The biggest data breaches of 2014 (so far)

Hackers, mistakes, bad security and stupidity are putting your data at risk like never before

In the battle to keep your personal information private, it's not just hackers you have to worry about but lax security and stupidity.

A survey of data breaches in the first six months of this year shows an increasing number of incidents in which data, including names and addresses, credit card and Social Security numbers, and medical records was lost to criminals or exposed.

In many of the cases, the breaches were put down to poor data security practices or simple errors: like St. Vincent Breast Center in Indianapolis sending 63,000 letters containing information on upcoming appointments to the wrong people, or Stanford Federal Credit Union accidentally attaching a file with information on 18,000 customers to an email, or the thousands of paper medical records dumped at a public incineration site in York, Pennsylvania.

In other cases, laptops or thumb drives containing information were stolen -- in some cases with apparently nothing more than the login password to protect the data.

One of the biggest such cases involving laptop theft occurred at the Torrance, California, office of Sutherland Healthcare Solutions, which lost eight laptops in a February break-in. The laptops contained medical information on almost 400,000 people in California, and their theft has sparked lawsuits.

According to the Identity Theft Resource Center, there have already been 395 data breaches in the U.S. this year that have been reported to regulators or covered by media outlets, a 21 percent increase over the same period last year.

Here are the top five data breaches of the first half of 2014, with an extra entry for eBay. That breach appears to be one of the largest yet, but the exact extent of the problem has not yet been divulged by the company, so it's difficult to quantify how big it actually was.


The online retailer suffered one of the biggest data breaches yet reported by an online retailer. Attackers compromised a "small number of employee log-in credentials" between late February and early March to gain access to the company's network and, through it, compromised a database that contained customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. The breach is thought to have affected the majority of the company's 145 million members, and many were asked to change their passwords as a result.

Michaels Stores

The point-of-sale systems at 54 Michaels and Aaron Brothers stores "were attacked by criminals using highly sophisticated malware" between May 2013 and January 2014. The company said up to 2.6 million payment card numbers and expiration dates at Michaels stores and 400,000 at Aaron Brothers could have been obtained in the attack. The company received confirmation of at least some fraudulent use.

Montana Department of Public Health and Human Services

Triggered by suspicious activity, officials conducted an investigation in mid-May that led to the conclusion that a server at the Montana Department of Public Health and Human Services had been hacked. The server held names, addresses, dates of birth and Social Security numbers on roughly 1.3 million people, although the department said it has "no reason to believe that any information contained on the server has been used improperly or even accessed."

Variable Annuity Life Insurance Co.

A former financial adviser at the company was found in possession of a thumb drive that contained details on 774,723 of the company's customers. The drive was provided to the company by law enforcement as the result of a search warrant served on the former adviser. The thumb drive included full or partial Social Security numbers, but the insurance company said it didn't believe any of the data had been used to access customer accounts. It's not the first time the company has lost data on a thumb drive. In 2006, it wrapped up a lawsuit against a former financial adviser for downloading "confidential customer information" onto "a portable flash drive."


A 17-month-long "criminal attack" on the Texas wine retailer's network resulted in the loss of information of as many as 550,000 customers. The intrusion began in October 2012 and affected 34 of the company's stores across the state. It continued until as late as March 20 this year, and the company fears hackers got away with customer names, debit or credit card details, card expiration dates, card security codes, bank account information from checks and possibly driver's license numbers.

St. Joseph Health System

A server at the Texas health care provider was attacked between Dec. 16 and 18 last year. It contained "approximately 405,000 former and current patients', employees' and some employees' beneficiaries' information." This included names, Social Security numbers, dates of birth, medical information and, in some cases, addresses and bank account information. As with many other hacks, an investigation wasn't able to determine if the data was accessed or stolen.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags Michaels StoresVariable Annuity Life Insurance CosecurityStanford Federal Credit UnionMontana Department of Public Health and Human Servicesdata breachebaySpec'sSutherland Healthcare SolutionsSt. Vincent Breast CenterSt. Joseph Health System

More about eBayIDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Martyn Williams

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts