Biggest data breaches of the last 20 years

July 23, 2018

In 2017, the Identity Theft Resource Center released its annual Data Breach Year-End Review. The report tallied 1,579 data breaches in 2017 alone, representing a shocking 44.7% increase over 2016—and 2016's numbers were a record high at the time.

The servers, databases, and networks maintained by businesses, banks, governmental entities, health care organizations, and even educational institutions are juicy targets for online criminals. Within those digital warehouses lies the personal data of millions and even billions of people, whose birthdays, passwords, Social Security numbers, and login credentials can be used to steal their identities, hack into their accounts, and take out loans in their names.

The last two decades have witnessed a shocking rash of successful attacks on what many people previously believed were impenetrable security networks. The worst of them netted their masterminds vast stores of personal and financial data belonging to regular customers and account holders, many of whom wouldn't find out for years that their data had been compromised.

Here's a look at the worst data breaches of the last 20 years.

#20. Uber

Year: 2017

Records obtained: 57,000,000

Organization type: Transportation

Data breach method: Hacked

By any measurable standard, Uber had an abysmal 2017. Among the rideshare company's biggest scandals that year was the revelation that in 2016, two hackers breached the company's databases and stole phone numbers, email addresses, and other private data belonging to 57 million Uber customers, as well as 600,000 driver's license numbers belonging to the company's drivers. Uber's decision-makers made a bad thing worse by failing to alert law enforcement, which is required by law; by hiding the breach, including the names of the hackers' victims, from the public for the better part of a year; and, perhaps worst of all, by paying the hackers a $100,000 bounty to delete the data, a move that was universally denounced by security experts.

 

#19. Tumblr

Year: 2013

Records obtained: 65,469,298

Organization type: Web

Data breach method: Hacked

In 2013, hackers stole personal and password information belonging to 65 million Tumblr users. The company, which at the time had not yet been purchased by Yahoo, didn't disclose the infiltration until 2016, when online sleuths found the information for sale on the so-called “dark web.”  

 

#18. Target Corporation

Year: 2014

Records obtained: 70,000,000

Organization type: Retail

Data breach method: Hacked

Since the data was stolen between Nov. 27 and Dec. 15, some publications referred to the 2014 Target data breach as "the nightmare before Christmas." The retailer originally said that credit and debit card information—including card numbers, expiration dates and CVV numbers—for as many as 40 million customers could have been stolen by hackers starting on Black Friday weekend. The retail giant later revealed that number was actually closer to 70 million, and that the breach also included email addresses, mailing addresses, and phone numbers.

 

#17. National Archives and Records Administration (U.S. military veterans' records)

Year: 2009

Records obtained: 76,000,000

Organization type: Military

Data breach method: Lost or stolen media

In 2010, the National Archives and Records Administration revealed that in March 2009, a two-terabyte external hard drive went missing from a processing room at a facility in College Park, Maryland. The drive contained personal information including the names and Social Security numbers of former Clinton administration staff and White House visitors.

 

#16. JPMorgan Chase

Year: 2014

Records obtained: 76,000,000

Organization type: Financial

Data breach method: Hacked

According to a New York Times report, the 2014 JPMorgan Chase computer breach, history's largest bank hack at that time, could have been prevented with a simple security fix. Hackers gained entry into the financial giant's vast computer network by accessing an employee's login credentials and targeting the bank's weak link: a single server that the Chase security team neglected to protect with basic dual-factor authentication.

 

#15. Sony PlayStation Network

Year: 2011

Records obtained: 77,000,000

Organization type: Gaming

Data breach method: Hacked

In 2011, gamers across the world wondered why they had been locked out of the PlayStation Network. While the lack of access was frustrating, the reason why was even more daunting. Between April 17 and 19, an unauthorized person hacked into the Sony system and stole a wealth of personal data—including birthdays, security questions, passwords, and login credentials—in one of history's biggest infiltrations into a cache of credit card data.

 

#14. Anthem Inc.

Year: 2015

Records obtained: 80,000,000

Organization type: Health care

Data breach method: Hacked

In 2015, the second-largest health insurance company in America was the target of a massive data breach. Anthem Inc.'s CEO was among the 80 million victims whose data—including names, Social Security numbers, home addresses, birthdays, email addresses, and medical IDs—was stolen by hackers. In 2017, the company settled a class-action lawsuit in the wake of the hack.

 

#13. AOL

Year: 2004

Records obtained: 92,000,000

Organization type: Web

Data breach method: Hacked/inside job

In 2004, a 24-year-old America Online software engineer was arrested by federal authorities for hacking into the company's computers to steal 92 million email addresses. He sold the data for $100,000 to an online gambling business owner in Las Vegas, who then relentlessly spammed those email addresses.

 

#12. MyHeritage

Year: 2018

Records obtained: 92,283,889

Organization type: Genealogy

Data breach method: Unknown

In 2018, Israel-based DNA and genealogy company MyHeritage revealed that in October of the previous year, hackers had broken into the company's computers and stolen a massive file containing more than 92 million email addresses and passwords. Although the passwords were "hashed," which is a security measure that renders them useless if inappropriately accessed, the attack forced industry experts to take a second look at the preparedness of the DNA and genealogy industry.

