Five men were indicted last week in the largest credit card hacking scheme in U.S. history, resulting in more than $300 million in losses and a data breach of more than 160 million credit and debit cards since 2005.
The four Russian nationals and one Ukrainian man targeted major American and international corporations, hacking into computer networks to steal credit and debit account numbers, as well as personal identifying information and more. They would then sell the data, from companies including JC Penney, Nasdaq, Dow Jones, JetBlue, Wet Seal, 7-Eleven and more.
While this may be the biggest hacking scheme in American history, there have been plenty of data breaches this year alone. Here’s a recap of Social Security number snafus, credit card slip-ups and personal information problems in the first half of 2013:
NYC Citi Bike
This rapidly-growing New York City bike sharing program, the largest in the U.S., began just two months ago. But Citi Bike’s beginnings were plagued with issues, including a software glitch that resulted in a data breach more than a month before it even launched. Credit card numbers, security codes, contact information, account passwords and other data for 1,174 individuals who had already signed up were accessible via the company’s website in April. NYC Bike Share, the operator of the program, hired a security firm to investigate the breach and offered those affected free credit and identity theft protection services.
University of Virginia, Aetna Health Care
In July, 18,700 students at the University of Virginia received a brochure from Aetna Health Care with a peculiar address label. A third-party mail vendor had unintentionally printed each student’s Social Security number on their mailing, making for a data breach in plain sight. Having dealt with several data breaches in the past, the university notified students and offered free credit monitoring services to those affected.
In April 2011, Citigroup discovered that they had accidentally exposed the Social Security numbers, birth dates and other sensitive data of approximately 146,000 customers who had filed for bankruptcy between 2007 and 2011. The bank failed to redact personal information on court records prior to filing them on the government-operated legal document system. Earlier this month, an independent auditor verified that they’ve fulfilled the terms of their settlement with the Justice Department by redacting the information at Citigroup’s expense, notifying customers and offering a year of free credit monitoring to those affected.
Morningstar Document Research, an investment-research firm and global database, revealed in an early July 2013 filing that they accidentally leaked personal details of about 2,300 users in April 2012. Names, addresses, email addresses, passwords and credit card details were compromised, and the account details (email addresses and user-generated passwords) for another 182,000 users were also revealed. The company informed users of the breach in its July 2013 monthly filing, saying financial damage was minimal and recommending that users monitor their credit accounts.
University of South Carolina
In June, the University of South Carolina notified 6,300 students that their personal information may have been on a laptop that was stolen from a locked physics classroom in late April. The password-protected laptop contained the names and Social Security numbers of students enrolled in physics courses beginning in January 2010, and this breach is the seventh that the university has faced in the same number of years. These breaches have exposed the data of 87,000 students and employees. As a result, USC is establishing new security programming in a six-year, $75 million software overhaul, nearly doubling their cyber security staff, and transitioning to identification numbers in place of Social Security numbers.
Florida State University
Beginning in late May of this year, personal information from about 47,000 participants in a teacher preparation program at Florida State University was publicly accessible for two weeks. As the university’s Florida Center for Interactive Media transferred information like students’ home addresses and Social Security numbers to a new server, viewing restrictions were not reinstated and the information was compromised.
Though the information may have been accessed by unauthorized users, the Department of Education said in a statement that there was no evidence it was misused, and Florida’s Education Commissioner Tony Bennett ordered a data review in response to the breach.
Kmart in Little Rock
In March, a robber held a Kmart assistant manager at gunpoint, demanding money from the safe and fleeing with more than $6,000. But the money wasn’t all he got away with, as he also stole an electronic backup disk with 788 patient records, including names, prescription information, birth dates and some Social Security numbers. Kmart sent letters notifying affected customers in April, though no arrests have been made related to the case.
Schnuck Markets, Inc. – St. Louis
From December 2012 through March 2013, an estimated 2.4 million credit and debit cards were compromised at the St. Louis-based grocery store chain, hacked through a magnetic strip swiping security breach. The breach resulted in a class action lawsuit filed against the chain, for damages related to managing the compromised information, and alleging that Schnuck Markets, Inc. was negligent and failed to properly inform customers of the mishap. However, the Missouri Attorney General stated in July that the company was not at fault, but rather the victim of a hacking scheme.
Kirkwood Community College
In March of this year, hackers from an international IP address accessed Kirkwood Community College’s database and stole personal data and application information from the Iowa institution’s archives. Information including names, birth dates, race, contact information and Social Security numbers for about 125,000 people was accessed. Anyone who applied to take college-credit courses from February 2005 through the breach could have been affected, and in response, the college offered personal identity theft assistance to victims.
While these incidents are a far cry from the massive hacking of 160 million credit and debit cards, they’re still of huge importance to those affected and indicate just how common data breaches really are. These are only a small fraction of some recent incidents, and there will surely be more as hacking technology grows more sophisticated. Since a breach can happen to anyone, the best way to protect yourself is to monitor your credit accounts and credit reports for any fraudulent charges, and alert your bank immediately should anything suspicious pop up.
Image: Lite Productions