109 Biggest Data Breaches, Hacks, and Exposures as of 2024

As more companies conduct business online, there has been a corresponding increase in cybersecurity breaches. As a result, businesses need to protect themselves from making mistakes that can lead to data theft.

To help businesses understand the consequences of not securing data, we’ve created a list of over 100 of the biggest data breaches of all time.

We’ve broken our list into different years for easier reading.

To start, we cover the top 10 data breaches of all time, and then we cover the largest data breaches of 2023 and all the way back to 2010.

Table of Contents

1. Top 10 Data Breaches of All Time
2. Biggest Data Breaches in 2023
3. Biggest Data Breaches in 2022
4. Biggest Data Breaches in 2021
5. Biggest Data Breaches in 2020
6. Biggest Data Breaches in 2019
7. Biggest Data Breaches in 2018
8. Biggest Data Breaches in 2017
9. Biggest Data Breaches in 2016
10. Biggest Data Breaches in 2015
11. Biggest Data Breaches in 2014
12. Biggest Data Breaches in 2013
13. Biggest Data Breaches in 2012
14. Biggest Data Breaches in 2011
15. Biggest Data Breaches in 2010
16. Wrapping Up

Top 10 Data Breaches of All Time

1. Yahoo – 3,000,000,000 records lost

In 2013, hackers breached Yahoo’s system and leaked customer info from over 3 billion accounts. Fortunately, the stolen data didn’t include crucial information such as payment data, unhashed passwords, or bank account numbers.

2. River City Media – 1,370,000,000 records lost

In March 2017, a spam email operator exposed 1.37 billion records by accident, making it one of the most major data breaches ever. This breach happened when River City Media accidentally published a snapshot of a backup from January 2017 without password protection.

3. Aadhaar – 1,100,000,000 records lost

In March 2018, India’s biometric database, Aadhaar, was breached through a leak at a state-owned utility organization. This breach meant that every registered Indian citizen was affected, and their identity numbers, bank details, and names were all leaked. The breached data was put on sale on WhatsApp for less than £6.

4. Indian Council of Medical Research (ICMR) – 815,000,000 records lost

In October 2023, the COVID testing data of 815 million people (81.5 crore) was stolen from the Indian Council of Medical Research. The bad actor attempted to sell the dataset for $80,000 on hacking forums. Four people have since been arrested in relation to the crime.

5. Spambot – 711,000,000 records lost

In August 2017, a spambot leaked passwords and emails due to a misconfiguration. As a result, over 700 million records — roughly equivalent to one email address for every man, woman, and child in Europe — were leaked. However, this breach of data included lots of repeated and fake accounts.

6. Facebook – 533,000,000 records lost

In March 2021, hackers scraped the social media giant Facebook due to a vulnerability that was patched in 2019. A whopping 533 million user records from 106 countries were posted onto a hacking forum. These included full names, phone numbers, user locations, biographical information, and email addresses.

7. Syniverse – 500,000,000 records lost

Syniverse, a company that forms a critical part of the global telecommunications infrastructure, revealed in a filing on September 27, 2021, with the US Securities and Exchange Commission (SEC) that hackers gained access to 500 million records.

Many telecommunications companies worldwide use Syniverse, including AT&T, Verizon, T-Mobile, China Mobile, and Vodaphone. The leaked information contained personal information of its employees, trade secrets, intellectual property, sensitive information of its suppliers, customers, vendors, and other important financial information.

Furthermore, the company discovered that hackers had been in its system for years, meaning the data leak could have potentially impacted more than 200 of its clients and millions of mobile users around the world.

8. Yahoo – 500,000,000 records lost

In September 2016, a state-sponsored actor stole 500 million records from Yahoo, including dates of birth, names, and security information. At the time, this was the biggest data breach in history.

9. MySpace – 427,000,000 records lost

In May 2016, a search engine for hacked data and a hacker obtained over 400 million records from MySpace. Both parties claimed that they had obtained the data from a past, unreported data security incident. The leaked information contained emails, passwords, usernames, and second passwords. The hacker tried to sell the information for $2,800 or 6 Bitcoin on the dark web.

10. Friend Finder Network – 412,000,000 records lost

In November 2016, the adult dating and entertainment company Friend Finder Network was targeted by cybercriminals. As a result, over 412 million accounts were exposed. The hackers also managed to leak 339 million accounts from AdultFriendFinder.com, including 15 million “deleted” accounts that had never actually been deleted from the site’s server.

Biggest Data Breaches in 2023

1. Indian Council of Medical Research (ICMR)

Date: October 2023

Impact: 815 Million People (81.5 crore)

Summary: A data breach impacting a massive number of Indian citizens’ personal data relating to COVID testing occurred at the Indian Council of Medical Research (ICMR).

First identified by a U.S. cybersecurity firm, someone on a hacking forum allegedly tried to sell the dataset for $80,000.

Four individuals have since been arrested in relation to the data breach incident, and further investigations are expected to continue.

2. X (formerly Twitter)

Date: January 2023

Impact: 200 Million Users

Summary: Hackers released the email addresses of more than 200 million X profiles — called Twitter at the time — and gained access to their user names, account handles, follower numbers, and the dates each profile was created.

Experts warned that such a breach could make it easier for the bad actors to gain access to the victims’ other accounts. They also expressed that this could lead to the malicious creation of phishing accounts masking as journalists, activists, or other high profile users.

3. MOVEit

Date: June 2023

Impact: 62 Million People

Summary: MOVEit, a file transfer software, was hit with several cyber attacks after vulnerabilities were discovered in the tool. The attacks led to a breach involving the personal information of over 2,000 companies, impacting an estimated 62 million people.

The attack targeted U.S. federal agencies, including the Department of Agriculture, Department of Energy, and Department of Health and Human Services.

But it also impacted state agencies, like the Oregon Department of Transportation and nearly the entire state of Maine, where 1.3 million people in a state with a population of 1.37 million are said to have been part of the breach.

4. T-Mobile

Date: January 2023

Impact: 37 Million Customers

Summary: T-Mobile announced that they experienced a  significant data breach in January 2023 that involved personal data, including names, billing addresses, emails, phone numbers, and birthdates.

The company reassured customers that no passwords, payment card information, government ID numbers, or financial account details were involved in the leak.

T-Mobile also reset account PINs for all impacted customers and offered two years of free credit monitoring and identity theft detection services.

5. HCA Healthcare

Date: July 2023

Impact: 11 Million Customers

Summary: HCA Healthcare, a large healthcare provider in the U.S., announced that they discovered certain patient information was made public by an unknown and unauthorized party.

The leaked data included patient names, addresses, emails, telephone numbers, birth dates, gender, service dates, and appointment information. However, it did not include clinical information about treatments or diagnoses, payment details, or other sensitive information.

6. JD Sports

Date: January 2023

Impact: 10 Million Customers

Summary: UK fashion brand JD Sports announced it experienced a data breach impacting the personal data of at least 10 million customers who made purchases between 2018 and 2020.

The breached information included names, billing and shipping addresses, the last four digits of payment cards, phone numbers, and order details. JD Sports representatives warned customers to be vigilant about potential scams, spam emails, calls, and text messages.

7. Freecycle Network

Date: August 2023

Impact: 7 Million Users

Summary: Freecycle Network, a nonprofit organization in the U.S. and UK that helps people trade goods to prevent the items from ending up in landfills, announced that they were part of a data breach impacting 7 million users.

Leaked data includes usernames and passwords, and all Freecycle Network users were asked to change their passwords.

8. 23andMe

Date: December 2023

Impact: 6.9 Million Users

Summary: According to a recent article from TechCrunch, ancestry and genetic testing service 23andMe confirmed they were victims of a cyber breach that impacted the personal information of 6.9 million users.

Initially, the company claimed only 0.1% of its customers were impacted (around 14,000 people).

However, the hackers were able to access the information of millions of other individuals through 23andMe’s DNA Relatives Feature, which allows users to share details with people they choose automatically.

The compromised information includes ancestry reports, names, birth year, reported user location, relationship labels, and percentage of information shared with others.

9. PharMerica

Date: May 2023

Impact: 5.8 Million Customers

Summary: One of the leading pharmacy service providers in the U.S., PharMerica, experienced a data breach that included social security numbers, health information, birth dates, and names of people both living and deceased.

Their parent company, Bright Springs Health, was also impacted by the cybercrime. It is still unknown who is responsible for the apparent ransomware attack.

10. Duolingo

Date: August 2023

Impact: 2.6 Million Users

Summary: It was revealed that bad actors scraped the personal information of more than 2.6 million DuoLingo users, including their email addresses, usernames, languages, and the languages the users are learning.

Duolingo helps people learn new languages and currently has an average of 72.6 monthly users. The data was put up for sale several times on different hacking forums.

11. Topgolf Callaway Brands

Date: August 2023

Impact: 1 Million Customers

Summary: Topgolf Callaway, a golf brand that sells goods and manufactures sports equipment, experienced a breach impacting the personal data of more than 1 million customers that included user profiles, names, addresses, security question answers, order histories, and account passwords.

The breach was disclosed by the Maine Attorney General’s Office.

Customers were urged to change their passwords immediately.

Biggest Data Breaches in 2022

1. Neopets

Date: July 2022

Impact: 69 Million Users

Summary: Hackers breached Neopets’s database and stole the personal data of potentially 69 million users (current and former) and 460 MB of source code. The hackers had access to this database from January 3, 2022, to July 19, 2022. The attackers attempted to sell this data for four bitcoins, which alerted Neopets to the breach.

The data stolen included users’ personal information such as names, usernames, email addresses, Ip addresses, gender, date of birth, PIN for Neopets, hashed passwords, and information about the users’ pets and gameplay.

2. SuperVPN, GeckoVPN, and ChatVPN

Date: May 2022

Impact: 21 million Users

Summary: In May 2022, attackers stole the personal information of 21 million users of networks SuperVPN, GeckoVPN, and ChatVPN. They then posted the stolen data on a Telegram group where anyone could freely download it. This information included users’ full names, email addresses, countries, passwords, payment information, and account status. It also had 10GB of sensitive information.

3. Singtel Optus Pty Limited

Date: September 2022

Impact: 9.8 million customers

Summary: Optus is an Australian telecommunications company. In September 2022, it reported a severe breach where possibly 9.8 million customers had their data leaked. Optus shut down the attack immediately after discovering it and its CEO — Kelly Bayer Rosmarin — believes the affected number of customers to be lower than 9.8 million.

Hackers may have exposed information that includes customers’ names, dates of birth, phone numbers, and email addresses. In addition, some customers’ addresses and identification document numbers (such as their driver’s licenses or passport numbers) were exposed. However, payment details and account passwords were not leaked.

4. Cash App Data Breach

Date: April 2022

Impact: 8.2 million customers

Summary: In April 2022, the owners of Cash App — a mobile payment company — reported that, in December 2021, a former employee breached their data and downloaded the personal information of 8.2 million current and former customers. The hacker stole information that included customers’ full names, their portfolio values, stock trading information, and brokerage account numbers. However, the stolen data did not include customers’ usernames, passwords, social security numbers, or bank account information.

5. Twitter

Date: July 2022

Impact: 5.4 million

Summary: In July 2022, an attacker compiled information from 5.4 million Twitter users due to a now-corrected system vulnerability. The attacker stole email addresses and phone numbers and connected them to user accounts. Twitter maintained that no passwords were stolen but urged all Twitter users to use two-factor authentication for their accounts.

6. Medibank

Date: October 2022

Impact: 3.9 million

Summary:  On October 12, 2022, Australian private health insurance company Medibank announced that it detected a data breach. It was contacted by the hacker, who claimed to have stolen 200GB of data.

On October 25, Medibank disclosed that 3.9 million customers’ data was exposed. Information stolen included personal data such as customers’ names, addresses, dates of birth, Medicare card numbers, and gender. The health information stolen consisted of claim codes made by customers.

7. FlexBooker

Date: January 2022

Impact: 3.7 million

Summary:  Booking software FlexBooer announced in January 2022 that it discovered that 3.7 million accounts were breached in December 2021. A breach in the cloud server shut off customers from accessing their accounts and prevented FlexBooker from servicing the customer accounts. During this time, the storage system was accessed and downloaded.

FlexBooker stated that the compromised information included customers’ full names, email addresses, and phone numbers. Payment information was not stolen.

8. Nelnet Servicing LLC

Date: July 2022

Impact: 2.5 million

Summary: In August 2022, student loan servicer Nelnet suffered a data breach when an unknown hacker accessed the data of 2.5 million individuals who secured loans with EdFinancial or the Oklahoma Student Loan Authority. The breach included full names, addresses, phone numbers, and Social Security numbers.

Nelnet now faces class action lawsuits for its failure to protect the loan borrowers’ data securely and for its late notice of the incident. The breach occurred in July, but Nelnet did not contact the U.S. Department of Education and the affected borrowers until August

9. Woolworths – MyDeal

Date: October 2022

Impact: 2.2 million customers

Summary: Australian retail company announced that its MyDeal online store was breached in October 2022. Hackers exposed the personal information of 2.2 million customers by gaining access via compromised user credentials. The information exposed included customers’ names, dates of birth, phone numbers, email addresses, and delivery addresses.

10. Shields Health Care Group

Date: March 2022

Impact: 2 million people

Summary: Shields Health Care Group is a medical services provider based in Massachusetts whose network was attacked by hackers on March 28, 2022. After an investigation, it was discovered that the hackers breached the network from March 7, 2022, to March 21, 2022, and the attack affected 2 million patients and 56 facilities.

The hackers had access to patient information, including the following: full name, social security numbers, date of birth, home addresses, provider information, patient diagnosis, billing information, insurance information, insurance numbers, medical record numbers, patient identification numbers, and other medical information.

11. Texas Department of Insurance

Date: May 2022

Impact: 1.8 million people

Summary:  A state audit released in May 2022 announced that the personal information of 1.8 million people who filed an insurance claim with the Texas Department of Insurance was leaked. According to the report, the leaked information was available publicly for almost three years – from March 2019 to January 2022.

The leak resulted from a problem with the programming code, which allowed access to protected information. An auditor noted the leaked information in January 2022 during a routine audit and reported it.

Personal information exposed included addresses, dates of birth, phone numbers, social security numbers, and information about work injuries.

12. Flagstar Bank Data Breach

Date: June 2022

Impact: 1.5 million people

Summary: Flagstar Bank suffered a data breach that affected over 1.5 million customers. Although the breach is believed to have occurred in December 2021, it wasn’t discovered until June 2022. The hackers accessed sensitive customer data, including names, personal identifications, and social security numbers.

Flagstar Bank stressed that no evidence suggests this information has been misused.

13. Illuminate Education

Date: January 2022

Impact: 820,000 students

Summary:  In January 2022, an investigation determined that an outage experienced by the school management platform Illuminate Education was actually a data breach. The NYC school system uses the platform for teachers to communicate with parents and check grades.

Although initially denying the claim that any personal information was leaked, it was announced later that 820,000 current and former students’ personal information was accessed. Hackers gained access to data such as students’ names, dates of birth, student identification numbers, genders, ethnicities, and languages spoken.

14. Red Cross

Date: January 2022

Impact: 515,000 people

Summary:  Hackers accessed the servers of the International Committee of the Red Cross by taking advantage of a vulnerability in an authentication module, where they were able to disguise themselves as legitimate users and administrators, gaining access to the data.

The initial attack is thought to have occurred in November 2021 but was not discovered until January 18, 2022, after an investigation. It is unknown who was behind the attack, but they gained access to the personal information of over half a million people, including names, locations, and contact information. Many of the victims were missing persons, detainees, and individuals receiving services from the Red Cross and Red Crescent Movement due to armed conflict, natural disasters, or migration.

15. Avamere Health Services, LLC

Date: July 2022

Impact: 380,000 people

Summary:  Avamere is a group of post-acute care companies for seniors. An investigation found that an unauthorized third party had access to and removed folders and files from Avamere’s network from January 19, 2022, to March 17, 2022.

The breach affected 380,000 patients over 96 different organizations. The information hacked included patient names, addresses, driver’s licenses, state identification numbers, claim information, lab results, medical information, social security numbers, financial account numbers, and medical diagnosis information.

16. Toyota

Date: October 2022

Impact: 300,000 people

Summary:  Toyota suffered a data breach after the source code for its “T-Connect” app was posted on GitHub, a software development platform, in December 2017. However, Toyota only realized that the source code was publicly available on September 15, 2022 — almost five years later. Toyota changed the access code, but the breach exposed the emails of 300,000 customers. However, the carmaker insisted that no other personal data was leaked.

17. Keystone Health

Date: July 2022

Impact: 235,000 patients

Summary:  After an investigation, Keystone Health discovered that an unauthorized party hacked into its computer network on July 28, 2022, and remained on the network until August 19, 2022, when Keystone health discovered its presence. Information breached included patients’ names, social security numbers, and health information of 235,000 patients.

18. Service Employees International Union, Local 32BJ

Date: February 2022

Impact: 230,487 people affected

Summary: This US-based union — which primarily consists of property maintenance workers, window cleaners, school, and food service workers in several Eastern Seaboard states — had a data security event. An unauthorized third party obtained access to several computers in the union’s network. As a result, they managed to access certain files that may have included the addresses, names, and Social Security numbers of up to 230,487 people.

19. Logan Health Medical Center

Date: February 2022

Impact: 213,543 people affected

Summary: This medical center in Kalispell, Montana, suffered a data breach on February 22, 2022. An unknown entity gained unauthorized access into one file server that included shared folders. As a result, it potentially accessed personal information related to business associates, patients, and employees. The accessed information varies by individual but includes dates of birth, names, and Social Security numbers.

20. North Face

Date: September 2022

Impact: 200,000 people

Summary: Apparel store North Face was the victim of a credential stuffing attack, where email addresses, usernames, and passwords are obtained to breach other websites’ accounts. The logic behind the attack is that users use the same login details for multiple accounts.

Hackers initiated the attack at the end of July 2022, but it was not detected and shut down until mid-August. The hackers breached almost 200,000 user accounts and obtained information such as customers’ full names, purchase history, billing addresses, shipping addresses, telephone numbers, account creation dates, genders, and rewards records.

21. Omnicell, Inc.

Date: May 2022

Impact: 126,000 patients

Summary:  Omnicell — a provider of medication management to hospitals, other medical facilities, and pharmacies — was recently attacked by ransomware. Hackers gained access to sensitive patient information, such as patient name, credit card information, financial account information, social security numbers, driver’s license numbers, health insurance details, and other protected health information.

Initially, Omnicell reported that the breach affected almost 62,000 patients. However, in October 2022, that number rose by an additional 64,000 patients, increasing the total number of patients affected by the breach to more than 126,000.

22. South Shore Hospital Corporation

Date: February 2022

Impact: 115,670 people affected

Summary: South Shore Hospital, a non-profit hospital in Chicago, Illinois, which treats patients receiving Medicaid or Medicare benefits, noticed suspicious activity on its IT network. It discovered that the protected health information of certain employees and patients was compromised. The leaked data includes first and last names, dates of birth, financial information, medical information, health insurance policy numbers, diagnoses, and Medicare and Medicaid information.

23. GiveSendGo System

Date: February 2022

Impact: 93,000 donors

Summary:  Canadian truckers (called the Freedom Convoy) who protested against the COVID rules had a page on GiveSendGo, a Christian fundraising site. Hackers accessed GiveSendGo and launched a series of attacks on the fundraising page for the Freedom Convoy. Personal information almost 93,000 donors was leaked online. The information exposed included the donors’ names, identification, email addresses, and the amount they donated. Some donors had to close down their businesses due to threats, while others lost their jobs.

24. Alameda Health System

Date: June 2022

Impact: 90,000 patients

Summary:  Alameda Health System noticed suspicious activity in its employees’ email accounts. Alameda investigated and found that an unauthorized party had hacked the email accounts from May 2020 to March 2022. It is believed to have affected 90,000 patients and might have compromised patients’ names, dates of birth, ids, clinical or treatment information, health insurance information, claims information, social security number, or driver’s license numbers.

25. Revolut

Date: September 2022

Impact: 50,000 customers

Summary: In September 2022, an unauthorized third party accessed the Fintech Revolut database and accessed data from more than 50,000 customers. Examples of the information taken include customers’ names, addresses, email addresses, and payment cards (partial)

26. Deakin University

Date: July 2022

Impact: 47,000 students

Summary: An authorized third party gained access to the Deakin University server by using the username and password of a staff member and had access to private student information. Almost 47,000 students were affected, and nearly 10,000 became part of an SMS phishing campaign. If the student participated in the campaign, they were asked to give personal details, inkling credit card information.

27. Ethos Technologies, Inc.

Date: January 2022

Impact: 13,300 people affected

Summary: Ethos Technology, a San Francisco tech company that makes it easier for consumers to buy life insurance policies, noticed that hackers targeted the online system it uses to create life insurance policies in a cyber attack. After investigating the incident, they learned that an unauthorized third party may have obtained certain clients’ driver’s license numbers between July 15, 2021, and January 12, 2022. The hackers would have also been able to access the clients’ address, name, state of issuance, and date of birth.

Biggest Data Breaches in 2021

1. Facebook

Date: March 2021

Impact: 533,000,000 user records

Summary: Hackers scraped Facebook due to a security gap that the company had patched back in 2019. As a result, 533,000,000 user records from 106 countries were posted on a hacking forum. The leaked information included user locations, full names, biographical information, phone numbers, and email addresses. This information was discovered when a user in the hacking forum promoted an automated scraping bot that could extract phone numbers for hundreds of millions of Facebook users.

2. Syniverse

Date: September 2021

Impact: 500,000,000 user records

Summary: Syniverse is a telecommunications company used by many organizations worldwide, including T-Mobile, Verizon, China Mobile, AT&T, and Vodaphone. In 2021, they reported that unauthorized parties gained access to 500,000,000 records in a filing with the U. S. SEC. These records contained employees’ personal information, customers’ sensitive information, Syniverse’s trade secrets and other intellectual property, and other important financial information.

The incident affected major organizations, including Ford, the logistics company J.B. Hunt, American Airlines, the Maryland Department of Health, New York City public schools, and the New York City Municipal Transportation Authority.

3. Power Apps from Microsoft

Date: August 2021

Impact: 38,000,000 records

Summary: Over a thousand misconfigured web apps accidentally exposed 38 million records to the public. This breach included data from several COVID-19 contact-tracing platforms, job application portals, vaccination sign-ups, and employee databases. The leaked data consisted of people’s COVID-19 vaccination status and personal data, such as home addresses and phone numbers.

4. Amazon Vendors

Date: May 2021

Impact: 13,124,962 user records

Summary: An unclaimed and unprotected ElasticSearch database exposed more than 13 million records. These records included the personal data of people willing to provide fake reviews in return for free items from Amazon vendors. Specifically, these records included email addresses and Telegram and WhatsApp phone numbers. In addition, information related to the vendors was also exposed, including PayPal account details, email addresses, and usernames (many containing names and surnames).

5. Pandora Papers

Date: October 2021

Impact: 11,900,900 records

Summary: 11.9 million documents were leaked, revealing the assets of more than 30 world leaders, 300 public officials, and more than 100 billionaires. A cache of emails, incorporation records, compliance reports, and complex diagrams showing corporate structures — these papers reveal the inner workings of the lives of the world’s wealthiest and most influential people. They were leaked to the International Consortium of Investigative Journalists (ICIJ) in Washington, D.C., which shared access to the cache with media partners such as BBC Panorama, the Washington Post, the Guardian, and Le Monde.

Biggest Data Breaches in 2020

1. Pakistani Mobile Operators

Date: April 2020

Impact: 115,000,000 records

Summary: A hacker stole the data of 44 million Pakistani mobile users from Jazz and other mobile networks. This hack was part of a bigger cache of stolen information from 115 million user accounts. The hacker then tried to sell the data for $2.1 million in Bitcoin. The data contained personal information, such as customers’ full names, national identification (CNIC) numbers, landline numbers, mobile phone numbers, home addresses, dates of subscription, and more.

2. SolarWinds

Date: December 2020

Impact: 50,000,000 records

Summary: Russian hackers were said to have compromised SolarWinds, the network-monitoring software used by the Pentagon, nuclear labs, intelligence agencies, and many Fortune 500 companies. This hack happened due to a tainted software update, which allowed a trojan horse for hackers to get into the SolarWinds system. Fifty million records from an unknown number of companies and individuals were possibly affected.

3. MGM Hotels

Date: February 2020

Impact: 10,600,000 users

Summary: The personal details of over 10.6 million users who had stayed at MGM Resorts hotels were posted to a hacking forum. The leaked information included full names, phone numbers, dates of birth, home addresses, and phone numbers. These details belonged to regular travelers and tourists but also contained the contact details and personal information for CEOs, celebrities, government officials, reporters, and employees at top tech companies.

4. Dutch Government

Date: March 2020

Impact: 6,900,000 records

Summary: Unauthorized parties stole two hard drives from the Dutch government. These drives contained data from 6.9 million registered organ donors, including ID numbers, signatures, and contact details.

5. Marriott International

Date: January to March 2020

Impact: 5,200,000 people

Summary: Hackers used the login credentials of two employees to access a large amount of guest information in mid-January 2020. After this was discovered, Marriott International disabled the accounts and started an investigation. It also notified guests and relevant authorities. The leaked information varies, depending on the guest, but includes contact details and personal details, such as birthday, company, gender, language preferences, partnerships and affiliations, and loyalty account information.

Biggest Data Breaches in 2019

1. 16 Hacked Websites

Date: February 2019

Impact: 617,000,000 records

Summary: Hackers stole the details of 617 million online accounts from 16 hacked websites, including Dubsmash, MyHeritage, Whitepages, Fotolog, BookMate, CoffeeMeetsBagel, HauteLook, and DataCamp. They then put the details on the dark web Dream Market cyber-souk for less than $20,000 in Bitcoin. Most of the leaked information consisted of email addresses, account-holder names, and hashed passwords that had to be cracked before they could be used.

2. MongoDB

Date: May 2019

Impact: 275,265,298 records

Summary: Security Discovery researcher Bob Diachenko discovered an extensive, unprotected MongoDB database with over 200 million personal information records of Indian citizens. The records included mobile phone numbers, professional information, gender, dates of birth, names, and current salaries.

3. Microsoft

Date: December 2019

Impact: 250,000,000 records

Summary: Two hundred fifty million customer records spanning 14 years were exposed without password protection. The information contained customer email addresses, geographical locations, descriptions of the support claims and customer service case, customer email addresses, and more. The database started being exposed on December 5, 2019, due to a hiccup in security rules and was fixed on December 31, 2019.

4. 8 Hacked Websites

Date: February 2019

Impact: 127,000,000 records

Summary: The hacker who stole 617 million records from the 16 sites earlier in this list stole another 127 million from 8 more websites. They pulled data from websites that included Houzz, Ge.tt, Ixigo, YouNow, Roll20, Coinmama, Stronghold Kingdoms, and PetFlow. After gathering all the information, the hacker put up the hacked data for $14,500 in Bitcoin. Most of the stolen information consisted of email addresses, names, scrambled passwords, and other account and login data.

5. Capital One

Date: March 2019

Impact: 100,000,000 people

Summary: A software engineer at Amazon Web Services (AWS) coordinated an attack on Capital One, exposing personal information such as bank account details. In total, she stole 80,000 bank account numbers and 140,000 Social Security numbers. The breach also compromised 1 million Canadian social insurance numbers.

Penalties: In 2020, the US Office of the Comptroller of the Currency (OCC) fined Capital One $80 million for this breach. Additionally, in December 2021, Capital One paid out a $190 million settlement for a class action from US customers for this data breach.

6. Wawa Inc.

Date: December 2019

Impact: 30,000,000 records

Summary: The convenience and fuel store chain had its payment card processing systems compromised during a nine-month breach. This breach led to the theft of card data from clients who visited any of its 850 locations throughout the nation. The hackers put the stolen information on sale at one of the dark web’s most popular shops, Joker’s Stash. The exposed data included credit and debit card numbers, cardholder names, and expiration dates. Luckily, the breach didn’t expose CVV records or personal identification numbers.

Biggest Data Breaches in 2018

1. Aadhaar

Date: March 2018

Impact: 1,100,000,000 records

Summary: Aadhaar, India’s biometric database, was breached via a security gap at a state-owned organization. As a result, every registered Indian citizen had their information leaked. Their identity numbers, names, bank details, and other personal information were put up for sale on WhatsApp for less than £6.

2. Marriott International

Date: September 2018

Impact: 383,000,000 records

Summary: Marriott International lost 383 million records when hackers compromised Starwood hotels’ reservation system, which included the reservation systems of hotel lines such as Sheraton, Westin, and Le Meridien. The hackers stole passport information, credit card details, and other personal information going back to 2014.

Penalties: The UK’s Information Commissioner’s Office (ICO) fined Marriott International £18.4 million ($23.98 million) for failing to secure customers’ personal data from this attack.

3. Twitter

Date: May 2018

Impact: 330,000,000 records

Summary:  A whopping 330 million records were exposed through a Twitter glitch that caused some passwords to be stored in a readable format. Twitter passwords are normally unreadable due to a process called “hashing.”

4. Chinese Job-seeking Websites

Date: December 2018

Impact: 202,000,000 records

Summary: An unauthorized third party scraped 202 million records from Chinese job-seeking websites. They then put these records on an unsecured database. The records included people’s weight, height, driving license, phone numbers, resumes, marital status, literacy level, salary expectations, and more.

5. Quora

Date: December 2018

Impact: 100,000,000 records

Summary: The question-and-answer website, Quora, was targeted by hackers in December 2018. They leaked around 100 million users’ private messages and login information.

6. Google

Date: October to December 2018

Impact: 500,000 Google+ accounts

Summary: When Google decided to shut down its Google+ social network in October 2018, they discovered a bug in the Google+ API that let developers access private data. Google said there was no evidence that hackers had exploited this bug, but over 400 applications used this bug. This meant that up to 500,000 accounts were potentially affected.

Penalties: Users filed two class actions in 2018 that later consolidated into one, and in January 2020, Google agreed to a $7.5 million settlement that allowed all users with Google+ accounts between January 2015 and April 2, 2019, whose private information was exposed to receive $5 to $12 each.

Biggest Data Breaches in 2017

1. River City Media

Date: March 2017

Impact: 1,370,000,000 records lost

Summary: A spam operator accidentally exposed at least 1.37 billion records due to a faulty backup. This leak happened when River City Media made a snapshot of a backup in January 2017 and accidentally published it to the internet without password protection.

2. Spambot

Date: August 2017

Impact: 711,000,000 records

Summary: A misconfigured spambot leaked emails and passwords, leading to one of the biggest data breaches in recent years. Almost one email address for every person in Europe was leaked. The information became visible to the public because the spammers forgot to secure one of their servers. As a result, anyone could download the data without credentials.

3. Equifax

Date: September 2017

Impact: 143,000,000 records

Summary: Hackers breached the database of the credit report agency Equifax, exposing the Social Security numbers, names, birth dates, driver’s license numbers, addresses, and credit card information of US, Canadian, and UK citizens.

Penalties: Equifax had to pay US regulatory bodies up to $700 million in penalties and fines for failing to mitigate and prevent the breach. Equifax also gave affected consumers ten years of free credit monitoring. The company has also made it easier for consumers to dispute inaccurate information in credit reports and freeze their credit.

4. Malaysian Mobile Phone Numbers

Date: October 2017

Impact: 46,200,000 records

Summary: Around 46.2 million mobile phone numbers from Malaysian mobile virtual network operators and telephone companies were posted online. The leak included prepaid and postpaid numbers, addresses, customer details, and SIM card information, including IMSI and IMEI numbers. Timestamps indicated that the leaked data was from May and July 2014. As with the other data leaks, the hackers tried to sell this information by posting it on a forum.

5. AI.type

Date: December 2017

Impact: 31,000,000 people

Summary: Personal data from over 31 million customers of AI.type, a customizable on-screen keyboard app, was leaked online. This data leak happened because the app’s developer failed to secure the app’s server. The server had no password, which meant that anyone could access the company’s 557 gigabytes of personal data.

Biggest Data Breaches in 2016

1. Yahoo

Date: December 2014, but was only reported in September 2016

Impact: 500,000,000 records

Summary: In December 2014, Yahoo had 500 million records stolen by a “state-sponsored actor.” However, the company didn’t disclose this data breach until 2016. The leaked data included security information, telephone numbers, birth dates, and names.

Penalties: The U.S. SEC fined Altaba, Yahoo’s owner, $35 million for failing to disclose their breach in time. Although Yahoo’s senior management knew about the breach in December 2014, they failed to investigate the circumstances of the breach. They also failed to consider whether they should disclose the breach to investors.

2. Friend Finder Network

Date: November 2016

Impact: 412,000,000 records

Summary: The adult entertainment and dating company Friend Finder Network was the target of a data breach that exposed over 412 million accounts. The hack included 339 million accounts from AdultFriendFinder.com, including over 15 million “deleted” accounts that were never actually deleted. In addition, around 70 million accounts from the company’s other properties, including Cams.com and Penthouse.com, were also leaked.

The leaked information was 20 years’ worth of data, including sensitive information such as whether users were looking for extramarital affairs and sexual preferences.

3. Uber

Date: Late 2016

Impact: 57,000,000 user accounts and 600,000 driver accounts

Summary: In late 2016, Uber was the victim of a large data breach. Instead of reporting the hack to authorities, the ride-hailing app Uber paid the hackers $100,000 to keep the incident under wraps. They managed to keep it a secret for more than a year. The stolen data included Uber drivers’ and riders’ email addresses, names, and phone numbers.

Penalties: Uber was fined a whopping $148 million in 2018 for violating New York’s data breach notification laws.

4. Morgan Stanley

Date: 2016 and 2019

Impact: 15,000,000 customers

Summary: Morgan Stanley failed to take proper precautions when retiring its older technology. This lack of oversight led to the accidental exposure of 15 million customers’ personal data.

Penalties: In October 2020, Morgan Stanley paid a $60 million civil fine. The OCC had ruled that the company had unsound and unsafe information security practices. The company will also have to give affected customers at least two years of fraud insurance coverage and the ability to apply for reimbursement of up to $10,000 in losses if US District Judge Analisa Torres approves a proposed action on behalf of the 15 million customers.

5. MySpace

Date: May 2016

Impact: 427,000,000 records

Summary: A hacker allegedly stole a massive amount of data from MySpace. It’s unclear exactly when they took the data from MySpace, but the hacker said that they got the data from a past, unreported breach. Each record in the database contains a username, an email address, a password, and in some records, a second password. The hacker put the information on the dark web and asked for 6 Bitcoins, or $2,800, in exchange for it.

Biggest Data Breaches in 2015

1. Deep Root Analytics

Date: December 2015

Impact: 198,000,000 records

Summary: A researcher discovered an unsecured database containing US voter information. The leaked information contained addresses, names, contact details, and party affiliations.

2. Experian/T-mobile

Date: October 2015

Impact: 15,000,000 records

Summary: Experian, the world’s largest data-monitoring firm, revealed a massive data breach that had exposed the details of T-mobile consumers. Specifically, the breach exposed the details of customers who were applying for credit checks from September 1, 2013, to September 16, 2015. These records included sensitive information, such as addresses, names, birth dates, and encrypted fields with ID and Social Security numbers.

In the spirit of fairness and transparency, CEO John Legere offered two years of identity resolution services and free credit monitoring to affected customers.

3. Anthem

Date: February 2015

Impact: 80,000,000 records

Summary: Anthem, one of the US’s most prominent health insurers, was the target of a sophisticated cyberattack. The attackers uncovered Social Security numbers, addresses, names, dates of birth, and employment information.

Penalties: Anthem paid $179.2 million to settle legal actions and lawsuits due to this cyber attack. It also paid a $48.2 million financial penalty and agreed to improve its data security practices. Specifically, it has promised to implement a full-suite information security program based on the concept of zero-trust architecture. In addition to reporting major security breaches and events to the CEO, the company has also started sending regular security reports to its board of directors.

4. Securus Technologies

Date: November 2015

Impact: 70,000,000 records

Summary: A hacker leaked over 70 million prisoner phone calls from at least 37 states. The calls spanned almost two years, with the earliest record from December 2011 and the latest record from spring 2014. This leak potentially violated constitutional attorney-client protections since these records included links to recordings.

5. US Office of Personnel Management

Date: July 2015

Impact: 14,000,000 records

Summary: Hackers gained access to sensitive data on US military and intelligence personnel, leading to fears about potential blackmail attempts. A 127-page document called the Standard Form 86 might have been accessed, which revealed prospective and current employees’ answers to the following questions:

• Have you illegally used any controlled substances or drugs in the last seven years?
• Have you defaulted on any loans in the last seven years?
• Have you ever decided to seek treatment or counseling due to your use of alcohol?

Biggest Data Breaches in 2014

1. eBay

Date: May 2014

Impact: 145,000,000 records

Summary: Hackers targeted eBay between late February and early March. They used the login credentials of three employees to access a database of the entire company’s user records. The leaked information consisted of usernames and emails.

2. JPMorgan Chase

Date: June to August 2014, disclosed in September 2014

Impact: 76,000,000 households and 7,000,000 small businesses

Summary: The US’s largest bank, JP Morgan Chase, was hacked in June 2014, though this data hack wasn’t discovered until July 2014. By this point, the hackers had already gotten the highest admin privilege level for dozens of servers.

The hackers managed to access the bank’s database by getting a list of programs and applications on JPMorgan’s computers. They then cross-checked this list with known vulnerabilities in each app and program to look for an entry point. Fortunately, although the hackers managed to gain access to the names, phone numbers, addresses, and emails of JPMorgan account holders, there was no evidence of fraud involving this information.

3. The Home Depot

Date: September 2014

Impact: 56,000,000 records

Summary: Hackers installed malware on cash register systems at 2,200 Home Depot branches. As a result, the credit card details of around 56 million customers were stolen, some of which were sold online.

Penalties: In 2020, The Home Depot paid a $17.5 million settlement for this breach. The company also agreed to upgrade its security training and program and hire a chief information security officer. Additionally, it agreed to undergo a post-settlement security assessment to evaluate the implementation of new security measures.

4. Korea Credit Bureau

Date: January 2014

Impact: 20,000,000 bank and credit card users in South Korea

Summary: An employee from the personal credit rating firm Korea Credit Bureau was arrested for stealing the personal data of up to 20 million bank and credit card users in South Korea. The employee then sold the data to phone marketing companies. The stolen data includes social security numbers, names, credit card numbers with expiration dates, and phone numbers.

5. Sony Pictures

Date: December 2014

Impact: 10,000,000 records

Summary: Hackers accessed potentially every record held by Sony Pictures, including employees’ Social Security numbers, criminal background checks, doctors’ letters for leaves of absence, unreleased films, and sensitive documents. This leak was embarrassing for Sony because it came just three years after a major hack in 2011 when customers went through a three-week hacking issue that compromised the financial and personal information of up to 25 million customers and took Sony’s Playstation Network (PSN) offline.

Penalties: Sony agreed to pay up to $8 million for the hack.

Biggest Data Breaches in 2013

1. Yahoo

Date: 2013

Impact: 3,000,000,000 user accounts

Summary: In 2013, Yahoo’s system was breached, and hackers stole data from over 3 billion user accounts. Luckily, the stolen data didn’t include any unhashed passwords, bank account numbers, or payment data.

2. Court Ventures

Date: October 2013

Impact: 200,000,000 records

Summary: A Vietnamese man posing as a private investigator in Singapore contracted with Court Ventures (owned by Experian) to gain access to 200 million Americans’ private information, including their Social Security numbers, names, and dates of birth. The cybercriminal then used this information to operate an identity theft business, which attracted more than 1,300 customers. In total, he made at least $1.9 million between 2007 and February 2013.

3. Multiple American Businesses

Date: July 2013

Impact: 160,000,000 records

Summary: Hacking gangs targeted several American businesses for seven years, leaking 160 million credit and debit card numbers. The targeted businesses included 7-Eleven, JC Penney, Wet Seal, Heartland Payment Systems, Dexia, Dow Jones, Visa Jordan, Diners Singapore, Visa Jordan, and Ingenicard.

4. Target

Date: November 2013

Impact: 70,000,000 records

Summary: 70 million credit and debit card accounts were stolen during 2013’s Black Friday sales rush at Target. The cyber attackers had gained access to Target’s server through credentials they had stolen from a third-party vendor. Then, they installed malware onto the system and captured customers’ full names, addresses, email addresses, phone numbers, and credit and debit card numbers.

Penalties: In 2017, Target paid an $18.5 million settlement for this breach. They also agreed to pay up to $10,000 to consumers who could provide evidence that they suffered losses due to this breach.

5. Excellus Health Plan

Date: December 2013 to May 2015

Impact: 9,300,000 people

Summary: Excellus Health Plan, a New York-based health insurer, experienced a data breach that exposed the personal data of over 9.3 million people between late 2013 and May 2015. The breached information included a variety of sensitive information, such as names, dates of birth, addresses, email addresses, bank account information, Social Security numbers, medical treatment information, and health plan claims.

Penalties: Excellus agreed to pay $5.1 million for violating Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules. The company paid the fine to the US Department of Health and Human Services Office for Civil Rights (OCR).

Biggest Data Breaches in 2012

1. Zappos

Date: January 2012

Impact: 24,000,000 records

Summary: Zappos, an Amazon-owned eCommerce firm, was targeted by cyber criminals. They hacked into Zappos’ internal network, exposing email addresses, names, addresses, phone numbers, and encrypted passwords.

2. KT Corp

Date: February 2012

Impact: 8,700,000 people

Summary: Two hackers leaked the personal information of 8.7 million mobile phone users from the network system of KT Corp, South Korea’s second-largest mobile carrier. The leak contained the personal information of phone users and data about their mobile phones and monthly plans.

Several telemarketers were also charged with buying the stolen data for telemarketing purposes. The number of records stolen was nearly half of the total number of mobile phone users in South Korea.

3. South Carolina State Department of Revenue

Date: Mid-September to October 20, 2012

Impact: 3,600,000 Social Security numbers and 387,000 debit and credit numbers

Summary: An international hacker exposed 3.6 million Social Security numbers and 387,000 credit and debit card numbers. Fortunately, most of the credit and debit numbers were encrypted, with only 16,000 being unencrypted. The hacker had stolen the data in mid-September after looking at the State Department’s system for security gaps in late August and early September. The vulnerability was finally closed on October 20, 2012.

4. Three Iranian Banks

Date: April 2012

Impact: 3,000,000 debit account numbers and PINs

Summary: Khosrow Zarefarid, a hacker and security researcher, attacked three Iranian banks. Zarefarid was frustrated because the Shetab payment network ignored his request to fix security bugs he discovered in the network. So he sent a report about the flaws to the heads of Iran’s major banks. However, he received no response, and as a result, he decided to steal account numbers and post them online to highlight Iran’s banking system vulnerabilities.

Zarefarid posted all the details he had stolen, including PINs and debit card numbers, on his blog. Iranian banks responded by telling cardholders to change their passwords, and Iran’s Central Bank issued an apology for the incident. Google eventually took down Zarefarid’s blog.

5. Apple

Date: September 2012

Impact: 1,000,000 records

Summary: AntiSec, a hacker group associated with the decentralized international hacker group Anonymous, claimed to have posted 1 million Apple Unique Device Identifiers (UDIDs). UDIDs are the unique strings of numbers that identify each Apple device and are used by developers to track app installations. AntiSec also claimed to have obtained names, notification tokens, and addresses from a laptop used by an FBI agent. They were able to access the laptop via the AtomicReferenceArray vulnerability on Java.

Biggest Data Breaches in 2011

1. Sony PSN

Date: April 2011

Impact: 77,000,000 records

Summary: A hacker accessed 77 million Sony PSN and Qriocity user accounts. These users were also unable to go online for 23 days due to the hack. Although Sony encrypted all of the credit card information on its systems and there was no evidence that credit card data had been stolen, the hacker may have been able to access credit card numbers and CVV numbers. In addition, other personal data, such as names, email addresses, dates of birth, account passwords, and addresses, were also compromised.

Penalties: The UK’s data privacy watchdog, the Information Commissioner’s Office (ICO), fined Sony Computer Entertainment Europe Limited for £250,000, or $395,775. According to the ICO, Sony could have prevented the attack if the software had been up to date. Sony should’ve also done more to protect their users’ personal data.

2. Steam

Date: November 2011

Impact: 35,000,000 records

Summary: Hackers broke into the video game service Steam by using login details from a forum hack. They were able to access Steam users’ usernames and encrypted passwords, game purchases, credit card information, and billing addresses.

3. Nexon Korea Corp

Date: November 2011

Impact: 13,000,000 people

Summary: Hackers obtained the personal information of up to 13 million subscribers of Maple Story, a popular online game by Nexon Korea Corp. The leaked data included resident registration numbers, user IDs, names, and passwords.

4. The New York City Health and Hospitals Corp

Date: February 2011

Impact: 1,700,000 people

Summary: The New York City Health and Hospitals Corp was hacked, and the personal records of up to 1.7 million individuals were potentially jeopardized. On December 23, 2010, computer backup tapes were stolen from a truck that was moving them to a secure location. The tapes included backup information collected throughout the past 20 years and included vital data such as patient medical histories, names, Social Security numbers, and addresses. They also had the employee/occupational health information of contractors, staff, vendors, and others.

The New York City Health and Hospitals Corp responded to this leak by giving one free year of credit protection services to everyone who was affected.

5. The Washington Post

Date: June 27-28 2011

Impact: 1,270,000 user accounts

Summary: An unauthorized third party broke into The Washington Post’s job listing site and accessed user information on June 27 and 28. The unauthorized party stole email addresses and user IDs, but no other personal information was affected.

Biggest Data Breaches in 2010

1. Educational Credit Management Corp

Date: March 2010

Impact: 3,300,000 records

Summary: A US Department of Education contractor stole a device containing student loan records. This breach affected up to 5% of the US’s federal student loan borrowers.

2. Gawker

Date: December 2010

Impact: 1,500,000 records

Summary: Hackers stole the source code of the celebrity blog Gawker.com, along with 1.5 million emails, usernames, and passwords. The personal details of Gawker’s founder, Nick Denton, were also leaked. The attack was done over 24 hours and dug deep into the site’s computer systems, totally decimating its security shield.

3. Ohio State University

Date: December 2010

Impact: 760,000 records

Summary: In December 2010, Ohio State University suffered a data breach that jeopardized over 760,000 people. The university notified former and current applicants, students, faculty, and others with connections to the universities that hackers had accessed the server that stored their Social Security numbers, names, addresses, and dates of birth.

The breach cost the university around $4 million in expenses related to investigative consulting, credit security, notification of the breach, and a calling center to answer concerns and questions.

4. Lincoln Medical and Mental Health Center

Date: June 2010

Impact: 130,000 records

Summary: New York’s Lincoln Medical and Mental Health Center lost 130,000 records when seven CDs full of unencrypted data were lost in transit. The hospital’s billing processor, Siemens Medical Solutions USA, sent the CDs through FedEx around March 16, 2010, but they never arrived at the intended destination.

The leaked information included sensitive health and personal information, such as Social Security numbers, dates of birth, health plan numbers, addresses, driver’s license numbers, and details about medical procedures. The CDs were password-protected but unencrypted.

Wrapping Up

As technology progresses, data breaches have become increasingly widespread and dangerous. As this list of famous data breaches reveals, most major data breaches in the early 2010s concerned medical centers, universities, government departments, international gaming platforms, and other large corporations.

However, a more significant percentage of data breaches involve social media apps and eCommerce platforms in recent years. This means that every company — regardless of size and industry — needs to be vigilant about security. They should use these data breach examples as a warning.

If your organization doesn’t have adequate security measures, it can quickly become the target of malicious third parties. What’s more, security hacks can also jeopardize the safety of your clients, employees, contractors, and anyone else who has their information on your servers. This can lead to hefty fines imposed on you by security watchdogs and expensive class-action lawsuits.

As such, you must have up-to-date security software (i.e., firewalls, anti-ransomware software, and antiviruses) at all times.

You also need to create and implement privacy protocols for your organization because recent data privacy statistics show that consumers demand increased efforts to protect their personal information. A robust privacy culture will help your employees understand the importance of security and why they need to play a role in protecting data.

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author