Some of the biggest acts of mass theft and fraud come in the form of data breaches – we’ll take a look at the 10 biggest in U.S. history.
In our most recent blog entry, we looked at the five biggest credit card and personal data breaches so far. In this follow-up piece, we examine the rest of the list to round out the full top 10. Here are 6-10, and again, credit goes to Elizabeth Palmero at Tom’s Guide, who compiled the list we are expanding upon. To reiterate: the account counts below do not necessarily correspond to the number of credit and debit cards leaked. They may also refer to personally identifiable information (PII) such as names, email addresses, phone numbers, etc.
Epsilon (60 million accounts)
At the time this breach occurred, many thought it was the biggest ever, and it remains interesting because of the uncertainty about precisely how many accounts were compromised. In 2011, Epsilon, one of the largest email marketing providers, was the victim of a cyberattack in which at least 50 of its approximately 2,500 clients had their customers’ information exposed. The clients were heavy hitters as well, which made the breach all the more high-profile: Capital One, Barclaycard US (a subsidiary of Barclays Bank), TiVo, Disney, JP Morgan, and Citigroup were among the biggest. Epsilon itself was never able to confirm exactly how many accounts were compromised, nor how many had only an email address exposed versus any sort of credit card or financial information. Epsilon put its estimate at 60 million, but a third-party analysis by Privacy Rights Clearinghouse put the possible total as high as 250 million. The practical lesson for the affected customers was that a leaked name-plus-email pairing from a trusted brand is enough to run convincing, targeted phishing, even with no financial data in the haul.
Home Depot (56 million accounts)
This is one of the more notable breaches, not only because of the size of the institution targeted (Home Depot is the largest home improvement retailer in the country), but also because all of the accounts stolen were payment card accounts. The breach was at first only suspected by security researchers and those monitoring credit card fraud patterns around the country; about a week after Brian Krebs published his piece on the matter, Home Depot confirmed that its in-store point-of-sale card readers had been infected with malware, and that anyone who made a credit or debit card purchase at any of its 2,220+ locations between April 2014 and September 2014 stood a good chance of having their card data stolen. All in all, 56 million cards were compromised, making it one of the largest card thefts in history. Home Depot responded by offering affected customers a year of credit monitoring service and by upgrading its card reader technology.
Evernote (over 50 million accounts)
The popular online note-taking service Evernote suffered a major security breach in 2013 in which information on approximately 50 million of its users was stolen: mostly email addresses, usernames and password hashes, but no payment information. Reassuringly for those affected, none of their notes or other content stored with Evernote was taken. The biggest consequence was the flood of spam that hit the affected users’ inboxes. Worst among these were the phishing messages that followed: appearing to come from Evernote and directly referencing the recent breach, they urged users to enter their credentials to reset their passwords, when in fact the goal was to harvest even more data. The check that defeats this kind of follow-on attack is simple: a legitimate forced reset never needs your current password typed into a page reached from an emailed link, so go to the service by typing its address yourself rather than clicking through.
Living Social (over 50 million accounts)
This is another breach in which no payment card information was stolen, but, as Ars Technica put it, it was still “graver than you may think”. In 2013, LivingSocial, a daily-deals site that lets users buy discounted goods and activities specific to their city, was attacked, and data for about 50 million accounts (names, email addresses, dates of birth and password hashes) was stolen. Even though the users’ passwords were hashed, the hashing method, as Ars pointed out, left a lot to be desired: “SHA1, the algorithm used by LivingSocial, is an extremely poor choice for secure password storage. Like MD5 and even the newly adopted SHA3 algorithms, it’s designed to operate quickly and with a minimal amount of computing resources. A far better choice would have been bcrypt, scrypt, or PBKDF2.” The point is that a general-purpose hash lets an attacker who holds the database test billions of guesses per second on commodity GPUs, whereas a purpose-built password hash is deliberately slow and salted, so each guess costs real time and cannot be shared across users. LivingSocial did, thankfully, switch to bcrypt almost immediately after the breach.
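To make the Ars point concrete, here is an added example written for this page (it is not LivingSocial’s code, and nothing below is taken from the breach itself). It stores one password the weak way, as an unsalted SHA-1 digest, and cracks it with a dictionary pass; then it stores the same password with salted PBKDF2-HMAC-SHA256 from Python’s standard library (standing in for bcrypt so no third-party package is needed) and shows why the same attack no longer scales. The wordlist is constructed for the demo, and the iteration count is an assumption to be tuned to your own hardware.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# Constructed stand-in for a leaked-password wordlist; real attacks use
# lists with hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "iloveyou"]


def sha1_store(password: str) -> str:
    """The weak scheme: one unsalted SHA-1 digest per password.

    Fast and salt-free, so a single dictionary pass (or a precomputed
    table) cracks every user who chose the same password.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_crack(stored_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against an unsalted SHA-1 hash."""
    for guess in wordlist:
        if hashlib.sha1(guess.encode("utf-8")).hexdigest() == stored_hex:
            return guess
    return None


# Assumption: an iteration count that makes each guess cost a noticeable
# fraction of a second on a current CPU; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS,
                 salt: Optional[bytes] = None) -> str:
    """The recommended scheme: per-user random salt plus a deliberately slow KDF.

    The record is self-describing (algorithm, iterations, salt, digest) so the
    cost can be raised later without breaking verification of older records.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def cost_ratio(password: str = "letmein", rounds: int = 2000) -> float:
    """Roughly how many SHA-1 guesses an attacker gets for the price of one PBKDF2 guess."""
    t0 = time.perf_counter()
    for _ in range(rounds):
        hashlib.sha1(password.encode("utf-8")).hexdigest()
    sha1_each = (time.perf_counter() - t0) / rounds
    t0 = time.perf_counter()
    pbkdf2_store(password, salt=os.urandom(16))
    pbkdf2_each = time.perf_counter() - t0
    return pbkdf2_each / sha1_each


if __name__ == "__main__":
    weak = sha1_store("letmein")
    print("unsalted SHA-1:", weak, "-> cracked as", sha1_crack(weak, WORDLIST))
    strong = pbkdf2_store("letmein")
    print("PBKDF2 record:", strong)
    print("verify correct password:", pbkdf2_verify("letmein", strong))
    print("verify wrong password:", pbkdf2_verify("hunter2", strong))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f} SHA-1 guesses")
```

Two details matter beyond the slowdown: the random salt means two users with the same password get different records, so an attacker must start over for each account, and `hmac.compare_digest` avoids leaking how many leading bytes of the digest matched through response timing.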
TJX (46 million accounts)
One of the oldest breaches on this list (the intrusion took place in 2006 and was disclosed in 2007), this one also saw a very high number of actual payment card records stolen: about 45.6 million, to be exact. At the time, the TJX breach was the largest of its kind in the world; TJX operates two of the larger retail chains in the United States, T.J. Maxx and Marshalls. It was notable not only for its sheer size but also as one of the first breaches that opened retailers’ eyes to the fact that criminals could target parts of the business other than the point-of-sale machines themselves, as this CNET article illustrates: “In the case of TJX, [Gartner security analyst Avivah] Litan suspects it was a case where attackers gained access through a wireless regional hub for the company’s store controllers that handle the point-of-sale system. From there, the attackers may have been able to work their way into TJX’s central system.” The lasting lesson is that store wireless networks must be treated as untrusted and segmented from the systems that carry cardholder data, so that a foothold at one location cannot be walked back to the central environment.
We take security extremely seriously here at Valued Merchant Services. In addition to providing top of the line processing solutions for your business, we also deliver peace of mind – click here to learn more about us and our service offerings.