A Comprehensive Analysis of the Biggest Data Breaches in History and What to Learn From Them

Contributors

Anas Baig

Product Marketing Manager at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada

Data breaches have become increasingly common in recent years, exposing millions of people's personal information and causing damage to businesses and organizations. According to a survey carried out among risk management experts in late 2022, cyber incidents were the leading risk to businesses globally for 2023. These cyber incidents include cybercrime, IT failure or outages leading to data breaches, fines, and penalties.

Data breaches occur when an individual or a group gains unauthorized access to sensitive information, such as personal or financial data, intellectual property, or trade secrets.

Data breaches have become more sophisticated, with cybercriminals using advanced techniques to breach security systems and gain access to sensitive data. They use malware, phishing attacks, and social engineering tactics to steal login credentials or gain access to sensitive information.

The consequences of data breaches can be severe for individuals and organizations. For individuals, the theft of personal information can result in identity theft, financial loss, and damage to their credit scores. For organizations, data breaches can result in reputational damage, loss of business, and legal penalties.

In addition to financial losses, data breaches can also impact privacy and human rights. Governments worldwide are introducing data privacy laws that include data breach provisions to protect individuals' privacy and hold companies accountable for data breaches.

Companies must proactively protect their systems and sensitive information to prevent data breaches. This includes implementing robust cybersecurity measures, regularly monitoring their systems for vulnerabilities, and educating their employees on security best practices.

In this comprehensive analysis, we'll take a look at some of the biggest data breaches in history, what we can learn from them, and best practices for companies to avoid falling victim to data breaches.

To better understand how data breaches impact individuals and businesses, here is the annual number of data compromises and individuals impacted in the United States from 2005 to 2022.

Data Breaches

In the year 2022, there were 1802 instances of data breaches in the US. During the same year, data attacks, including data breaches, leaks, and exposure, impacted over 422 million people. Even though these are three distinct events, they all share a similar trait - the sensitive data of individuals is accessed by an unauthorized threat actor.

Top 15 Data Breaches of All Time

1. CAM4

Year: 2020
Records: 10.88 billion (7TB of data)
Industry: Adult cam site
Method: Server breach

Adult video streaming website CAM4 had its Elasticsearch server breached, exposing 10.88 billion records. The breached records included sensitive information, such as full names, email addresses, sexual orientation, chat transcripts, email correspondence transcripts, password hashes, IP addresses, and payment logs.

2. Yahoo

Year: 2013-2014
Records: 3 billion
Industry: Web
Method: Hacked

In 2013 and 2014, Yahoo suffered two massive data breaches that exposed the personal information of all 3 billion of its user accounts. The breaches included names, email addresses, dates of birth, phone numbers, and hashed passwords.

3. Aadhaar

Year: 2018
Records: 1.1 billion
Industry: Government of India
Method: Hacked

India’s largest biometric database, Aadhaar, exposed information on more than 1.1 billion Indian citizens, including their names, addresses, photos, phone numbers, and emails, as well as biometric data like fingerprints and iris scans.

4. First American Financial Corporation

Year: 2019
Records: 885 million
Industry: Financial
Method: Data leak due to poor security

The leaked information included users' sensitive records that date back more than 16 years, including bank account records, social security numbers, wire transactions, and other mortgage paperwork.

5. Verifications.io

Year: 2019
Records: 809 million
Industry: Email validation service
Method: Data breach

Exposed data included email addresses, names, gender, IP address, phone number, and other personal information.

6. LinkedIn  

Year: 2019
Records: 700 million
Industry: Social media platform
Method: Data breach

This exposure impacted 92% of the total LinkedIn user base of 756 million users. The hack included LinkedIn IDs, full names, email addresses, phone numbers, genders, links to LinkedIn profiles, links to other social media profiles, professional titles, and other work-related data.

7. Facebook

Year: 2019
Records: 533 million
Industry: Social media platform
Method: Data leak

The leaked data included personal information such as phone numbers, full names, locations, some email addresses, and other details from user profiles of 533 million Facebook users in 106 countries.

8. Marriott

Year: 2018
Records: 500 million
Industry: Hospitality service provider
Method: Data breach

Marriott’s reservation systems were compromised, exposing hundreds of millions of customer records, including credit card and passport numbers.

9. Syniverse

Year: 2021
Records: 500 million
Industry: Telecommunications
Method: Unauthorized access

The breach was noticed five years after it began, giving the hacker ample time to access virtually everything. The accessed data included caller and receiver numbers, locations, and the content of SMS messages, among other things.

10. Yahoo

Year: 2016
Records: 500 million
Industry: Web
Method: Data breach

Yahoo claims a "state-sponsored actor" was behind this initial cyberattack in 2014. The stolen data included personal information such as names, email addresses, phone numbers, hashed passwords, birth dates, and security questions and answers, some of which were unencrypted.

11. MySpace

Year: 2016
Records: 427 million
Industry: Social media platform
Method: Data breach

The data obtained from the data breach belonged to a past, unreported data security incident.

12. Friend Finder Networks

Year: 2016
Records: 412 million
Industry: Adult dating/entertainment website
Method: Data breach

Sensitive data regarding members’ usernames and passwords, sexual preferences, extramarital affairs, and purchases made on the site were stolen along with 15 million deleted accounts.

