Biggest Data Breaches in History | Top 6 Breaches in U.S. (2024)

What Are The Biggest Data Breaches in History?

Some of the biggest data breaches in history have involved Fortune 500 companies including Microsoft, Home Depot, JPMorgan Chase, Facebook and Target. Virtually no large company has been immune to data breaches. Inadequate cyber security over the last ten years has cost businesses billions of dollars and left consumers vulnerable to financial crime.

Corporations across industries use data to build and leverage their products and services. In the absence of strict security and compliance, their massive amounts of data can be vulnerable to cyberattacks. Attacks used to gain access to sensitive data include ransomware, phishing and malware.

Yahoo

Hackers stole account and personal information impacting 3 billion user accounts in 2013, though hackers did not get credit card and bank account data. At the time, it was the largest-ever disclosed data breach.

Another attack took place in 2014, which was believed to be state-sponsored and led to charges against Russian government agents and a Canadian hacker. The second breach affected 500 million accounts, but wasn’t discovered until 2016. The company’s top lawyer resigned and then-CEO Marissa Mayer lost millions in bonuses after a board investigation found the company failed to act on prior indications of the breach. These data breaches are still considered the largest discovered in the internet’s history.

Microsoft

Two separate data breaches took place in 2021. One of the attacks that year is considered one of the largest possible data leaks in recent history. The personal data of 38 million users was accidentally leaked because of a flaw in Microsoft’s Power Apps software.

The other attack is attributed to Chinese hackers. Around 30,000 customers and 60,000 companies globally were affected when hackers exploited holes in Exchange, Microsoft’s popular mail and calendar server. Hackers stole emails and were then able to install malware to continue surveillance of their targets in attacks that occurred over several months or years.

Because of the massive amount of information stolen from small- and medium-sized American businesses, experts believe that the goal of Chinese hackers isn’t financial or espionage but to gather and aggregate as much data as possible. But the reason for this remains unknown.

First American Financial Corp.

Title insurance provider First American announced in 2019 a fix to a vulnerability in its website. The vulnerability exposed 885 million records related to mortgages over a 16-year period. Anyone could gain access to personal information, including bank account details, mortgage and tax records, social security numbers and driver’s licenses.

The company is party to the buyer and lender sides of real estate transactions across the country. It’s not known how much, if any, data was stolen. However, First American paid $490,000 in a settlement with the Securities and Exchange Commission for its lack of disclosure controls and procedures relating to cybersecurity, a breach of the disclosure provisions of the Exchange Act.

Facebook

A user in a low-level hacking forum published the personal data of more than 530 million Facebook users from 106 countries in 2021. Although the data was a couple of years old because of a vulnerability patched in 2019, it was the type of data that criminals would use to perform social engineering or hacking attempts. Ireland’s Data Protection Commission imposed a fine of €265 million ($276 million) and corrective measures in relation to the breach.

Cambridge Analytica used information taken without authority from Facebook to build a system to profile individual U.S. voters in 2014 to target them with personalized political ads. Former President Donald Trump advisor Steve Bannon was vice president of Cambridge Analytica at the time.

Marriott International

Starwood Hotels group, which Marriott acquired in 2016, was attacked in 2014. Names, contact details, passport information and loyalty program numbers of guest records of customers in the U.K. were compromised. The attack continued until 2018, when Marriott first noticed the problem and acted quickly to improve its systems.

Marriott has experienced seven data breaches since 2010, including a 2015 credit card breach from malware on its point-of-sale systems. These attacks have resulted in millions in fines and a $100 million class action lawsuit.

The U.K. Information Commissioner’s Office fined the hotel chain €18.4 million for the 2014 data breach. At that time, the breach affected an estimated 500 million people. In 2022, in yet another breach, hackers tried to blackmail the hotel after obtaining 20GB of data from a hotel server, but the hotel refused to pay.

Exactis

Florida-based marketing and data aggregation firm Exactis exposed a database with nearly 340 million records on a publicly accessible server in 2018. The entirely accessible and unsecured database contained personal information such as phone numbers and emails, as well as children’s ages, gender and interests. Financial information and security numbers were not shared. Experts note scammers can use this type of information to impersonate individuals.

Lawsuits were filed in response to Exactis’ massive data breach, which exposed 110 million business contacts and 200 million consumers. As of 2023, no decision or settlement has been reached regarding the breach.

Equifax

Equifax, one of three major credit reporting agencies, discovered unauthorized access in 2017. Hackers gained access to the confidential information of 147 million consumers. The information included names, birthdates, social security numbers, drivers’ licenses and credit card numbers. Although experts began searching for the data, it never appeared, leading them to conclude that Chinese state-sponsored hackers carried out the breach for the purpose of espionage.

Multiple lawsuits were filed in relation to the breach. In 2019, Equifax settled with the Federal Trade Commission, the Consumer Financial Protection Bureau and all U.S. states and territories. As part of the settlement, affected consumers had the option to sign up for free credit monitoring with all three of the major credit reporting firms or receive $125.00.

Other Notable Data Breaches

Since the 2013 data breach of Target, many other companies have experienced similar breaches. Companies often continue to blame employees or third parties for corporate security failures, and some fail to disclose breaches publicly.

In 2022, hackers phished an employee at games giant Activision, gaining access to internal employee and corporate data. However, management did not disclose the breach to employees because no sensitive data had been accessed, according to the company. GoDaddy revealed a multi-year breach that redirected customers’ website URLs to malicious domains. The breach was only made public in 2022 via a corporate filing with the U.S. Securities and Exchange Commission.