#11. TK / TJ Maxx

Year: 2007

Records obtained: 94,000,000

Organization type: Retail

Data breach method: Hacked

When hackers stole data from tens of millions of TJ Maxx and Marshalls customers in 2007, it was believed to be the biggest attack of its kind at that time—and that's when officials still thought there were only 45.7 million victims. It would soon come out that more than twice that number of accounts were compromised. The hackers easily bypassed the company's Wired Equivalent Privacy (WEP) wireless LAN security, which is notoriously weak.

 

#10. Rambler.ru

Year: 2012

Records obtained: 98,167,935

Organization type: Web

Data breach method: Hacked

Rambler.ru is a web portal that was informally known as "the Yahoo of Russia." When hackers stole nearly 100 million user logins in February 2012, the site's customers faced an especially grave threat of identity theft. The site had not even taken the basic step of encrypting their passwords.

 

#9. Heartland

Year: 2009

Records obtained: 130,000,000

Organization type: Financial

Data breach method: Hacked

In 2009, a skilled hacker pulled off what was at that time the largest data breach in history when he successfully infiltrated a massive database of customer records at credit card-processing company Heartland Payment Systems. Heartland was just one victim of hacker Albert Gonzalez, who received two concurrent 20-year federal prison sentences for digital attacks that also targeted Dave & Buster's, 7-Eleven and OfficeMax.

 

#8. Equifax

Year: 2017

Records obtained: 143,000,000

Organization type: Financial, credit reporting

Data breach method: Poor security

One of the things that made 2017's massive Equifax data breach so upsetting to its victims was that, unlike customers of Target or Uber, they never chose to give the company their information. As one of three major credit reporting agencies, Equifax compiles data on most Americans from a variety of sources, which makes it a particularly enticing target for data criminals. In 2017, thieves struck gold when they stole names, addresses, driver's license numbers, birthdays, Social Security numbers, and potentially even passport information for nearly 145 million people.

 

#7. eBay

Year: 2014

Records obtained: 145,000,000

Organization type: Web

Data breach method: Hacked

In order for hackers to gain access to the personal information of 145 million eBay customers, all they had to do was hack three corporate employees. The 2014 eBay hack was bad enough, but eBay made it worse by keeping the attack quiet, then later claiming it believed that no customer data had been compromised.

 

#6. Under Armour

Year: 2018

Records obtained: 150,000,000

Organization type: Consumer Goods

Data breach method: Hacked

The recent Under Armour hack stood out not only for its massive number of victims, but because the cybercriminals who pulled it off infiltrated the company through an app. The breach originated in Under Armour's MyFitnessPal app, which eventually yielded private information belonging to more than 150 million people. There was some good news, however: since Under Armour did a good job of segmenting its user data, the criminals only got away with email addresses, usernames, and passwords—not critical information like financial data or Social Security numbers.

 

#5. Adobe Systems

Year: 2013

Records obtained: 152,000,000

Organization type: Tech

Data breach method: Hacked

When Adobe realized its system had been hacked in October 2013, the software company thought that as many as 2.9 million customers had been exposed. It turned out that more than 40 times that number had been compromised, with more than 152 million email addresses and passwords stolen and published online.

 

#4. Massive American business hack

Year: 2012

Records obtained: 160,000,000

Organization type: Financial

Data breach method: Hacked

In what is known as the massive American business hack, five Russians and one Ukrainian spent seven years launching sophisticated digital attacks on companies like 7-Eleven and the Nasdaq stock exchange. The international crooks got away with 800,000 bank account numbers and more than 160 million debit and credit card numbers.

 

#3. Friend Finder Networks

Year: 2016

Records obtained: 412,214,295

Organization type: Web

Data breach method: Poor security/hacked

The FriendFinder Network includes sites like AdultFriendFinder.com, Cams.com, Stripshow.com, iCams.com, and Penthouse.com. When hackers breached the company's databases in 2016, they got away with two decades’ worth of information, totaling more than 412 million records. It was the largest breach of the entire year.  

 

#2. Yahoo

Year: 2014

Records obtained: 500,000,000

Organization type: Web

Data breach method: Hacked

It wasn't until 2016 that Yahoo confirmed hackers had stolen account information for a half billion of the online giant's customers. Telephone numbers, birthdays, encrypted passwords, and security questions and answers were all part of the haul. Yahoo took a full two years to go public with this fact, and only did so when an online criminal began selling the stolen data.

 

#1. Yahoo

Year: 2013

Records obtained: 3,000,000,000

Organization type: Web

Data breach method: Hacked

If Yahoo users were worried that half a billion records were compromised in 2014, they'd likely be even less happy to know that the year before, all three billion of the company's accounts were attacked. That's about one hacked account for every 2.5 people on the planet. In 2016, Yahoo said the hack affected 1 billion accounts, then increased the already-apocalyptic number threefold the following year.


 