13. Exactis

Year: 2018
Records: 340 million
Industry: Data broker
Method: Data breach

The data breach included U.S. citizens’ names, email addresses, phone numbers, various physical addresses, ages, and gender of their children, smoking habits, religious affiliation, pet preferences, and things like scuba diving certifications, along with 400 entries of data per person.

14. Twitter

Year: 2018
Records: 330 million
Industry: Social media platform
Method: Data leak

A Twitter glitch caused some passwords to be stored in a readable format.

15. Airtel

Year: 2019
Records: 320 million
Industry: Telecommunication
Method: Data leak due to poor security

The security flaw provided access to information such as the user's name, email, birthday, residential address, and the IMEI number of the device on which the Airtel app was installed.

Lessons These Organizations Can Learn from Their Data Breaches

Data breaches can significantly impact organizations, including financial losses and reputational harm. However, organizations can also gain important insights from data breaches that can help them strengthen their cybersecurity procedures and avoid facing similar occurrences in the future. The following are some important lessons that these businesses can take away from their data breaches:

  • Conduct regular risk assessments and security audits;
  • Address cloud security misconfigurations; and
  • Implement access controls for sensitive data.

In the case of these organizations, an improved security posture and a strong cybersecurity infrastructure would have probably enabled them to combat data breaches of such magnitude.

Biggest Data Breaches of 2024

1. Mother of all Data Breaches

Records: 26 billion
Industry: Multiple industries
Method: Unauthorized access

In January 2024, security researcher Bob Diachenko discovered "The Mother Of All Breaches" (MOAB), a colossal data breach that included 12 gigabytes of user data from 3,876 domains and 26 billion records. The breach, which is thought to be a collection of records from several smaller breaches over time, contains information from giants, including Adobe (153 million), LinkedIn (251 million), Twitter/X (281 million), Evite (179 million), and Tencent (1.5 billion records exposed), which is at the top of the list.

2. National Public Data

Records: 2.9 billion
Industry: Data Brokerage
Method: Unauthorized access via exposed credentials

In April 2024, National Public Data, a background check and fraud prevention service, experienced a significant breach. Attackers discovered a zip file on the company's website containing plaintext usernames and passwords, which they then made public on the dark web. The zip file contained sensitive personal data, including Social Security numbers.

3. Ticketmaster

Records: 560 million
Industry: Entertainment
Method: Vulnerability in customer service portal

On May 15, 2024, Ticketmaster disclosed a security issue. Attackers allegedly exploited a vulnerability in the company's customer support site to access its network and stole client information, including names, email addresses, payment details, and past ticket purchases.

4. Synnovis

Records: 300 million
Industry: Healthcare
Method: Cyberattack

A June cyberattack on U.K. pathology lab Synnovis — a blood and tissue testing lab for hospitals and health services across the U.K. capital — caused widespread disruption to patient services for weeks. Some data was already published online to extort the lab into paying a ransom. According to reports, Synnovis declined to pay the $50 million ransom demanded by the hackers, which prevented the gang from making money off the attack but left the UK government frantically trying to devise a strategy in case the hackers uploaded millions of medical records online.

5. AT&T

Records: Approximately 110 million
Industry: Telecommunications
Method: Unauthorized access via stolen credentials

In 2024, AT&T had two serious data breaches. 60 million records were affected in the first breach in March, and another 40 million records were compromised in the second in August. Both incidents involved unauthorized access to customer data, including personal and account information.

6. United Healthcare

Records: Over 100 million
Industry: Healthcare
Method: Ransomware attack by ALPHV/BlackCat group

A ransomware attack on February 21, 2024, compromised United Healthcare's Change Healthcare (CHC) division, which handles medical billing and insurance processing. The hack made sensitive patient data, including medical records and financial information, public and disrupted healthcare services nationwide. The company minimized the attack's impact by paying a $22 million ransom.

7. Internet Archive

Records: 31 million
Industry: Non-Profit Digital Library
Method: Unauthorized access via website vulnerability

A cyberattack in October 2024 compromised the data of 31 million users at the Internet Archive, famous for the Wayback Machine. Coinciding with DDoS attacks that interrupted services, the hack involved a malicious popup on the website that directed users to verify whether their information had been compromised.

8. Pandabuy Data Breach

Records: Approximately 1.3 million user entries
Industry: E-commerce
Method: Unauthorized access and data exfiltration

In April 2024, threat actors Sangierro and IntelBroker released a database containing the private data of more than 1.3 million PandaBuy users. The information, accessible on a hacker forum for small cryptocurrency payments, exposed impacted consumers to serious privacy and security threats. It contains full names, contact information (phone numbers and emails), login IPs, order details, home addresses, zip codes, and countries of residence.

9. Europol Data Breach

Records: 9,128 confidential records
Industry: Law Enforcement
Method: Unauthorized access to web portals

In May 2024, hackers gained access to thousands of private details, including personnel data and internal papers, by infiltrating Europol's web portals. Despite acknowledging the breach, Europol said that no operational data was hacked.

10. Acuity

Records: Undisclosed number of confidential government documents
Industry: Government Contractor
Method: Unauthorized access to GitHub repositories

In April 2024, hackers accessed private data kept in a GitHub repository at Acuity, a US government technology contractor. The exposed data included U.S. military officials, communications, and documents about the Five Eyes intelligence collaboration.

Lessons These Organizations Can Learn from Their Data Breaches

As digitalization advances, cybercriminals continue to exploit vulnerabilities with increasingly sophisticated methods, targeting sensitive data, financial assets, and operations.

To mitigate these risks, organizations must invest in robust cybersecurity infrastructure, adopt proactive strategies, and foster a culture of cybersecurity awareness. Additionally, enhancing access controls, utilizing data encryption, and leveraging advanced threat detection tools are essential to safeguard digital assets.

Most importantly, regular vulnerability assessments and compliance with regulations like GDPR, HIPAA, or PCI DSS further ensure resilience against threats and reduce the risk of noncompliance penalties.

Biggest Data Breaches of 2023

1. ICMR

Records: 815 million records
Industry: Government (Healthcare)
Method: Unauthorized access

A significant data breach at the Indian Council of Medical Research exposed the contact information, passport information, and Aadhaar IDs of Indian nationals.

2. Kid Security App

Records: Over 300 million records
Industry: Parental Control Application
Method: Misconfigured databases

Due to improperly configured Elasticsearch and Logstash instances, the Kid Security app exposed user activity logs—including phone numbers and email addresses—that were available for over a month. 

3. MOVEit

Records: Approximately 100 million individuals
Industry: Information Technology
Method: Exploitation of a vulnerability in MOVEit file transfer software

The Cl0p ransomware group exploited a critical vulnerability in MOVEit, a managed file transfer platform, allowing unauthorized access and data theft across numerous organizations worldwide.

4. SAP SE Bulgaria

Records: 95.5 million artifacts
Industry: Information Technology
Method: Exposure of Kubernetes Secrets on GitHub

Researchers discovered that SAP SE had inadvertently exposed Kubernetes Secrets in public GitHub repositories, potentially allowing unauthorized access to many artifacts.

5. TmaxSoft

Records: Over 56 million sensitive records
Industry: Information Technology
Method: Unsecured Kibana dashboard

Through an unsecured Kibana dashboard, TmaxSoft exposed 2 TB of data—including employee data and business emails—accessible for over two years.

6. T-Mobile

Records: 37 million customer accounts
Industry: Telecommunications
Method: Exploitation of an API vulnerability

T-Mobile disclosed that a data breach enabled threat actors to utilize an API vulnerability to expose customer data, including names, addresses, and contact information.

7. 23andMe

Records: 20 million records
Industry: Genetic Research
Method: Credential stuffing attacks

Hackers accessed genetic data profiles using credential-stuffing techniques. The leaks were initially limited to particular ethnic groups but eventually escalated to other groups.

8. PBI Research Services

Records: 13.8 million individuals
Industry: Research Services
Method: Exploitation of MOVEit vulnerability

One of the biggest MOVEit-related events occurred when PBI Research Services was breached through the MOVEit vulnerability, exposing millions of individuals’ personal data.

9. Duolingo

Records: 2.6 million user accounts
Industry: Educational Services
Method: Web scraping due to misconfiguration

Web scraping exposed user data from the language learning platform Duolingo, where settings errors gave hackers access to user data, including email addresses and usernames.

10. CommuteAir 'No Fly' List

Records: 1.75 million records
Industry: Transportation
Method: Misconfigured server

Concerns were raised over aviation security when a U.S. 'No Fly' list with more than 1.5 million records was discovered on a misconfigured CommuteAir server and made public on a hacking forum.

Lessons These Organizations Can Learn from Their Data Breaches

As digitalization prevails, cybercriminals engineer new tricks to gain access and exploit system vulnerabilities, targeting sensitive data, financial assets, and operational processes with increasingly sophisticated methods. As a best practice, organizations should:

  • Invest in critical cybersecurity infrastructure to protect digital assets.
  • Adopt a proactive cybersecurity strategy and foster a cybersecurity culture to stay ahead of cybercriminals.
  • Implement and strengthen access controls to limit access to sensitive data to only those who need it.
  • Invest in data encryption to ensure information security.
  • Leverage advanced threat detection tools to identify and neutralize threats before they cause significant damage.
  • Conduct regular vulnerability assessments and ensure compliance with evolving regulations such as the GDPR, HIPAA, or PCI DSS to avoid noncompliance penalties.

Biggest Data Breaches of 2022

1. Twitter

Records: 221.52 million
Industry: Social media platform
Method: Data breach 

From June 2021 until January 2022, there was a bug in a Twitter application programming interface, or API, that allowed attackers to submit contact information like email addresses and receive the associated Twitter account, 

2. Neopets

Records: 69 million
Industry: Virtual pet website
Method: Data breach

Attackers had access to the Neopets IT systems from Jan. 3, 2021, until July 19, 2022. Names, email addresses, zip codes, genders and birth dates were among the available information.

3. Shanghai COVID App

Records: 48.5 million
Industry: COVID application
Method: Data breach

The stolen data included details of unique users who “live in, or have visited, Shanghai” since the adoption of the QR code system. The details also included names, phone numbers, ID numbers and the health code status.

4. Sriraj Hospital

Records: 38.9 million
Industry: Hospital
Method: Data breach

The data includes names, addresses, Thai IDs, phone numbers, gender details, dates of birth and other information.

5. T-Mobile

Records: 37 million
Industry: Mobile telecommunication company
Method: Data breach

The data includes basic customer information such as their name, billing address, email and phone number.

6. Indian Railway Catering and Tourism Corporation

Records: 30 million
Industry: Railway company
Method: Data breach

The stolen data collection includes user information and invoices. Username, email, verified and verified mobile numbers, gender, city Id, city Name, state Id, and language preferences are among the data. The hacker's sample data includes a number of records containing the emails and phone numbers of people who have purchased tickets from Indian Railways.

7. Samsung

Records: 190 GB
Industry: Electronics corporation
Method: Data breach

The stolen information included source code related to Galaxy devices and over 6,000 secret keys, such as private keys, login data, and AWS, GitHub, and Google keys.

8. Pegasus Airlines

Records: 23 million
Industry: Airline carrier
Method: Data breach

Pegasus Airlines’ “Electronic Flight Bag” (EFB) information was left without password protection, leaking a range of sensitive flight data. PegasusEFB’s open bucket left 6.5 TB of data, including flight charts, navigation materials, and crew PII accessible to anyone. The bucket also exposed the EFB software’s source code, which contained plain-text passwords and secret keys that someone could use to tamper with extra-sensitive files.

9. MangaToon

Records: 23 million
Industry: Mobile application
Method: Data breach

The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and salted MD5 password hashes.

10. SuperVPN, GeckoVPN, and ChatVPN

Records: 21 million
Industry: VPN service
Method: Data breach

This information included users’ full names, email addresses, countries, passwords, payment information, and account status. It also had 10GB of sensitive information.

Lessons These Organizations Can Learn from Their Data Breaches

Cyber threats are becoming increasingly prevalent, and organizations cannot afford to take security for granted; they should always invest in processes that strengthen their digital forefront.

Regardless of size or industry, every organization is at risk of a data breach, and the consequences can be severe. By prioritizing cybersecurity and taking a proactive approach to risk management, establishing formal security policies, implementing access controls, and employing encryption, organizations can better protect themselves and their stakeholders from the devastating effects of cyber attacks.

Biggest Data Breaches of 2021

1. Cognyte

Records: 5 billion
Industry: Cybersecurity company
Method: Data breach

A database containing 5 billion user records was exposed due to an insecure configuration. Information was leaked, including names, email addresses, passwords, and vulnerability data points.

2. Comcast

Records: 1.5 billion
Industry: Telecommunications company
Method: Data breach

The publicly visible records included dashboard permissions, logging, client IPs, @comcast email addresses, and hashed passwords.

3. LinkedIn

Records: 700 million
Industry: Social media platform
Method: Data breach

The stolen data, nearly 93% of the company’s members, was on sale online and included user’s full names, phone numbers, physical addresses, email addresses, geolocation records, LinkedIn usernames and profile URLs, personal and professional experiences and backgrounds, genders, other social media accounts, and usernames.

4. Facebook

Records: 533 million
Industry: Social media platform
Method: Data breach

The exposed data includes the personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.

5. Syniverse

Records: 500 million
Industry: Telecommunications company
Method: Data breach

These records contained employees’ personal information, customers’ sensitive information, Syniverse’s trade secrets and other intellectual property, and other important financial information.

6. Bykea

Records: 400 million
Industry: Ride-hailing company
Method: Data breach

The breach contained 200 GB of data, including full names, email addresses, phone numbers, physical addresses, body temperature, national ID card numbers (CNIC), driver's license numbers, issuing city, and expiry dates.

7. Brazilian Resident Database 

Records: 223 million
Industry: Brazilian database
Method: Data breach

The databases included names, unique tax identifiers, facial images, addresses, phone numbers, email, credit scores, salary, and more. The data also contains the personal data of several million deceased individuals. In addition, 104 million vehicle records were available.

8. SocialArks

Records: 214 million
Industry: Trade marketing service platform
Method: Data breach

The data breach included biographies, phone numbers, email addresses, the total number of followers, comments, most used hashtags, etc.

9. Stripchat

Records: 200 million
Industry: Adult webcam platform
Method: Data breach

The database revealed the ID of users who sent the messages, usernames, gender, studio ID, live status, tip menus, the number of tips they gave to models, prices and strip score, user email addresses, IP addresses, internet service provider, tip balance, timestamp of account creation, last payment activity and blocked status.

10. Raychat

Records: 150 million
Industry: Communications application
Method: Data breach

The files stolen in the attack included information ranging from passwords to identification for login, email addresses, full names, IP addresses, and more.

Lessons These Organizations Can Learn from Their Data Breaches

While a data breach may just be an incident for an organization that results in a fine and temporary loss of customer trust, for impacted users, a data breach could cripple the fabric of privacy that they will never get back. Organizations should implement robust security measures by:

  • Limiting access to critical data by utilizing robust access restrictions and authentication procedures;
  • Encrypting data while it is in transit and at rest to prevent unauthorized access;
  • Regularly updating and patching software and systems to address known vulnerabilities;
  • Employing firewalls, intrusion detection systems, and tools that detect and prevent unauthorized access or malware attacks; and
  • Implementing privacy by design and privacy by default to minimize vulnerabilities in applications and systems.

Biggest Data Breaches of 2020

1. CAM4

Records: 10.88 billion
Industry: Adult cam site
Method: Server breach

Adult video streaming website CAM4 had its Elasticsearch server breached, exposing 10.88 billion records. The breached records included sensitive information, such as full names, email addresses, sexual orientation, chat transcripts, email correspondence transcripts, password hashes, IP addresses, and payment logs.

