2016: Data Breach Statistics


The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

The year 2016, till now, has witnessed 980 data breaches affecting 35 million plus records. The highest number of records breached has been in the Medical/ Healthcare sector, at more than 15 million records, as per the report from Identity Theft Resource Center.

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted. The excerpts below only provide a glimpse of some of these incidents – the list goes on.


November 23, 2016 – The Navy reported that PII of 134,386 sailors was compromised from a contractor’s laptop.  Hewlett Packard Enterprise Services, through which the contractor was hired, said that no information had been misused. However, it reported that data containing names and Social Security Numbers was accessed by an unknown number of people. The investigation is ongoing and will take a few weeks before identifying those affected and next steps.

Source: Navy Times

October 28, 2016 – A breach at the Office of the Comptroller of Currency resulted in leakage of sensitive information of more than 10,000 employees. It was found that a former employee had unintentionally downloaded the information. There is no evidence on any information being misused in any way. The incident was reported to Congress as required by law.

Source: Wall Street Journal


November 30, 2016 – Emblem Health has notified that its subsidiary company, Group Health Inc. (GHI), had an accidental breach wherein an unknown number of records were exposed. The disclosed information contained the Health Insurance Claim Number (HICN) which mirrors the Social Security Number. So far, there has been no report of any kind of misuse of leaked information. As a precaution, the affected members have been offered free professional identity monitoring service for 24 months, in addition to a 24-hour dedicated helpline and $1,000,000.00 in identity theft insurance through AllClear ID.

Source: California Attorney General


December 2, 2016 – San Jose Evergreen Community College District (SJECCD), California, reported that an employee accidentally uploaded a file containing the PII of an unknown number of students on the SJECCD website. The information could be accessed if search strings were run on the site. Upon learning about the mistake, the file was immediately removed from the server. Though there is no immediate report of any misuse, the management has offered complimentary one year credit monitoring services of AllClear ID to affected students.

Source: California Attorney General