We used 1 million records exposed as our floor in creating this list. Starting with a number that big says a lot about the state of data security.
The Identity Theft Resource Center found 85,611,528 records exposed last year in the 783 breaches. The list unfortunately just seems to grow with every update. 2015 is proving to be no different with the Anthem and Premera breaches occurring. But before we move on to this year's compromises, here are the greatest number of records breached from lowest to highest from 2014.
JPMorgan Chase (JPMC) updated investors about their disclosed data breach in an 8-K filing with the Securities and Exchange Commission. The 8-K report says that user contact information, including names, addresses, phone numbers, and email addresses, as well as internal JPMC information relating to such users was compromised.
Department of Public Health and Human Services - Montana
Hackers of unknown origin gained access to a computer server tied to the Montana Department of Public Health and Human Services, exposing sensitive or confidential information of current and former medical patients, health agency employees and contractors, according to Reuters.
Neiman Marcus was unaware attackers had harvested payment card details until six weeks after the activity had ended, when its merchant processor zeroed in on a fraudulent spending pattern. Neiman Marcus characterized the malware involved as "complex" and described in part how it collected card details despite security measures that the retailer says exceeded industry recommendations.
Staples, one of the nation's largest office supply retailers, said that at least 1.16 million credit and debit cards were impacted after POS malware infected systems at 115 stores nationwide.
Taxpayer and other SBU information may be at risk due to a lack of background investigation requirements in five contracts for courier, printing, document recovery, and sign language interpreter services, according to audit reports.
Texas Health and Human Services (Xerox)
A report at the time said: Xerox, a company that worked on the Texas Medicaid program, may still have files that contain information about 2 million current and former Medicaid clients. The company is being sued by the state and has refused to return the files.
Sitesearch Corp., LeapLab LLC; Leads Company LLC
Security researcher Brian Krebs reported: “The Federal Trade Commission announced this week it is suing a consumer data broker that sold payday loan application data to scammers who used the information to pull money out of consumer bank accounts. The scam brings to mind an underground identity theft service I wrote about in 2012 that was gathering its data from a network of payday loan sites.”
CEO Chuck Rubinsaid said "it is in the best interest of our customers to alert them to this potential issue" so they can scan payment card statements for unauthorized charges, according to the statement.
Community Health Systems / Tennova / Complete Heal
The company said that in April and June of 2014, attackers believed to be from China (a determination made by Mandiant after CHS hired them to do clean-up), compromised 4.5 million records. The records contained information related to people who had been referred to or received services from CHS over the last five years. The compromised records included valuable personal data such as names, addresses, birth dates, phone numbers, and Social Security Numbers.
Home Depot released an update on the status of their breach investigation. The update didn't include many details, but the retailer did confirm that the incident impacted 56 million customers, making their breach larger than the incident at Target.
In a statement Home Depot said that the company's investigation, with includes elements of the US Secret Service, Symantec, and their own internal teams, has determined that "unique, custom-built malware" was used in order to help the criminals evade detection. That investigators are calling the malware new puts to rest speculation that said it was related to BlackPOS, the malware used during the Target breach.