2. Advanced Info Service (AIS)

Records: 8.3 billion
Industry: Telecommunications company
Method: Data breach

According to AIS, a small amount of non-personal, non-critical information was exposed for a limited period during a scheduled test. All of the data related to Internet usage patterns and did not contain personal information that could be used to identify any customer.

3. Keepnet Labs

Records: 5 billion
Industry: Telecommunications company
Method: Data breach

A contractor temporarily exposed a database containing five billion email addresses and passwords collated from previous data breaches. The data included the source of the breach; the year the breach was made public; breached email address; breached passwords or hashes, and the format of the breached passwords (e.g., plaintext, encrypted, or hash).

4. BlueKai

Records: 5 billion
Industry: Data management platform
Method: Data leak

Oracle’s BlueKai left exposed an unsecured database containing billions of records like names, home addresses, email addresses, and sensitive users’ web browsing activity — from purchases to newsletter unsubscribes.

5. Whisper

Records: 900 million
Industry: Social application
Method: Data breach

The application exposed PII, including intimate confessions, ages, locations and other details, and allowed anyone to access all of the information tied to anonymous “whispers” posted to the app. The exposed records also included a user’s stated age, ethnicity, gender, hometown, nickname and any membership in groups, many of which are devoted to sexual confessions and discussion of sexual orientation and desires.

6. Sina Weibo

Records: 538 million
Industry: Chinese microblogging website
Method: Data breach

The records contained PII, such as real names, site usernames, gender, location as well as phone numbers for 172 million users.

7. Estée Lauder

Records: 440 million
Industry: Cosmetics company
Method: Data breach

The records contained user emails in plain text, references to reports and other internal documents, IP Addresses, ports, pathways, and storage information.

8. Broadvoice

Records: 350 million
Industry: Voice over IP company
Method: Data breach

The leaked database included caller names, phone numbers, and locations, among other data. One database included transcriptions of hundreds of thousands of voicemails, many involving sensitive information such as details about medical prescriptions and financial loans. More than 2 million voicemail records were included in that subset of data, 200,000 of which had been transcribed. Most of these records contained the caller's name (full name, business name, or a generic name such as “wireless caller”), caller phone number, a name or identifier for the voice mailbox (for example, a first name or general label, such as “clinical staff” or “appointments”), and internal identifiers.

9. Wattpad

Records: 268 million
Industry: Social networking website
Method: Data exposure

The incident exposed extensive personal information, including names and usernames, email and IP addresses, genders, general geographic location, birth dates, and passwords stored as bcrypt hashes.

10. Microsoft

Records: 250 million
Industry: Technology corporation
Method: Access misconfiguration

The exposed records included conversations with customers and Microsoft support agents from 2005 to December 2019. Most of the information exposed was customer service and support logs. For some customers, additional information was exposed, such as customer email addresses, IP addresses, Microsoft support agent emails, case numbers and resolutions, and internal notes marked as confidential.

Lessons These Organizations Can Learn from Their Data Breaches

The following are some important lessons that businesses can take away from their data breaches:

  • Conduct regular risk assessments and security audits;
  • Identify and assess potential risks and vulnerabilities to customer data;
  • Perform regular security audits and penetration testing to identify and address weaknesses;
  • Encourage vendors or third-parties with whom data is shared to conduct risk assessments; and
  • Stay updated on emerging threats and security best practices.

Biggest Data Breaches of 2019

1. Social Media Profile Leak

Records: 1.2 billion
Industry: Social media platform
Method: Data leak

The exposed data included names, email addresses, phone numbers, LinkedIn, and Facebook profile information.

2. Orvibo

Records: 2 billion
Industry: Smart home manufacturer
Method: Data leak

The data breach affected users from around the world. Rotem and Locar found logs for users in China, Japan, Thailand, the US, the UK, Mexico, France, Australia and Brazil. The exposed data included email addresses, passwords, account reset codes, precise geolocation, IP address, username, user ID, family name, family ID, smart device, a device that accessed the account, and scheduling information.

3. TrueDialog

Records: 1 billion
Industry: Communications-as-a-service
Method: Data leak

The sensitive data contained in millions of SMS messages included, but was not limited to: full names of recipients, TrueDialog account holders and TrueDialog users; content of messages; email addresses; phone numbers of recipients and users; dates and times messages were sent; status indicators on messages sent, like read receipts, replies, etc.; and TrueDialog account details.

4. First American Financial Corporation

Records: 885 million
Industry: Financial services company
Method: Data leak

Records included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and driver's license images.

5. Verifications.io

Records: 808 million
Industry: Email verifiers
Method: Data breach

Records included email addresses and associated personally identifiable information (PII), including names, gender, dates of birth, phone numbers, IP addresses, job titles and employers.

6. Collection #1

Records: 773 million
Industry: Online database
Method: Data breach

The database contains over 773 million unique email addresses and 21 million unique passwords, resulting in more than 2.7 billion email/password pairs.

7. Dream Market

Records: 617 million
Industry: Online darknet market
Method: Data breach

Hackers stole data from 16 websites, including Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

8. Third-Party Facebook App

Records: 540 million
Industry: Social media platform
Method: Data breach

This database contained columns for user information such as username IDs, friends, likes, music, movies, books, photos, events, groups, check-ins, interests, passwords and more.

9. MongoDB

Records: 275 million
Industry: Database
Method: Data breach

The records of Indian citizens were exposed, including their mobile phone numbers, professional information, gender, dates of birth, names, and current salaries.

