The Identity Theft Resource Center has been working to empower breach victims with the resources and tools to resolve their cases since 1999. That includes helping people proactively reduce their risk of becoming a victim of identity theft, especially after they were impacted by a data breach. Since 2005, the ITRC has recorded over 10,000 publicly notified breaches. Here is a look at five watershed moments that created systemic change for consumers.
In 2017, 148.8 million people were affected by this impactful data breach that through the Freedom from Equifax Exploitation Act led to credit freezes being free and regulation changes as noted in ITRC’s “Equifax One Year Later Aftermath Report.” On July 22, 2019, Equifax reached a $700 million settlement with the Federal Trade Commission (FTC) where Equifax agreed to spend up to $425 million to help victims of the breach. And it’s changing the standard of proof for settlements – shifting the onus from the entity that was breached to the consumer having to prove that they were impacted. Because of Equifax, we’re still seeing people push for data breach law reform.
During the busy holiday season in 2013, Target was hit by a data breach that exposed the credit card data of 40 million people and the personal information of 70 million, upsetting lawmakers. This breach made customers uneasy about using payment cards and was a catalyst for pushing forward the adoption of chip card technology. It also created a greater understanding of the need for authentication options. Consumers are now more acutely aware of their transactional engagements with retailers and how their financial information could be a gateway to other types of compromise.
In 2015, Anthem suffered a large consumer data breach that impacted nearly 80 million people. The information compromised included names, birthdates, Social Security numbers, addresses, phone numbers, email addresses and employment data that could have included income information. Minors who were on their parent’s health plans were affected, which is particularly troubling due to the long shelf-life of the static data (SSNs) that was compromised. In 2018, Anthem agreed to take corrective actions and pay the U.S. Department of Health and Human Services, Office for Civil Rights $16 million to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. In order to place a claim for the settlement, victims needed to provide proper documentation for out-of-pocket costs. The Anthem breach is considered to be the largest health data breach and the largest HIPAA settlement in the United States.
Over 21 million people were affected by the second Office of Personal Management (OPM) impactful data breach, which occurred in 2016. Investigators determined that 19.7 million applicants for security clearances had their Social Security numbers and other personal information stolen – including biometric and protected health information. Not only did it impact those that were under OPM’s jurisdiction, but it also impacted those that were dependents as well. It was a sophisticated, large-scale hacking event that resulted in the creation of the National Background Investigations Bureau (NBIB).
ChoicePoint was part of a large impactful data breach in 2005 that led to the personal information of at least 163,000 Americans being sold to a crime ring. Fraudsters, posing as customers of the company, gained access to the company’s background check database – giving them the ability to mine sensitive personal information for nefarious purposes. In 2008, ChoicePoint agreed to pay $10 million to settle a class-action lawsuit. Since the breach, Senators have proposed a law to regulate the data broker industry called the “Data Broker Accountability and Transparency Act.”
Bonus Breach: U.S. Department of Veteran Affairs
This 2006 data breach affected 26.5 million veterans, spouses, active-duty military personnel and reserve military personnel. It led to the acknowledgment of many vulnerabilities in the VA. It also heightened awareness of the importance of protecting computer equipment containing personally identifiable information and responding to effectively to a breach that poses privacy risks. Lessons learned included rapid notification of key government officials being critical, a core group of senior officials being designated to make all decisions regarding an agency’s response and determining when to offer credit monitoring to affected individuals requires risk-based management solutions.
As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both as consumers and business – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the top retail breaches since 2005. To stay up to date on the latest news in identity theft and data breaches, sign-up for our newsletters.
You might also like…