Elizabeth Palmero at Tom’s Guide who initially put this list together). We’ll cover the amount of personal accounts that were exposed (which are all approximations), but note that this doesn’t necessarily correlate into the amount of credit and debit cards leaked. It may also refer to personally identifiable information (PII) such as names, email addresses, phone numbers, etc.
Heartland Payment Systems (130 million accounts)
Occurring in 2008 (but not announced by Heartland until 2009), this is one of the earliest big data breaches to occur and is still the largest breach to hit an American company. It’s even made all that more remarkable when you consider that A) it was largely the work of a singular hacker, Albert Gonzales, and B) Heartland wasn’t even the sole company targeted in the hack and resulting breach. In addition, Hannaford Brothers had 4.6 million card numbers stolen, and J.C. Penny and Target both had an undisclosed number of cards stolen – but all pale in comparison to the approximately 130 million Gonzales was able to grift from Heartland. He was sentenced to 20 years in prison for the breach.
Target (110 million accounts)
After having their physical point of sale card readers infected and manipulated, hackers were able to get their hands on 40 million credit and debit card numbers from Target – the nation’s second largest retailer. Target later had to make the painful announcement that the amount of consumer accounts exposed had increased from 40 to 70 million. Due to their system, hey had no way of knowing how many of the 70 million accounts that contained PII overlapped with the initial 40 million credit and debit card accounts compromised – the total number accounts therefore could be as high as 110 million, or as low as 70. Either way, it constituted a big breach and a major financial and PR disaster for Target.
Sony Online (102 million accounts)
Those who follow the cyber security space know that video games – both the companies that develop and publish them as well as the gamers who play them – are rife with cybercrime, hacking, and DDoS attacks. A band of unknown hackers (who have yet to be identified, much less caught) were able to work their way into Sony’s online platform, the PlayStation Network (PSN), as well as Sony Online Entertainment (SOE), a company which is the backbone and host for many popular online games. While first reported as only the login information of 78 million PSN gamers, approximately 24 million more were later discovered when SOE was discovered to have also been hacked/breached. An undisclosed number of credit cards were included in the breach.
National Archive Records Administration (76 million accounts)
While having and implementing all the best fire walls, end-to-end encryption, passwords, and other forms of cybercrime defenses are great, you still have to employ individuals on the inside of your business and network who know which keys to turn to access confidential information. And as the National Archive Records Administration (NARA) found out in 2009, sometimes the biggest threat to your company’s security can often come from within. The independent agency of the U.S. Federal Government in charge of preserving historical and governmental records noticed that one of their external hard drives was faulty. After attempts to fix it failed, the agency sent it out to be scrapped rather than have it be destroyed on site. The only problem? NARA was unclear whether or not the drive was actually ever destroyed, along with the records of 76 million American Veterans. NARA thankfully updated their policies regarding hard drive retirement moving forward, and even offered free credit monitoring services to anyone that may have been affected by the leak.
Anthem (80 million accounts)
This breach, the most recent on our entire list (both this Part 1 and the upcoming Part 2), didn’t approach the Target breach in terms of the sheer number of accounts compromised. But as the second largest health care provider in the country, it instilled the same level of consumer fear and lost trust as Target – if our major retail outlets and health care providers aren’t safe from hackers and breaches, is anything? The result of what Anthem called a “sophisticated attack” turned out to be anything but – vast amounts of data were left un-encrypted, and high-level IT access credentials were stolen from likely phishing schemes. Approximately 80 million current and former Anthem members’ data was exposed.
Note: We’ll cover the next batch of five, breaches 6-10, in our next blog article. Stay tuned to the Valued Merchant Services blog for future updates. And as a closing note, we take security extremely seriously here at Valued Merchant Services. In addition to providing top of the line processing solutions for your business, we also deliver peace of mind – click here to learn more about us and our service offerings.