10. Microsoft

Records: 250 million
Industry: Technology company
Method: Data breach

Records spanning 14 years were exposed without password protection. The information contained customer email addresses, geographical locations, descriptions of the support claims and customer service cases, and more.

Lessons These Organizations Can Learn from Their Data Breaches

The following are some important lessons that businesses can take away from their data breaches:

  • Establish data governance and privacy policies as required by applicable regulations;
  • The policies should mention security measures being taken by the organization;
  • Develop comprehensive data governance policies that outline how customer data is collected, stored, processed, and shared;
  • Clearly define data retention periods and securely dispose of data that is no longer required;
  • Obtain and document explicit consent from customers for collecting and using their personal data; and
  • Establish effective incident response plans.

Biggest Data Breaches of 2018

1. Aadhaar

Records: 1.1 billion
Industry: India’s biometric database
Method: Data breach

Aadhaar numbers, names, email and physical addresses, phone numbers, and photos of almost 1.1 billion Indians were found susceptible to the data breach.

2. Marriott

Records: 500 million
Industry: Hospitality service provider
Method: Data breach

Marriott’s reservation systems were compromised, exposing hundreds of millions of customer records, including credit card and passport numbers.

3. Exactis

Records: 340 million
Industry: Marketing company
Method: Data breach

Records included names, addresses, email addresses, phone numbers and other personal information, including habits and hobbies, and the number, ages, and genders of the person’s children.

4. Twitter

Records: 330 million
Industry: Social media platform
Method: Data breach

A bug exposed Twitter’s user credentials in plain text. Twitter urged 330 million users to change their passwords immediately.

5. Chinese Job-seeking Websites

Records: 202 million
Industry: Employment website
Method: Unsecured database

The records included people’s weight, height, driving license, phone numbers, resumes, marital status, literacy level, salary expectations, and more.

6. Under Armour

Records: 150 million
Industry: Sportswear company
Method: Data breach

The criminals responsible for the breach accessed individuals’ usernames, email addresses, and hashed passwords.

7. Quora

Records: 100 million
Industry: Social question-and-answer website
Method: Data breach

Records included user names, email addresses, hashed passwords, profile data, public and non-public actions.

8. MyHeritage

Records: 92 million
Industry: Online genealogy platform
Method: Data breach

Records exposed include email addresses and hashed passwords.

9. Facebook (via Cambridge Analytica)

Records: 87 million
Industry: Political consulting firm
Method: Data breach

Exposed data included Facebook user profile data and Facebook user preferences and interests.

10. Google+

Records: 52.5 million
Industry: Social network
Method: Data breach

Exposed data included private information on Google+ profiles, including name, employer and job title, email address, birth date, age, and relationship status.

Lessons These Organizations Can Learn from Their Data Breaches

It's shocking to see megacorporations with millions of dollars in revenue and profits not invest heavily in their digital security infrastructure. The following are some important lessons that businesses can take away from their data breaches:

  • Implement access controls for sensitive data;
  • Conduct rigorous employee training on best practices;
  • Educate employees about data privacy best practices, including the importance of handling and protecting customer data;
  • Conduct regular training sessions to reinforce security protocols and raise awareness about social engineering and phishing attacks; and
  • Regularly back up data and keep systems updated.

Biggest Data Breaches of 2017

1. River City Media

Records: 1.37 billion
Industry: Video production service
Method: Data breach

Records exposed include email addresses, personal information, including real names, IP addresses and physical addresses.

2. Spambot

Records: 700 million
Industry: Computer program
Method: Data breach

A misconfigured spambot leaked email addresses, as well as a number of passwords.

3. Deep Root Analytics

Records: 198 million
Industry: Data analytics company
Method: Data breach

Exposed information includes names, birthdates, phone numbers, and, most troubling, voter registration details.

4. Equifax

Records: 143 million
Industry: Credit bureau company
Method: Data breach

The hack exposed the Social Security numbers, names, birth dates, driver’s license numbers, addresses, and credit card information of US, Canadian, and UK citizens.

5. Edmodo

Records: 77 million
Industry: Educational technology platform
Method: Data breach

The records in the breach included usernames, email addresses and bcrypt hashes of passwords.

6. Uber

Records: 57 million
Industry: Technology company
Method: Data breach

The stolen information included names, contact information, ride information, and other sensitive data.

7. Malaysian Mobile Phone Numbers

Records: 46.2 million
Industry: Telecommunication company
Method: Data breach

The leak included prepaid and postpaid numbers, addresses, customer details, and SIM card information, including IMSI and IMEI numbers.

8. Dun & Bradstreet

Records: 33.6 million
Industry: Data analytics company
Method: Data breach

The leak exposed very specific details about each person, from their job title to their email address.

9. AI.type

Records: 31 million
Industry: Application
Method: Data breach

Some 577 gigabytes of data are said to have been exposed, representing more than three-quarters of the app's total user base.

10. Verizon

Records: 6 million
Industry: Telecommunications company
Method: Data breach

Each record included the customer’s name, mobile number, account PIN, home address, email address, and Verizon account balance.

Lessons These Organizations Can Learn from Their Data Breaches

The following are some important lessons that businesses can take away from their data breaches:

  • Implement encryption;
  • Employ access controls;
  • Monitor and detect anomalies;
  • Ensure network security;
  • Authenticate and authorize data sources; and
  • Implement data validation and data quality checks.

Biggest Data Breaches of 2016

1. Yahoo

Records: 500 million
Industry: Web
Method: Data breach

Yahoo claims a "state-sponsored actor" was behind this initial cyberattack in 2014. The stolen data included personal information such as names, email addresses, phone numbers, hashed passwords, birth dates, and security questions and answers, some of which were unencrypted.

2. MySpace

Records: 427 million
Industry: Social media platform
Method: Data breach

The data obtained from the data breach belonged to a past, unreported data security incident.

3. Friend Finder Network

Records: 412 million
Industry: Adult dating/entertainment website
Method: Data breach

Sensitive data regarding members’ usernames and passwords, sexual preferences, extramarital affairs, and purchases made on the site were stolen along with 15 million deleted accounts.

4. Multiple Email Providers

Records: 270 million
Industry: Email providers
Method: Data breach

According to Milwaukee-based Hold Security, more than 270 million email identities and passwords were found to be freely available online in the Russian criminal underworld. These included about 57 million Mail.ru accounts, 40 million Yahoo accounts, 33 million Hotmail accounts, and 24 million Gmail addresses.

5. VK.com

Records: 100 million
Industry: Social media platform
Method: Data breach

The database contains information like full names (first names and last names), email addresses, plain-text passwords, location information, phone numbers, and, in some cases, secondary email addresses.

6. Uber

Records: 57 million
Industry: Technology company
Method: Data breach
Penalty: $148 million against Uber for violating New York’s data breach notification laws

The stolen data included 57 million records and 600,000 driver accounts; Uber drivers’ and riders’ email addresses, names, and phone numbers were breached.

7. Philippine Commission on Elections

Records: 55 million
Industry: Elections
Method: Cyberattack

The 340 GB leaked file contained sensitive data of Filipino registered voters, including passport numbers and expiry dates.

8. Weebly

Records: 43 million
Industry: Web hosting service company
Method: Data breach

Stolen data includes usernames, passwords, email addresses, and IP information.

9. Morgan Stanley

Records: 15 million
Industry: Investment banking company
Method: Data breach
Penalty: The Office of the Comptroller of the Currency (OCC) fined the company $60 million for repeated failures to adequately protect customer data when disposing of old equipment

The breach records included the PII of clients.

10. The Panama Papers

Records: 11.5 million
Industry: Leaked documents
Method: Data leak

The leaked data included 4.8 million emails, 2.2 million PDF documents, 1.1 million image files, 3 million database records, and 320,000 other text files.

Lessons These Organizations Can Learn from Their Data Breaches

The following are some important lessons that businesses can take away from their data breaches:

  • Ensure cross-department flow of information that concerns the security of personal data;
  • Have a dedicated security team in place to continually identify and rectify vulnerabilities;
  • Conduct regular risk assessments and security audits; and
  • Implement access controls for sensitive data.

Biggest Data Breaches of 2015

1. Anthem

Records: 80 million
Industry: Insurance company
Method: Data breach

The attackers uncovered Social Security numbers, addresses, names, dates of birth, and employment information.

2. Securus Technologies

Records: 70 million
Industry: Technology company
Method: Data breach

The leak comprises over 70 million records of phone calls placed by prisoners to at least 37 states, in addition to links to downloadable recordings of the calls.

3. Ashley Madison

Records: 37 million
Industry: Online dating service and social networking service
Method: Data breach

The hackers leaked maps of sensitive information, including internal company servers, employee network account information, company bank account data, and salary information.

4. US Office of Personnel Management

Records: 21 million
Industry: Government agency
Method: Data breach

The leaked information included Social Security Numbers and other sensitive information, including the fingerprints of individuals.

5. Experian/T-Mobile

Records: 15 million
Industry: Mobile telecommunication company
Method: Data breach

The breach exposed the details of customers who were applying for credit checks from September 1, 2013, to September 16, 2015. These records included sensitive information, such as addresses, names, birth dates, and encrypted fields with ID and Social Security numbers.

6. Premera Blue Cross

Records: 11.2 million
Industry: Health insurance company
Method: Data breach

The breach compromised subscriber data, which includes names, birth dates, Social Security numbers, bank account information, addresses, and other information.

7. Excellus BlueCross BlueShield

Records: 10 million
Industry: Health insurance company
Method: Data breach

Excellus claims that the person(s) responsible for the attack might have gained access to personal information, including "name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information."

8. LastPass

Records: 7 million
Industry: Password manager
Method: Data breach

LastPass revealed that it had been the victim of a cyberattack, compromising email addresses, password reminders, server-per-user salts, and authentication hashes.

9. Vtech

Records: 6 million
Industry: Electronics company
Method: Data breach

The stolen information included the name, email address, secret question and answer for password retrieval, IP address, mailing address, download history, and encrypted password.

10. Slack

Records: 65,000
Industry: Instant messaging platform
Method: Data breach

Slack said hackers accessed some Slack infrastructure, including databases storing user credentials. Hackers stole hashed passwords but planted code on the company's site to capture plaintext passwords that users entered when logging in.

Lessons These Organizations Can Learn from Their Data Breaches

The following are some important lessons that businesses can take away from their data breaches:

  • Conduct data protection impact assessments;
  • Engage in third-party vendor assessment;
  • Conduct due diligence when selecting third-party vendors and ensure they have robust security measures in place; and
  • Establish clear data protection requirements in contracts with vendors and regularly monitor their compliance.

