Worst customer data breaches of 2014

The Sony breach is making headlines, but this type of corporate espionage doesn’t directly harm consumers.

122914 breaches 1
Worst data breaches

Here are 10 of the worst breaches this year in which consumer information was compromised. We put these in order of the number of people affected.

RELATED: See a list of all of Network World's stories looking back at 2014

122914 breaches 2
CurrentC

Breach announced: October 28

If you’re launching a mobile payment system aimed at competing with Apple Pay and Google Wallet, it’s probably not a good thing to have a breach even before the system has launched. But people who signed up to try an early pilot version of the CurrentC mobile payment app were alerted in an email sent by the company behind it (the Merchants Consumer Exchange) that hackers may have acquired their email addresses. MCX wouldn’t say how many customers were affected, but the Android version of the app has been downloaded by 5,000-to-10,000 probable users. The iTunes store doesn’t list the number of downloads of apps, but there are over 3,500 user ratings.

122914 breaches 3
Yahoo Mail


Breach announced: January 30

In what Yahoo described as a ``coordinated effort,’’ hackers gained login access to an undisclosed number of Yahoo Mail accounts. The company claimed that the hackers did not steal a list of Yahoo email addresses with corresponding passwords from Yahoo’s own systems but “likely” from a third-party database that was compromised. Number of customers affected: Yahoo didn’t provide a number, but according to comScore, there were 298 million users of Yahoo Mail as of May 2012.

122914 breaches 4
AOL Mail

Breach announced: April 28

Hello -- You’ve got spoofed mail! Investigating a significant increase in the amount of spam being sent from spoofed AOL Mail email addresses, AOL concluded that someone gained unauthorized access to a “significant number” of user accounts. (The company didn’t explain how this could have occurred.) This apparently allowed the intruder to use the email contacts list of breached accounts to send spoofed spam emails. Number of customers affected: About 480,000? AOL said “roughly 2%” of AOL Mail accounts were compromised.

122914 breaches 5
Oregon Employment Department

Breach announced: October 14

Looking for a job can be stressful enough, without having your identity stolen. That’s what possibly happened when the WorkSource Oregon Management Information System was attacked, exposing addresses, birth dates, Social Security numbers, and other typical personal information one provides when filling out job applications. People with records on the site that were compromised were sent letters advising how to protect themselves from identity theft. The breach became known when the Oregon Employment Department received an anonymous tip. Number of customers affected: 851,322 job seekers.

122914 breaches 6
Staples

Breach announced: December 19

That was easy. Customer payment card info was stolen from 115 Staples stores throughout the U.S. Malware was found to have been installed on point-of-sale machines at the affected stores, which would have allowed probable outside access to cardholder names, card numbers, card expiration dates, and card verification codes from July to September. Number of customers affected: 1.16 million payment cards. Staples is offering free identity theft protection services to anyone using a card at one of their 115 stores that had the malware.

122914 breaches 7
Community Health Systems

Breach announced: August 18

Chinese hackers were suspected in the April and June cyber attacks that stole personal information of patients from one of the largest hospital networks in the U.S., Community Health Systems, which comprises 206 hospitals across 29 states. Patient names, addresses, phone numbers, birth dates, and Social Security numbers were taken. But credit card numbers were untouched, as well as data regarding medical devices.

Number of customers affected: 4.5 million people, who over the last five years had received services from, or been referred by, doctors affiliated with Community Health Systems.

122914 breaches 8
South Korea

Breach announced: October 14


Nearly 80 percent of South Koreans had their national ID number stolen from the nation’s citizen identity number database by hackers. Under the current system, these ID numbers cannot be changed after they are issued: Their digits indicate a citizen’s birth date, sex, and where they are from. The ID numbers are required to do almost anything in the South Korean economy, from opening a bank account to shopping online. The breach was so dire that the whole system will likely need to be overhauled and each citizen given a new ID number, at an estimated cost of up to $1 billion. Number of customers affected: 40 million.


122914 breaches 9
Home Depot

Breach announced: September 2


Hackers deployed malware -- a variant that hit the in-store payment systems of Target in 2013 -- to steal credit and debit card numbers that were used to buy things at Home Depot stores from April to September. The good news, at least, is that debit card PINs were not compromised. Home Depot is offering free credit monitoring and identity protection to those who used a credit or debit card at one of their stores since April 2014. Number of customers affected: 56 million payment cards. 53 million customer email addresses were also pilfered.

122914 breaches 10
JPMorgan

Breach announced: October 2


In an SEC filing, JPMorgan revealed that it had been a victim of a breach in which customer names, addresses, phone numbers, and email addresses had been taken. The attack affected anyone who visited Chase.com or used the Chase mobile app. Chase account numbers, passwords, user IDs, birth dates, and Social Security numbers were not compromised, said the company. The attack began in June, exploiting a flaw in one of the company’s websites, and investigators believed it originated from Russia. Number of customers affected: 76 million households, and 7 million small businesses.

122914 breaches 11
eBay

Breach announced: May 21

The online auction site announced that from late February to early March hackers used an eBay employee’s login credentials to attack their database and access encrypted user passwords. Thus, everyone with an eBay account had to change their passwords. No user accounts on the company’s online payment service, PayPal, were compromised, since PayPal data is stored on a separate network. Number of customers affected: All 152.3 million users of eBay.