The cost, frequency, and sophistication of data breaches are on the rise. According to the latest data breach statistics, many high-profile companies have been targeted by major cyber attacks.
As a result, data privacy and security have moved to the forefront of boardroom visibility.
The result was new legislation in the US, Europe, and Australia, most of it coming into effect in 2018.
Organizations must now adhere to new rules specifying user notifications and timeframes, business size applications, and reporting requirements.
Even without the fines, the cost of data breaches was already high. Today there’s the cost behind updating data systems, hiring forensic investigators to look into the incident, briefing the legal department, and paying up settlements with dissatisfied customers.
This also includes the potential damages from the worst hacks involving espionage and IP theft, where your competitors can learn about your business practices and future plans.
With all this in mind, what are the risks for you as a customer, as a social network user, or as a company?
What particular type of data breach might affect you, depending on the data you’re storing?
And how can data breaches be prevented?
Check out these statistics and find out what you should be on the lookout for, as well as what steps you should take to minimize damage if you’ve been compromised.
Key Data Breach Stats Takeaways
- According to the Breach Level Index, roughly 10 billion records have been breached since 2013
- The average total cost of a data breach is $3.86 million
- 24% of breaches affect healthcare organizations
- In 2018 Facebook compromised 50 million accounts
- 97% of people use their sensitive data on digitally transformative technologies
- Phishing and pretexting represent 93% of social attack-based breaches
General Data Breach Statistics
1. You have a 27.9% chance of experiencing a data breach of at least 10,000 records.
With 6,466,440 records breached every day worldwide, this should come as no surprise. The threat is real and affects individuals and businesses alike. In both cases, the best steps to take are the following: Act quickly, seek help, and stop the problem from spreading. The quicker the recovery, the less it will cost you, especially if you run a small business. Unless you play it smart, you might not recover.
2. It takes organizations about 197 days to detect a breach.
Cybersecurity statistics from 2018 by the Ponemon Institute provide this invaluable insight. The mean time to contain the breach (MTTC) was 69 days. Companies that contain a breach in less than 30 days save over $1 million.
3. The average total cost of a data breach is $3.86 million, and the average total one-year cost increase is 6.4%.
According to the Ponemon Institute, the overall cost of a data breach involves more losses than you can imagine. There are the business disruption and revenue loss from system downtime, the lost customers that no longer trust your brand, the new customers you will fail to acquire, and finally, the lawsuits.
Recent trends suggest that the consequences of company data breaches are only going to get worse. The average total cost of a data breach, the average cost for each lost or stolen record (per capita cost), and the average size of data breaches have all increased in 2018.
4. The average cost for each lost record increased by 4.8%, from $141 to $148.
The United States, Canada, and Germany continue to have the highest per capita costs of cyber breaches at $233, $202, and $188. Turkey, India, and Brazil have much lower per capita costs at $105, $68, and $67. The increase isn’t too worrying, but the steady rise is still underway.
5. Europe’s General Data Protection Regulation fines for noncompliance may be as high as €20 million.
Paragraph 5 of Article 83 of the GDPR states that infringements can lead to huge fines for companies that have been hacked in Europe. The Office of the Australian Information Commissioner (OAIC) implemented the mandatory Notifiable Data Breach (NDB) Scheme in February 2018. This regulation requires organizations to notify the OAIC of data breaches likely to cause harm, while also notifying the individuals affected.
The Australian practice seems like a particularly good idea since it usually takes companies ages to admit to data breaches. In the Adobe hacking case, for example, the firm originally admitted that 2.9 million accounts had been affected. It was later revealed that the true number was 38 million.
6. 73% of breaches are perpetrated by outsiders, 28% by internal actors, 2% by partners, and 2% by multiple parties.
The scariness of this stat mainly originates from the fact that 1 in 4 data breaches were the fault of one of a company’s own people. And we don’t mean the ones who clicked on a dodgy link. The 2018 Verizon Data Breach Investigations Report (DBIR) suggests that the insider attackers were mainly motivated by financial gain, espionage, and yes, honest mistakes. System admins are the top internal actors responsible for these recent data breaches, at 25.9%.
7. 50% of data breaches are carried out by organized criminal groups, while 12% of attackers are identified as government-related or those affiliated with a nation-state.
The report also suggests that organized cybercrime is the new guy in a hoodie. They have resources, large botnets, and the inner workings of a legitimate company. State-affiliated groups were involved in more than 1 in 10 hacks worldwide.
8. 48% of breaches feature hacking, 30% include malware, 17% are social attacks, 12% involve privilege misuse, and 11% are physical actions, according to Verizon’s look into data breaches from 2018.
Several of these attack types were often combined in a single breach, as when malware or ransomware is used as a diversion for data theft. It was therefore difficult to come up with a figure for each separate attack, so the report introduced action varieties in breaches. The use of stolen credentials (hacking) took the lead, with RAM scraper (malware), phishing (social), and privilege abuse (misuse) trailing behind.
9. According to Verizon’s cyber attacks statistics from 2018, 24% of breaches affected healthcare organizations, 15% of breaches involved accommodation and food services, and 14% were breaches of public sector entities.
The healthcare industry has the dubious distinction of being the only one that has a greater insider threat than an external one. This somewhat bleak finding is linked closely to the fact that there can be a large number of errors and employee misuse. Healthcare is almost seven times more likely to feature a casual error than other verticals in Verizon’s dataset.
So how can security breaches be prevented in healthcare? One huge step would be refusing to pay ransoms, not to mention minding the connected IoT devices. Paying ransom might seem like the best option to a healthcare organization. This act, however, is a guarantee that more attacks will follow, as criminals now see them as a paying client. Also, the industry’s huge number of IoT devices increases the risk of quick and easy breaches.
10. 58% of the victims are categorized as small businesses.
By small business, the 2018 Verizon report means organizations with fewer than 250 employees. Most people are surprised to hear that small businesses are hackers’ primary targets, but according to recent data breach statistics, it’s true. These incidents never hit the news, which is probably why they’re so invisible. Remember the Target breach when tens of millions of people lost their credit card details to hackers?
Here’s what most people don’t know: Target’s network was infiltrated via a small HVAC company. The attackers then stole access credentials to Target’s network. Small businesses lack sufficient security measures and, most of all, properly trained personnel. They also neglect to back up their files or data (ransomware bait right there). And finally, they are often leveraged so that bigger companies can be hacked.
11. 60% of small to mid-sized businesses forced to suspend operations after a cyber attack never recover enough to reopen for business.
Within 6 months of a successful cyber attack, most businesses of this size never recover. Frankly, most small businesses lack the necessary resources to recover. Because of this, sometimes a cybersecurity breach can cost you everything. For this size of company, the IT department has to protect user identities, the devices used, their network, and their cloud services. This means they have to operate on 4 separate security platforms. Additionally, they usually lack proper insurance coverage and the means to pay any ransom in case of ransomware. They also lack the resources and the infrastructure to handle any damage to their reputation.
12. Over 6,500 incidents that resulted in compromised data were disclosed publicly in 2018.
How many data breaches were there in 2018? The number of publicly known data breaches has decreased when compared to 2017, despite harsher breach notification legislation. Two-thirds of these breaches targeted businesses, according to a report from security intelligence vendor Risk Based Security (RBS).
13. A malicious email was the source of the installation of 49% of non-POS malware.
Social engineering seems to be hugely successful at extracting data. One of the most significant takeaways from this report is that phishing and pretexting represent 93% of social attack-based breaches. Email breaches continue to be the most common vector for launching social attacks, with 99% of the actors being external to organizations. 59% of phishing and pretexting attacks are motivated by financial gain, with an additional 38% attributed to corporate espionage.
14. 76% of breaches were financially motivated.
According to Verizon’s report, 68% of breaches take months or longer to be discovered. This gives criminals a lot of leeway for putting your data up for sale on the black market. In his 2018 report for Bromium, Dr. Mike McGuire combined the data he found on the dark web with a McAfee report.
He devised the following data breach statistics: Credit card data is worth approximately $10 each (the average sale value per record in 2016/2017). With 1.5 billion pieces of stolen data available at $10, the total revenue is $15 billion. Banking or payment system data is worth $114 billion. Login credentials are worth approximately $495 million. Stolen cards have an estimated loss (in revenues) of $30 billion. And finally, the entirety of stolen data revenue amounts to $160 billion.
15. 13% of these breaches were initiated to gain a strategic advantage (espionage).
Some of the biggest cyber attacks show that advanced hacking groups are becoming bolder when conducting campaigns, with the number of organizations targeted by the biggest campaigns rising by almost a third. A combination of new groups emerging and attackers developing successful strategies for breaking into networks has seen the average number of organizations targeted by the most active hacking groups rise from 42 between 2015 and 2017 to an average of 55 in 2018.
According to recent data on these breaches, hackers associated with China’s Ministry of State Security breached the Hewlett Packard Enterprise and IBM, then accessed their clients’ computers. Their recent network attacks could indicate that China’s strategic plan to produce higher value products and services is taking off, and foreign intellectual property is of value for this.
16. In the case of 68% of breaches, it took months or longer before they were discovered.
The longer it takes to both detect and contain these breaches, the costlier the repairs—and the angrier your users. With the new legislation in Europe, Australia, and the US, a failure to notify your users or your superiors about a relevant breach will result in immense fines. And yet, new cyber crime facts and statistics are still expected to get worse.
If you want to avoid sanctions in 2019, follow the prescribed security protocols, and notify the authorities as quickly as possible. Also, don’t be tempted to play along with the attackers or pay a ransom. This would put you on the “payer” list, thereby increasing your risk of repeated attacks significantly.
17. 97% of people are using their sensitive data on digitally transformative technologies.
If faced with a choice between safety and convenience, most people choose convenience and run the risk of major cyber attacks. The 2019 Thales Data Threat Report concluded that people are using, and therefore exposing, a huge amount of confidential data entrusted to them by their users. The sensitive data includes client information, credit card info, payment or financial details, intellectual property, and even business databases or contract records.
18. Less than 30% of respondents use data encryption in these cases.
The 2019 Thales Data Threat Report study also found some key areas where the encryption rates are higher, like with the IoT (42%), containers (47%), and big data (45%). Data encryption that would render information unreadable and therefore useless to the attacker allows you to protect corporate secrets and other confidential information.
19. 44% of users consider the complexity behind data security as a perceived barrier to implementing it.
For reasons of competitiveness and usability, more and more companies are moving to cloud or multi-cloud environments. The job of storing data is done either by the company or a third party, which is then even more difficult to secure, says the 2019 Thales Data Threat Report. Most organizations find it difficult to manage all these internet security breach challenges and implement proper safety measures. What’s more, when it comes to smaller and mid-sized companies, budget restraints and staff shortages make this task even more difficult.
20. IDG Research reports that 25% of companies don’t have a cloud-first policy. Security concerns played a big role in this.
The ongoing migration of data to the cloud increases security risks. The data is available to multiple corporations in a shared space, and readily available to the companies’ employees. As always, if it’s there so you could have easy access, the black hat hackers will also have less trouble getting their hands on it. In one of the biggest data breaches in 2018, Facebook compromised 50 million accounts. All the platforms and third-party services that use the Facebook login feature are now vulnerable.
21. 59% of companies in the UK and US experienced a data breach after going through a third party. Only 16% consider their third-party risk management systems effective enough.
The results of the third annual Ponemon Institute’s “Data Risk in the Third-Party Ecosystem” study remind us that the worldwide data hack risks are beyond our control more than we realize. Even with proper employee training, antivirus software, and firewalls, our data is at huge risk. A company might use a third-party hosting service that again works with a fourth-party systems integrator. The oversight of suppliers isn’t something many companies can afford or manage.
To top it off, cyber attack regulations will hold your company accountable even if a third-party was at fault. Also, in the case of 2018’s US information security breaches, as many as 61% of companies had a vendor or third-party data breach. That’s up 5% from 2017, and 12% from 2016.
22. In a 2018 Ponemon Institute survey, 52% of organizations that maintained IoT inventory said they had at least 1,000 IoT devices. However, the real study average was actually 15,000.
Knowing exactly what type of data you are storing, where you are storing it, and what the potential liabilities might be is of vital importance when implementing data security. As AON’s 2019 Cyber Security Risk Report concluded, most people can’t even do that. What causes data breaches? Criminals and human error, naturally. But most of all, it’s the failure of organizations to mind the details and do a fair assessment of their disadvantages. Weak passwords, untrained staff, improper configuration, and an outdated OS are all on you.
23. In the last year, 21% of companies experienced an attack or breach because of unsecured IoT devices, and 18% said the attacks were caused by third-party devices.
In a more ridiculous recent cyber security breach, hackers stole a casino’s customer data via a connected fish tank. Attackers gained access to the casino’s high-roller database. Devices with simple functions and default passwords that are rarely changed (if ever) are particularly easy targets. An IoT attack is an easy way to gain a foothold into a network.
24. Media reports surrounding 2018’s biggest data breaches have speculated that each company involved could face a potential fine of at least $500 million if certain GDPR violations are discovered.
Data breach statistics from 2018 and 2017 must have scared individuals and governments on a global scale to produce these regulations. In January 2019, Google was fined €50 million for their failure to disclose to users exactly how their data is collected across services, including the Google search engine, YouTube, and Google Maps.
British Airways could lose £500 million over the 2018 data leaks.
25. Only 4% of breaches were “secure breaches” in which proper encryption was used and no stolen data could be taken advantage of.
According to Breach Level Index, nearly 10 billion records have been stolen or breached since 2013, and in only the measly 4% of breaches mentioned above did encryption do its job. Here’s the deal: it’s a bother for most companies to use proper encryption, so they often end up switching it off. Every time you want to perform any type of data-focused operation, you have to decrypt the data first. This makes data highly inaccessible, and, as the stats tell us, unattractive to users.
So how can you protect your customer data? A Medium article from June 2018 offers a solution. Homomorphic encryption is one alternative that can help you work both quickly and safely. Homomorphic encryption gives companies an easy way to run analytics on their data while staying safe. Up until recently, this process was way too slow. However, IBM’s homomorphic encryption now runs 75 times faster, according to a paper from the International Association for Cryptologic Research.
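To make "analytics on encrypted data" concrete, here is an added example (not code from the article or from any vendor it mentions) using Paillier, a classic additively homomorphic scheme that is much simpler than the fully homomorphic systems referred to above. The key size, the sample amounts and all function names are assumptions made for this illustration; the toy primes are far too small for real use.

```python
import math
import secrets

# Toy key material constructed for this example: two Mersenne primes.
# A real deployment uses randomly generated primes of 1536 bits or more.
P = 2**89 - 1
Q = 2**107 - 1


def keygen(p=P, q=Q):
    """Return (public, private) Paillier keys, using generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    # With g = n + 1, L(g^lam mod n^2) equals lam mod n, so mu = lam^-1 mod n.
    mu = pow(lam, -1, n)
    return {"n": n, "n2": n * n}, {"lam": lam, "mu": mu}


def encrypt(pub, m):
    """Encrypt integer m (0 <= m < n) under fresh randomness r."""
    n, n2 = pub["n"], pub["n2"]
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    g_m = (1 + m * n) % n2          # (n + 1)^m mod n^2
    return (g_m * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Recover the plaintext; only the private-key holder can do this."""
    n, n2 = pub["n"], pub["n2"]
    u = pow(c, priv["lam"], n2)
    return (((u - 1) // n) * priv["mu"]) % n


def add_encrypted(pub, c1, c2):
    """Ciphertext of (m1 + m2): multiply the two ciphertexts."""
    return (c1 * c2) % pub["n2"]


def scale_encrypted(pub, c, k):
    """Ciphertext of (k * m): raise the ciphertext to the power k."""
    return pow(c, k, pub["n2"])


def encrypted_total(pub, ciphertexts):
    """What an analytics server without the key would run."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


def demo():
    pub, priv = keygen()
    # Constructed sample data: purchase amounts in cents.
    amounts = [1999, 4550, 120, 75000]
    stored = [encrypt(pub, a) for a in amounts]   # what the database holds
    total_ct = encrypted_total(pub, stored)       # computed on ciphertext only
    return decrypt(pub, priv, total_ct), sum(amounts)


if __name__ == "__main__":
    print(demo())
```

The server that computes the total never holds the private key, so a breach of that server exposes only ciphertext.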
26. 27% of all data breaches were unintentional or inadvertent in nature, according to the 2018 Verizon report.
So what percent of data breaches are caused by human error? Not many, and certainly less than there were in 2013. Back then, accidents were behind more than half of the data breaches that took place, according to the Information Commissioner’s Office. The figure covers human error and system glitches, including both IT and business process failures.
27. 48% of data breaches involved a malicious or criminal attack.
What causes the highest percentage of data breaches? Criminals, according to Verizon’s most recent report. They’re the bad guys with nasty intentions for organizations in all countries. The most common types of malicious or criminal attacks include malware infections, criminal insiders, phishing/social engineering, and SQL (structured query language) injection.
However, there’s a solution to thwart inside jobs by checking employees using criminal background check services. This way you’ll know who has a history in criminal activities and can easily find the perpetrator.
21+ Biggest Data Breaches
Year of Breach: 2013, 2014, and 2016
Data Breached: 3 billion, then 500 million, and then 200 million users’ accounts
Legal Action: $117.5 million—the biggest common fund ever obtained in a data breach case
In three subsequent data breach cases, Yahoo compromised information on every single one of its users.
The information included users’ names, telephone numbers, dates of birth, and email addresses, as well as encrypted and unencrypted security questions and answers.
In some cases, even the poorly scrambled passwords that used a lousy MD5 cryptographic hashing algorithm got stolen.
So if you’ve been wondering, What is the biggest data breach in history? Yahoo, by all means, is your answer.
No other data breach in internet history has counted its number of affected users in the billions.
US prosecutors charged two Russian intelligence agents and two hackers for being involved in one of the latest breaches. One of the hackers later pleaded guilty.
It’s hard to pinpoint the worst part of the Yahoo data breach. The fact that it took Yahoo years to come out with the true severity of the breaches is our top favorite.
Even though the first, and the biggest, data breach occurred in 2013, it was only in October 2017 that Yahoo finally updated its assessment of the hack.
Year of Breach: 2018
Data Breached: 383 million records
Legal Action: $100 million class-action lawsuits filed in Calgary
More than 150 guests have sued the hotel chain in a federal class-action lawsuit.
In one of the biggest data breaches of all time, the hotel did not do enough to protect its customers’ data.
What’s more, it “failed to provide timely, accurate, and adequate notice” to guests whose information was accessed by hackers.
The personal info included names, passport numbers, and credit card information.
3. Adult Friend Finder
Year of Breach: 2016
Data Breached: 412 Million Accounts
The breached databases contained emails, passwords, and usernames, all stored as plain text or hashed using SHA1 with pepper—the sheer number of accounts placing it among the world’s biggest data breaches.
The stolen information also included computer IP addresses, dates of birth, users’ marital status, and the dates of their last visit.
LeakedSource, a breach notification site, claimed it cracked 99% of the passwords from the various databases.
The particularly sensitive nature of some of the exposed info left people all over the world exposed to phishing attacks and even worse, extortion.
According to the 2018 Verizon data breach report, only 4% of people click on a phishing campaign.
However, it only takes one phish to blow the entire company’s confidential data.
There were 78,301 users who registered on FriendFinder with a .mil email address, and yes, the 5,650 users with a .gov email address were particularly vulnerable. The breach even affected over 15 million “deleted” accounts.
Year of Breach: 2013, reported in 2016
Data Breached: 360 million emails and passwords
This included the “email addresses, Myspace usernames, and Myspace passwords for accounts created prior to June 11, 2013, on the old Myspace platform,” according to a Myspace blog post that announced the hack.
The hacker supposedly responsible is the same one who took responsibility for breaching 167 million LinkedIn accounts in 2013. Still, one of the world’s biggest data breaches, as it later turned out, could have been committed by pretty much anyone.
All someone needed was an account owner’s listed name, username, and date of birth, and they could have taken over their Myspace account. Yikes.
Year of Breach: 2018
Data Breached: Around 340 million records
Legal Action: Class-action lawsuit underway
This Florida data broker had its database exposed, which contained close to 340 million individual records on a publicly accessible server.
This breach impacted 110 million businesses and 230 million consumers. It’s still not clear whether this was a matter of intelligent design or just one of the biggest accidental data leaks ever.
The nearly 2 terabytes of stolen data included phone numbers, email and home addresses, and oddly specific categories such as smoking habits, interests, and the gender of the users’ kids. Luckily, no social security numbers or credit card data was leaked.
6. Under Armour
Year of Breach: 2018
Data Breached: 150 million MyFitnessPal accounts
In 2018, a lawsuit was filed against Under Armour after the breach of their MyFitnessPal nutritional website and mobile app.
The Under Armour data breach involved data such as usernames, email addresses, and hashed passwords.
The lawsuit, however, states that Under Armour “also collects credit/debit numbers from its users in order for those users to access premium features of these websites and apps.”
Under Armour’s official statement, however, claims that payment data was unaffected since they collect and process this data separately.
One of the latest security breaches, it reportedly happened in February 2018, although the company discovered the hack on March 25. Under Armour’s stock dropped 3.8% in the aftermath of the breach, before paring losses.
Year of Breach: 2013
Data Breached: 40 million payment card credentials, 110 million customer records
Legal Action: $18.5 million
Hackers obtained names, credit and debit card numbers, and other personal information such as email addresses, encrypted PIN data, phone numbers, and card expiration dates.
As one of the major data breaches of its day, the millions of dollars in damages covered 47 states and the District of Columbia as part of its settlement.
Target also spent $202 million on legal fees and other costs. As part of the settlement, Target agreed to strengthen its digital security, and regularly maintain its software and encryption programs.
Year of Breach: 2017
Data Breached: nearly 150 million US consumers affected
Legal Action: Fine of up to $700 million
The 2017 Equifax data breach included data such as social security numbers, taxpayer ID numbers, names, credit card numbers, and expiration dates. It took the company a full six weeks to disclose the breach.
Equifax confirmed that at least 209,000 credit card credentials were stolen in the attack.
The US Government Accountability Office report confirms that attackers made 9,000 queries to one web server with out-of-date software.
These attacks went unnoticed for 76 days. Ridiculously enough, the then-CEO testified before Congress in 2017, blaming the whole ordeal on a single employee in an attempt to evade responsibility.
A set of consolidated lawsuits against Equifax in the Georgia federal district court were approved and resulted in fines totaling $650 million to $700 million.
Year of Breach: 2014
Data Breached: 145 million users compromised
The eBay data breach started in late February or early March of 2014 when some employee logins were compromised.
These credentials then allowed attackers to infiltrate eBay’s corporate network. Luckily, the attackers failed to access any financial information.
However, they did compromise other details such as names, dates of birth, phone numbers, emails, and shipping addresses.
Forrester Research Security Analyst Tyler Shields noted that this is enough information to commit fraud, including identity theft and other criminal activities.
Al Pascual, Senior Fraud and Security Analyst at Javelin Strategy and Research, blamed this, one of the worst data breaches of the decade, on a spear phishing campaign. “I guess that’s a major lesson here—the system is only as secure as its weakest link, and that is very often its people,” he stated.
Nevertheless, a federal judge dismissed the class-action lawsuit filed against eBay.
10. Heartland Payment Systems
Year of Breach: 2007
Data Breached: 130 million credit and debit cards were compromised
Legal Action: $140 million
Heartland was the victim of an SQL (Structured Query Language) injection—a code injection technique that can destroy a database. The breached Heartland computer network resulted in malware being placed in its payment processing system.
As one of the earliest and biggest data breaches, the criminals somehow made off with the gold once they intercepted and looted the so-called Track 2 data from the magnetic stripe on the back of credit cards. In this way, they were able to make counterfeit cards.
Heartland accrued $139.4 million in expenses following the breach’s aftermath.
The figure accounts for a settlement totaling nearly $60 million with Visa, another of about $3.5 million with American Express, and over $26 million in legal fees.
Year of Breach: 2012
Data Breached: 167,370,910 compromised accounts
Legal Action: Lawsuit dismissed
One of the biggest email breaches, LinkedIn initially reported 6.5 million breached accounts.
In reality, attackers compromised nearly 170 million credentials from this business networking site’s users. Of the compromised accounts, only 117 million had passwords. Others probably logged in via Facebook or some other alternative network.
LeakedSource purchased the credentials for 5 Bitcoins—an equivalent of $2,300—on the dark web forum “The Real Deal.”
A Bank Info Security article stated that of the list of 117 million email addresses and hashed passwords, the top three were “123456,” “linkedin,” and “password.” So 2012, right?
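Several of the breaches above involved passwords stored with fast, unsalted digests (MD5, SHA1) or in plain text. The following added example, which is not from the article or from any of the companies named, shows how such legacy records can be migrated to a salted, slow hash the next time each user logs in. The record format, the iteration count and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Assumption for this example: work factor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def legacy_md5(password):
    """The weak scheme: one fast, unsalted digest per password."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, deliberately slow hash; parameters are stored in the record."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Check a password against either record format in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, rest)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


def needs_rehash(record):
    """True for legacy schemes and for records below the current work factor."""
    scheme, _, rest = record.partition("$")
    if scheme != "pbkdf2_sha256":
        return True
    return int(rest.split("$")[0]) < PBKDF2_ITERATIONS


def login(db, user, password):
    """Verify, then transparently upgrade a weak record on success."""
    record = db.get(user)
    if record is None or not verify_password(password, record):
        return False
    if needs_rehash(record):
        db[user] = hash_password(password)
    return True


def shared_records(db):
    """Number of users whose stored value is identical to another user's."""
    counts = Counter(db.values())
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    # Constructed sample table using passwords quoted in the text above.
    db = {
        "alice": legacy_md5("123456"),
        "bob": legacy_md5("123456"),
        "carol": legacy_md5("linkedin"),
    }
    print("identical records before:", shared_records(db))
    login(db, "alice", "123456")
    login(db, "bob", "123456")
    print("identical records after: ", shared_records(db))
```

With unsalted digests, two users who picked the same password have identical records, so a leaked table reveals the reuse at a glance; after migration each record carries its own salt and the duplicates disappear.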
Year of Breach: 2012–2013
Data Breached: 171 million accounts
In another of the more famous data breaches on a global scale, one of the biggest Russian social networks was hacked.
The database of this St. Petersburg–headquartered social networking giant leaked and exposed its users’ full names, plain-text passwords, email addresses, and often even their phone numbers and home addresses.
The hackers sold 100 million accounts, a bit more than 17 gigabytes in size, for 1 Bitcoin, or around $580 at the time.
Year of Breach: 2012
Data breached: 98 million accounts
The Russian internet portal and email provider became a victim of one of the biggest hacks ever. LeakedSource obtained a copy of the internal customer database.
The breached data included email addresses, usernames, passwords, and social account data. The data was stolen in unencrypted plaintext, so passwords were easily readable by both humans and computers.
This was one of the biggest websites in Russia, and nowadays this situation would have been unthinkable.
Now, all data is usually encrypted and additional checkups exist, such as mobile phone verification, as well as regular reminders for users to change their passwords.
Year of Breach: 2007
Data Breached: 45.7 million accounts
Legal Action: $40.9 million in payments
As one of the early security breach examples, TJX—an American multinational off-price department store corporation—noted that cyberthieves first accessed its systems in July 2005.
They installed malicious software and stole such information as names and addresses, account information, military and state ID numbers, and driver’s license numbers. The data harvesting continued for two years.
Following the breach, TJX agreed to pay $40.9 million to some financial institutions. The MBA, which represents 205 banks in the state, the Connecticut Bankers Association, and the Maine Association of Community Banks, along with a number of individual banks, filed the lawsuit together.
Year of Breach: 2018
Data Breached: Over 92 million users’ info
MyHeritage is a DNA-testing website for tracking one’s heritage. In one of the more recent data breaches, attackers exposed users’ email addresses and hashed passwords.
This breach is a reminder that you have little to no control over the personal data you share with a variety of organizations.
You should therefore never forget to use several different unique, complex passwords for each respective account in order to stay safe.
16. Sony PlayStation Network
Year of Breach: 2011
Data Breached: 77 million user accounts
Legal Action: $15 million settlement
Sony suffered one of the biggest cybersecurity breaches in its video game online network. During a 23-day outage at Sony’s PlayStation Network and Qriocity services, hackers prevented users from accessing the service.
They also took over the PC of a system administrator and obtained users’ home and email addresses, usernames, full names, passwords, logins, birth dates, security questions, and other data.
Hacktivist collective Anonymous took responsibility for the crime. In the aftermath of the breach, Sony provided a “Welcome Back” program, granting many free membership privileges and new content. The $15 million data breach settlement was also generous, all things considered.
17. JP Morgan Chase
Year of Breach: 2014
Data Breached: 83 million households and small businesses
This American multinational investment bank and financial services company suffered a massive data breach. It impacted 76 million households and 7 million small businesses.
The breach affected customers who used their Web and mobile services.
Because the hack didn’t compromise financial data or account information, Chase refused to provide free credit monitoring or identity theft protection to victims.
The hackers likely gained access to the bank’s network via an employee’s personal computer, which they’d compromised beforehand. In one of the biggest data breaches to date, the criminals then penetrated the bank’s systems.
18. Tumblr
Year of Breach: 2013
Data Breached: 65 million accounts
The leaked Tumblr database included users’ email addresses and hashed, protected passwords.
The sad fact about this data theft is that the sale price of the breached data was only $150 on the darknet marketplace “The Real Deal.”
19. Uber
Year of Breach: 2016
Data Breached: 57 million riders’ and drivers’ personal data
Legal Action: $148 million settlement
The Uber data breach exposed the personal information of both users and drivers. Among that data, the hackers stole as many as 600,000 driver’s license numbers.
However, the breach didn’t include any credit card info or social security numbers.
The worst thing about this incident is that it took Uber a year to come clean about the breach.
Two employees paid the hackers $100,000 to destroy the breached data, even though they had no way of knowing if this occurred. Uber fired its CSO soon after the breach went public.
In its attempt to save face and cover the whole thing up, Uber lost quite a bit of its reputation.
The financial losses extended far beyond the $148 million settlement. One of the sorrier entries among global data breaches, the leak was a significant factor in Uber’s stake sale to Softbank. The initial $60 billion valuation soon dropped to $48 billion.
20. Home Depot
Year of Breach: 2014
Data Breached: 50 million customers’ emails or credit card information
Legal Action: $25 million settlement, over $170 million total
This American home improvement store had a major data protection flaw. The breach allegedly affected people who used payment cards in both its US and Canadian stores, specifically at its self-checkout terminals.
In one of the world’s greatest data breaches, Home Depot was obliged to pay at least $134.5 million to Visa, MasterCard, and various banks in compensation.
21. Facebook
Year of Breach: 2018
Data Breached: 87 million users’ data
Cambridge Analytica, a Trump-affiliated data-mining firm, used Facebook’s data on nearly 87 million people to try to influence the presidential elections. For people who read up on politics, that probably makes the Facebook data breach the most famous one on our list.
Facebook CEO Mark Zuckerberg said the company had made a “huge mistake” when it failed to recognize its responsibilities toward users.
1. Anthem Blue Cross
In January 2015, around 79 million patients were affected in one of the worst healthcare data breaches of all time. An unknown hacker broke into Anthem’s database, acquiring patients’ names, addresses, birthdays, social security numbers, email addresses, and even income and employment info.
Luckily, no credit card information or medical data was included on the list of breached information. In the breach’s aftermath, the people affected filed 100 lawsuits against Anthem, consolidated before Judge Koh.
In 2017, they reached a settlement of $115 million in compensation for the damages.
2. The US Office of Personnel Management (OPM)
Another of the major government breaches, this one took place in June 2015 and saw 21.5 million US government employment records breached, along with other personal information.
The agency oversees the legal minutiae of how federal employees are hired and promoted, and it manages the benefits and pensions for millions of current and retired civil servants.
Even though the OPM stores data on the government workforce, it still employed ancient filing techniques, where paper forms get filled out in triplicate. Surprisingly for 2015, the data was not encrypted.
3. 620 million accounts were breached from 16 websites.
The compromised websites include 500px, Dubsmash, Armor Games, ShareThis, Whitepages, and more. These recent cyber security breaches affected 620 million accounts.
This data can be purchased for $20,000 in Bitcoin on Dream Market, a cyber-souk located in the Tor network.
Among these 2019 attacks, the levels of data protection varied. For example, if a person bought the 500px database, they could crack the weaker passwords, but the rest would remain impossible to read.
Even then, the attacker could use a cracked password to log into a stranger’s Gmail or Facebook account if that person reused it there.
Uber tried to bribe hackers to destroy the private data on their users and drivers with no way of knowing if they would execute this order. The Yahoo security breach somehow compromised the data of every single user, amounting to billions of accounts. And then it happened again. Twice.
The breach of Adult Friend Finder, a hookup website, made millions of users easy targets for phishing attacks and extortion. And simple malware cost Heartland Payment Systems $140 million in legal fees and compensation.
These failures are a testimony to just how safe—or unsafe—your belongings are in an online environment. Not to mention how oblivious, dishonest, and unaffected businesses can be unless state legislation forces them to care.
Still, the list leaves us on one positive note—things have changed, and businesses and people keep adapting. Keeping confidential info stored in plaintext and using ridiculously simple passwords are now merely a funny concept from a past long gone.