Governments are warning of Chinese state-sponsored actors targeting Europe and the U.S. One high-profile example is the scrutiny of social media giant TikTok and its parent, ByteDance, which has been accused of aggressive data harvesting.

LinkedIn

In 2021, the data of more than 700 million LinkedIn users was posted for sale on the dark web, including emails, usernames, phone numbers, social media accounts and other work-related details. LinkedIn denies that the actions constituted a breach, arguing it is merely a result of too much publicly available information.

Since then, hackers have put other collections of information from LinkedIn databases on sale on the dark web. Experts warn threat actors may target LinkedIn users via phishing attacks, spamming and “brute forcing” attacks, which involve trying different variations of passwords until they guess the correct one.

Capital One

Capital One bank determined someone gained unauthorized access and stole files in 2019. The files contained more than 100,000 social security numbers, 80,000 bank account numbers and the personally identifiable information of customers and credit card applicants.

The FBI successfully identified the individual responsible. Paige Thompson, a former Amazon employee, was convicted and sentenced to time served and five years of probation in 2022. Because of the data breach, which related to server firewall vulnerabilities, the U.S. Treasury Department fined Capital One $80 million. The company also settled lawsuits with customers for $190 million.

Target

A Latvian computer programmer was sentenced to 14 years in prison for designing a program used in the 2013 Target breach, in which the personal and financial data of 110 million Target customers was stolen. The program helped hackers improve malware against antivirus programs.

The scale of Target’s negligence in failing to respond to multiple warnings from its security software and the magnitude of the data loss were so significant that businesses, organizations and governments re-evaluated their security practices and regulatory frameworks. Since then, many companies have adopted best practices regarding cybersecurity, including staff training.

JPMorgan Chase

A cyberattack on JPMorgan Chase in 2014 breached the accounts of 7 million small businesses and 76 million households, making it one of the largest attacks of its time. The attack began in June but wasn’t discovered until July.

Overseas hackers’ successful attack on JPMorgan spotlighted the vulnerability of banks. JPMorgan, however, said there was no evidence that social security numbers or passwords had been stolen, nor was there fraud involving customer information.

Home Depot

Criminals using a vendor’s stolen login credentials hacked Home Depot, the world’s largest home improvement retailer, in 2014. Once on Home Depot’s network, the hackers installed malware on self-checkout registers that stole customer payment card data and email addresses.

The breach went undetected for several months and cost $62 million. It allowed criminals to obtain data from more than 50 million credit and debit cards and 70 million customer emails.

FriendFinder Networks

The adult FriendFinder Network dating and entertainment site was hacked in 2015 and 2016, exposing information about 412 million accounts. Unprotected user passwords and other security failures also led to hacks of the company’s network of other sites.

The data stretched over 20 years and included email usernames and visit dates. The FriendFinder network breach was the largest industry hack, including the Ashley Madison hack that impacted 36 million users.

Anthem

Anthem, one of the nation’s largest health insurers, was the subject of a cyberattack in 2015. As many as 80 million records of customers and employees were breached. Names, birthdays, addresses and social security numbers were accessed. It remains the largest breach of healthcare information to date, though the company claimed no medical or credit card information was stolen.

According to experts, Anthem didn’t take basic security steps, such as protecting its data via encryption. Class action lawsuits relating to the breach were filed. In 2015 Anthem paid class members in the form of credit monitoring or cash equivalent and reimbursement for costs.

Data Breaches Settlement Amounts

Some of the biggest and most notable settlements have been agreements reached with states and federal agencies. The government has levied fines against a number of companies over the years for their security failures that led to data breaches. Some companies have also faced fines and penalties from other governments.

  • Anthem: Agreed to pay $16 million to the U.S. Department of Health and Human Services and take corrective actions. The company also paid a multi-state coalition $39.5 million in penalties and fees.
  • Equifax: Agreed to a global settlement with the U.S. Federal Tax Commission, the Consumer Financial Protection Bureau and 50 U.S. states and territories for an amount up to $425 million.
  • Facebook: Agreed to pay a £500,000 ($643,000) fine under the Data Protection Act 1998 to the U.K.’s Information Commissioner’s Office for its role in the Cambridge Analytica scandal, though it admitted no liability.
  • First American Financial Corporation: A civil penalty of $487,616 was paid to the U.S. Securities and Exchange Commission for violation of the Exchange Act.
  • Marriott International, Inc.: The U.K.’s Information Commissioner’s Office fined the company £18.4 million ($23.9 million) for a data breach that began in 2014.
  • Target: Paid $18.5 million to 47 states over its 2013 cyberattack.

Companies and individuals have also filed many data breach class action lawsuits. For example, in addition to Marriott’s government fine, Marriott lawsuits stemming from stolen data are ongoing. Settlement and verdicts from data breach lawsuits include:

  • Capital One: The company has paid $190 million into a settlement fund to compensate plaintiffs.
  • Equifax: The company settled and plaintiffs are eligible for payments for out-of-pocket losses, time spent and other cash benefits from the $425 million restitution fund.
  • Facebook: Meta Platforms paid $725 million to settle a class action lawsuit seeking damages for allowing third parties, including Cambridge Analytica, to access user data.
  • Home Depot: The retailer settled a multistate lawsuit for $17.5 million, which included injunctive terms to tighten its information security program.
  • Target: Ending a class action lawsuit, a $13 million settlement fund was established with $10,000 to individual consumers with documented losses from the data breach.

Individuals receiving settlements in data breach lawsuits may be customers, employees or others the breach may have impacted. Data breaches continue to make headlines and impact companies and individuals globally. An experienced lawyer can help people navigate the complexities of filing a case, successfully settling or taking the case to trial.


Author: Carlyn Walter