Biggest Data Breaches of 2014

1. eBay

Records: 145 million
Industry: E-commerce company
Method: Data breach

The attackers stole username information, emails, and addresses from the e-commerce company.

2. JP Morgan Chase

Records: 76 million
Industry: Financial services company
Method: Data breach

The hackers managed to gain access to JPMorgan account holders' names, phone numbers, addresses, and emails and steal the credit card information of 76 million users and 7 million small businesses.

3. Home Depot

Records: 56 million
Industry: Home improvement company
Method: Data breach

Hackers stole credit card details, some of which were sold online. In 2020, Home Depot paid a $17.5 million settlement for this breach.

4. Korea Credit Bureau

Records: 20 million
Industry: Credit risk management company
Method: Data breach

An employee stole data, including social security numbers, names, credit card numbers with expiration dates, and phone numbers.

5. Sony Pictures

Records: 10 million
Industry: Entertainment company
Method: Data breach

The hackers accessed employees’ Social Security numbers, criminal background checks, doctors’ letters for leaves of absence, unreleased films, and sensitive documents. Sony had to pay a hefty fine of $8 million for the hack.

6. Gmail

Records: 5 million
Industry: Email service
Method: Data breach

Hackers targeted Gmail servers and exposed a list of 5 million Gmail addresses and passwords on a Russian Bitcoin forum.

7. Snapchat

Records: 4.6 million
Industry: Instant messaging app
Method: Data breach

A security breach affected nearly 5 million Snapchat users and compromised their phone numbers and usernames.

8. Community Health Systems

Records: 4.5 million
Industry: Hospital healthcare company
Method: Data breach

The hackers may have obtained patients' names, birth dates, addresses, and telephone and Social Security numbers.

9. Michaels

Records: 3 million
Industry: Specialty retail company
Method: Data breach

The hackers targeted point-of-sale machines and affected customers who used their credit or debit cards in the company's stores between May 8, 2013, and January 27, 2014, which totaled 2.6 million cards.

10. U.S. Postal Service

Records: 1 million
Industry: Mail company
Method: Data breach

Just under a million workers were affected as social security numbers and home addresses were stolen in a hack of the US Postal Service.

What Can Organizations Learn from These Data Breaches?

First and foremost, organizations must prioritize data security and take it seriously. They need to implement robust security measures, keep their systems updated, and train employees on how to identify and respond to potential threats. Companies should also be transparent with their users about how they collect, process, utilize and share user data.

Additionally, individuals can take measures to protect their personal data by using strong passwords, keeping track of their credit reports, and being cautious when disclosing personal data online. Governments and regulators must play a role in holding companies accountable for data breaches and enforcing strict penalties for those who fail to protect their users' data.

Best Practices for Organizations to Avoid Falling Victim to Data Breaches

For businesses, data breaches can have serious financial and reputational repercussions. The following are some of the best practices that businesses may use to prevent data breaches:

Implement Strong Passwords

Employers should mandate the use of strong alphanumeric passwords that contain a combination of uppercase and lowercase letters, numbers, and symbols. Likewise, passwords must be updated frequently.

Implement Multi-Factor Authentication

Multi-factor authentication adds an extra layer of security by requiring employees to provide two or more forms of identification, such as a password and a code sent to their mobile phones.

Conduct Data Risk Assessments

Analyze the existing security of the sensitive data in your organization. Examine the organization's data landscape to determine what sensitive data you have and whether any regulatory security requirements apply to it. Additionally, evaluate the sensitive data's current security status to identify security vulnerabilities and reasonably foreseeable threats that could take advantage of operational weaknesses and system vulnerabilities.

Regularly Update Software and Systems

Organizations should ensure that all software and systems have the most recent security updates and patches.

Address Cloud Security Misconfigurations

Conduct an in-depth analysis to identify and address security misconfigurations across all of your cloud data assets. Resolve the setup issues as quickly as possible to limit data exposure.

Restrict Access to Sensitive Data

Restrict employee access to sensitive data and only allow access to those who need to know. Implement access controls and monitoring to prevent unauthorized individuals from accessing sensitive information.

Regularly Backup Data

Regularly back up data to a secure cloud or an offsite location in case of a breach or disaster, and implement a review policy to systematically assess the system's security posture and promptly apply any security patches.

Educate Employees on Security Best Practices

Employees should receive training on security best practices, including identifying and reporting phishing scams and suspicious activities. This is crucial because an organization may still face data breaches due to human mistakes or neglect, even if it does everything possible to protect its corporate infrastructure from security incidents. Humans are the weakest link in the cybersecurity chain, and the effects of human negligence on an organization's cybersecurity and, eventually, its reputation are extensive.

Conduct Regular Security Audits

Conduct regular security audits to identify potential vulnerabilities and implement necessary changes to improve security measures.

The biggest data breaches in history have taught us important lessons about the value of data security, accountability, and transparency. The best technique to avoid data breaches is to follow the foundational concepts stated above and improve our data protection posture going forward by learning from these instances.

How Securiti’s Data Breach Automation Helps

Securiti’s DataControls Cloud framework enables organizations to simplify breach prevention and response with automated Data Breach Analysis. The module automates data breach analysis before or after an incident, provides clear insights into the data breach radius and its financial impact, and ensures accurate and timely notifications to those impacted by the breach, enabling organizations to comply with evolving global regulatory obligations.

Request a demo to see Securiti in action.
