This is a list of reports about data breaches, using data compiled from various sources, including press reports, government news releases, and mainstream news articles. The list includes those involving the theft or compromise of 30,000 or more records, although many smaller breaches occur continually. Breaches of large organizations where the number of records is still unknown are also listed. In addition, the various methods used in the breaches are listed, with hacking being the most common.
Most reported breaches are in North America, at least in part because of relatively strict disclosure laws in North American countries. 95% of data breaches come from government, retail, or technology industries.[1] It is estimated that the average cost of a data breach will be over $150 million by 2020, with the global annual cost forecast to be $2.1 trillion.[2] [3] As a result of data breaches, it is estimated that in the first half of 2018 alone, about 4.5 billion records were exposed.[4] In 2019, a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords, was posted on the web for sale.[5] In January 2024, a data breach dubbed the "mother of all breaches" was uncovered.[6] Over 26 billion records, including some from Twitter, Adobe, Canva, LinkedIn, and Dropbox, were found in the database.[7] [8] No organization immediately claimed responsibility.[9]
Government | Agency | Year | Records | Organization type | Method | Sources | |
---|---|---|---|---|---|---|---|
50 companies and government institutions | Various | 2022 | 6,400,000 | various | poor security | [10] [11] | |
India | Indian Council of Medical Research | 2023 | 815,000,000+, including Aadhaar IDs, passport details, names, phone numbers, addresses | government | hacked by pwn0001 | [12] | |
Australia | Australian Immigration Department | 2015 | G20 world leaders | government | accidentally published | [13] | |
Australia | Australian National University | 2019 | 19 years of data | academic | hacked | [14] | |
Sydney, Australia | Western Sydney University | 2024 | 7,500, including email accounts, SharePoint files, and the Microsoft Office 365 environment | academic | hacked | [15] [16] | |
Bangladesh | Office of the Registrar General, Birth & Death Registration | 2023 | 50,000,000+ | government | data leak due to security vulnerabilities | [17] | |
United Kingdom | BBC | 2024 | 25,290 employee pension records, including name, date of birth, home address, national insurance number | public broadcasting | hacked | [18] [19] | |
United Kingdom | British Library | 2023 | unknown | government | ransomware | [20] | |
United Kingdom | 2008 | 12,000 | Records | Politics | [21] | ||
United Kingdom | City and Hackney Teaching Primary Care Trust | 2007 | 160,000 | healthcare | lost / stolen media | [22] | |
United Kingdom / Scotland | NHS Dumfries and Galloway | 2024 | still unknown | healthcare | cyber attack | [23] [24] | |
Bulgaria | Bulgarian National Revenue Agency | 2019 | over 5,000,000 | government | hacked | [25] [26] | |
California | California Department of Child Support Services | 2012 | 800,000 | government | lost / stolen media | [27] [28] | |
United States | Central Intelligence Agency | 2017 | 91 | malware tools | internal job | [29] [30] [31] [32] [33] | |
Colorado, US | Colorado Department of Health Care Policy & Financing | 2010 | 105,470 | healthcare | lost / stolen computer | [34] | |
Philippines | Commission on Elections | 2016 | 55,000,000 | government | hacked | ||
United States | Consumer Financial Protection Bureau | 2023 | 256,000 | bureau | poor security | [35] | |
United States | Centers for Medicare & Medicaid Services | 2018 | 75,000 | healthcare | hacked | [36] | |
South Korea | Defense Integrated Data Center (South Korea) | 2017 | 235 GB | government, military | hacked | [37] | |
United States | Democratic National Committee | 2016 | 19,252 | political | hacked | [38] | |
United States | Department of Homeland Security | 2016 | 30,000 | government | poor security | [39] [40] | |
Indonesia | Directorate General of Immigration of Indonesia | 2023 | 34,900,867 | government | hacked and published | [41] | |
Indonesia | Directorate General of Population and Civil Registration (Dukcapil) | 2023 | 337,225,463 | government | leaked and published | [42] | |
United Kingdom | Driving Standards Agency | 2007 | 3,000,000 | government | lost / stolen media | [43] | |
Ecuador | ? | 2019 | 17 million | 20,800,000 records, including names, family members, financial and work data, civil registration data, car ownership data | government | poor security / misconfigured server | [44] |
? | