Data breaches are impacting businesses at an exponential rate, representing one of the biggest threats to personal data in the history of the Internet.
From vulnerable AI platforms to poor data security protocols, bad actors exploit these vulnerabilities, stealing consumer data and using it for monetary gain or other illegal purposes.
In 2023, the number of reported data breaches in the U.S. was up 78% from 2022. (ID Theft Center)
Below, I list the 10 biggest data breaches ever and the biggest breaches that occurred by year.
10 Most Impactful Data Breaches Ever
To start us off, I’ve made a list of the top 10 data breaches that have ever occurred up until now.
1. Yahoo – 3,000,000,000 records lost
In 2013, hackers breached Yahoo’s system and leaked customer info from over 3 billion accounts. Fortunately, the stolen data didn’t include crucial information such as payment data, unhashed passwords, or bank account numbers.
2. National Public Data – 2,900,000,000 records lost
In April 2024, it was revealed that a historical data breach occurred, hackers gaining access to billions of individual’s Social Security numbers, among other personal data.
3. River City Media – 1,370,000,000 records lost
In March 2017, a spam email operator exposed 1.37 billion records by accident, making it one of the most major data breaches ever. This breach happened when River City Media accidentally published a snapshot of a backup from January 2017 without password protection.
4. Aadhaar – 1,100,000,000 records lost
In March 2018, India’s biometric database, Aadhaar, was breached through a leak at a state-owned utility organization. This breach meant that every registered Indian citizen was affected, and their identity numbers, bank details, and names were all leaked.
5. Indian Council of Medical Research (ICMR) – 815,000,000 records lost
In October 2023, the COVID testing data of 815 million people (81.5 crore) was stolen from the Indian Council of Medical Research. The bad actor attempted to sell the dataset for $80,000 on hacking forums. Four people have since been arrested in relation to the crime.
6. Spambot – 711,000,000 records lost
In August 2017, a spambot leaked passwords and emails due to a misconfiguration. As a result, over 700 million records — roughly equivalent to one email address for every man, woman, and child in Europe — were leaked. But the breach included lots of repeated and fake accounts.
7. Facebook – 533,000,000 records lost
In March 2021, hackers scraped the social media giant Facebook due to a vulnerability that was patched in 2019. A whopping 533 million user records from 106 countries were posted onto a hacking forum including full names, phone numbers, user locations, biographical information, and email addresses.
8. Syniverse – 500,000,000 records lost
Syniverse, a company that forms a critical part of the global telecommunications infrastructure, revealed in a filing on September 27, 2021, with the US Securities and Exchange Commission (SEC) that hackers gained access to 500 million records.
The leaked information contained personal information of its employees, trade secrets, intellectual property, sensitive information of its suppliers, customers, vendors, and other important financial information, and the company discovered that hackers had been in its system for years.
9. Yahoo – 500,000,000 records lost
In September 2016, a state-sponsored actor stole 500 million records from Yahoo, including dates of birth, names, and security information. At the time, this was the biggest data breach in history. Today, it lands at number eight on the list.
10. MySpace – 427,000,000 records lost
In May 2016, a search engine for hacked data and a hacker obtained over 400 million records from MySpace. Both parties claimed that they had obtained the data from a past, unreported data security incident. The leaked information contained emails, passwords, usernames, and second passwords.
Biggest Data Breaches By Year
Below I’ve listed the largest data breaches in each year dating back to 2010.
2024
2024 isn’t over yet, but I’ve made a list of the biggest breaches that have occurred this year so far — one even made the top 10 list above.
1. National Public Data (NPD)
2,900,000,000 records lost
In one of the largest data breaches of all time, hackers stole the sensitive information of billions of people, including full names, addresses, birth dates, and social security numbers. (Tech.co)
2. Financial Business and Consumer Solutions (FBCS)
4,200,000 records lost
Hackers stole full names, Social Security numbers, birth dates, and more from FBCS’s systems, a nationally licensed and bonded collection agency. (FBCS)
3. Ticketmaster
560,000,000 records lost
Ticketmaster confirmed hackers stole personal data from customers, including names, addresses, and phone numbers. (Ticketmaster)
4. Change Healthcare
145,000,000 records lost
A ransomeware attack expoed Social Security numbers, medical records, and addresses of millions of Change Healthcare patients. (UnitedHealth Group)
5. AT&T
110,000,000 records lost
In their second breach of the year, hackers stole data from all AT&T customers including approximate locations, phone numbers, and numbers of non-customers. (AT&T)
6. Dell
49,000,000 records lost
Dell confirmed that customer data was compromised in a breach, including home addresses and order information (LinkedIn)
2023
- Indian Council of Medical Research 815,000,000 records lost (Tech Informed)
- X (formerly Twitter) 200,000,000 records lost (CNN)
- MOVEit 62,000,000 records lost (AP News)
- T-Mobile 37,000,000 records lost (T-Mobile)
- HCA Healthcare 11,000,000 records lost (HCA Healthcare)
2022
- Neopets 69,000,000 records lost (CPO Magazine)
- SuperVPN, GeckoVPN, ad ChatVPN 21,000,000 records lost (Cybernews)
- Singtel Optun Pty Limited 9,800,000 records lost (Bloomberg)
- Cash App 8,200,000 records lost (TrendMicro News)
- X (formerly Twitter) 5,400,000 records lost (Malwarebytes)
2021
- Facebook (Meta) 533,000,000 records lost (Business Insider)
- Syniverse 500,000,000 records lost (SEC)
- Power Apps (Microsoft) 38,000,000 records lost (Wired)
- Amazon Vendors 13,124,962 records lost (Safety Detectives)
- Pandora Papers 11,900,000 records lost (The Guardian)
2020
- Pakistani Mobile Operators 115,000,000 records lost (ZD Net)
- SolarWinds 50,000,000 records lost (New York Times)
- MGM Hotels 10,600,000 records lost (ZD Net)
- Dutch Government 6,900,000 records lost (ZD Net)
- Marriott International 5,200,000 records lost (Marriott)
2019
- 16 Hackers Websites 617,000,000 records lost (The Register)
- MongoDB 275,265,298 records lost (Bleeping Computers)
- Microsoft 250,000,000 records lost (Forbes)
- 8 Hacked Websites 127,000,000 records lost (TechCrunch)
- Capital One 100,000,000 records lost (CSO Online)
2018
- Aadhaar 1,100,000,000 records lost (ZD Net)
- Marriott International 383,000,000 records lost (New York Times)
- X (Formerly Twitter) 330,000,000 records lost (Reuters)
- Chinese Job-seeking Websites 202,000,000 records lost (Hacken)
- Quora 100,000,000 records lost (New York Times)
- Google 500,000 records lost (Forbes)
2017
- River City Media 1,370,000,000 records lost (The Guardian)
- Spambot 711,000,000 records lost (The Guardian)
- Equifax 143,000,000 records lost (CBC News)
- Malaysian Mobile Phone Numbers 46,200,000 records lost (Lowyat)
- AI.Type 31,000,000 records lost (ZD Net)
2016
- Yahoo 500,000,000 records lost (CNBC)
- Friend Finder Network 412,000,000 records lost (ZD Net)
- Uber 57,600,000 records lost (New York Times)
- Morgan Stanley 15,000,000 records lost (Reuters)
- MySpace 427,000,000 records lost (Vice)
2015
- Deep Root Analytics 198,000,000 records lost (Reuters)
- Experian/T-mobile 15,000,000 records lost (T-Mobile)
- Anthem 80,000,000 records lost (New York Times)
- Securus Technologies 70,000,000 records lost (The Intercept)
- US Office of Personnel Management 14,000,000 records lost (BBC)
2014
- eBay 145,000,000 records lost (Business Insider)
- JPMorgan Chase 83,000,000 records lost (New York Times)
- The Home Depot 56,000,000 records lost (Krebs on Security)
- Korea Credit Bureau 20,000,000 records lost (Security Week)
- Sony Pictures 10,000,000 records lost (BuzzFeed News)
2013
These are the top 5 largest data breaches that took place in 2013.
- Yahoo 3,000,000,000 records lost (BBC)
- Court Ventures 200,000,000 records lost (Krebs on Security)
- Multiple American Businesses 160,000,000 records lost (Technology Review)
- Target 70,000,000 records lost (USA Today)
- Excellus Health Plan 9,300,000 records lost (USA Today)
2012
- Zappos 24,000,000 records lost (Forbes)
- KT Corp 8,700,000 records lost (Korea Times)
- South Carolina State Department of Revenue 3,987,000 records lost (InfoWorld)
- Three Iranian Banks 3,000,000 records lost (DataBreachToday)
- Apple 1,000,000 records lost (CNET)
2011
- Sony PSN 77,000,000 records lost (Playstation Blog)
- Steam 35,000,000 records lost (BBC)
- Nexon Korea Corp 13,000,000 records lost (Reuters)
- The New York City Health and Hospitals Corp 1,700,000 records lost (InfoRiskToday)
- The Washington Post 1,270,000 records lost (PC Mag)
2010
- Educational Credit Management Corp 3,300,000 records lost (MPR News)
- Gawker 1,500,000 records lost (The Guardian)
- Ohio State University 760,000 records lost (The Lantern)
- Lincoln Medical and Mental Health Center 130,000 records lost (The New York Times)
The Increasing Threat of Data Breaches
Data breaches are on the rise, in large part thanks to our dependency on the internet and the fast advancements in technology, like AI and the Internet of Things.
Meanwhile, security practices, education, and regulatory guidance move much slower and cannot keep up with the fast pace of cybercriminals and bad actors.
Data suggests that more and more businesses are reporting falling victim to a data leak or other cybercrimes impacting consumer personal data:
- In 2023, total data breaches increased by 78% compared to 2022. (ID Theft Center)
- This number represents an increase of 72 percentage points from the previous all-time high in 2021. (ID Theft Center)
- 82% of data breaches included information stored in digital ‘clouds.’ (IBM)
- In the U.S., in 2024, a data breach costs businesses $4.88 million on average, a 10% increase from 2023. (IBM)
- The most common type of data breach in 2023 involved compromising sensitive personal information. (ID Theft Center Annual Data Breach Report)
The data is clear — businesses of all sizes need to take data security seriously to prevent unauthorized access, cybercrimes, and data breaches from occurring.
I suggest businesses use this massive list of data breach examples as a warning; technology has progressed, and data breaches are increasingly widespread.
While most breaches in the 2010s concerned medical centers, government departments, and large corporations, more recently, a significant percentage now involves social media apps and ecommerce platforms.
It’s clear every company, regardless of size and industry, must be vigilant about security.
If you don’t have adequate security measures, you may become the target of malicious cyber attacks that jeopardize the safety of the personal data you collect, and recent data privacy statistics show that consumers demand increased efforts to protect their personal information.
Implement privacy protocols for your organization now to ensure your employees understand the importance of security and why they need to play a role in protecting data.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
