State Targets: 5 Major Data Breaches in October 2014

While this month's breaches were severe, they're scarcely visible on this chart next to last month's JPMorgan and Home Depot breaches

In terms of the number of records breached, October was overshadowed by September 2014, which saw 83 million records exposed in the JPMorgan Chase breach and 56 million credit card records exposed in the Home Depot breach. Even so, October saw major attacks on public institutions: state employment departments, universities, and healthcare organizations (along with the malware attacks on point-of-sale systems that we’re becoming all too accustomed to). These breaches serve as a strong reminder that no organization is too small or seemingly insignificant to be the target of a cyberattack.

1. Oregon Employment Department (OED) – 851,322 records exposed

After receiving an anonymous tip, the OED discovered a vulnerability in their web application on which candidates can sign up for job search help. The threat was eliminated and the OED website is back up and running, according to a notification posted on Oregon.gov. The breached personal information included Social Security numbers and other data found on job applications.

2. NeedMyTranscript – almost 100,000 records exposed

The website of NeedMyTranscript, an online portal for exchanging student records, had a vulnerability that exposed the data of almost 100,000 users. The vulnerability was discovered when someone tried to order a transcript and instead received links to almost 100,000 other people’s personal account information, according to the Washington Post.

3. North Dakota State College of Science (NDSCS) – more than 15,000 records exposed

An attacker obtained unauthorized access to NDSCS’s computer systems and stole the personal information of current and former students, NDSCS announced on their website. The malware was discovered on September 1, but NDSCS notified students and set up a hotline to answer questions in October (to allow the investigations to play out first, according to their site). The personal information included Social Security numbers and addresses.

4. Macomb County, Michigan – 6,302 records exposed

In accordance with the HITECH Act requirement that the public must be notified of breaches involving over 500 records, Macomb County sent a press release to local news organizations like the Macomb Daily revealing that the data of over 6,000 of its employees had been exposed. The data of these employees and their dependents had been vulnerable on Macomb County’s website for 40 days.

5. Dairy Queen – 395 stores affected

The credit card data of Dairy Queen customers may have been stolen by Backoff malware on their POS systems, according to a post on the company’s site. The widespread Backoff malware has threatened retailers around the country over the past few months. The number of credit cards affected at Dairy Queen is unknown, and only time will tell how much fraud will result from the breach.

Staples and Kmart also revealed that they’re investigating potential data breaches, but have not yet shared details about how many stores or records were affected. To read about more 2014 data breaches, see the Identity Theft Resource Center’s comprehensive list.

2014-11-10T04:15:58+00:00

About the Author:

Ali Sawyer is a GIAC Certified Forensic Examiner at LMG Security who specializes in digital forensics, incident response, and cybersecurity education. She has worked for IBM as a software developer and holds her degree in Computer Science from Columbia University.
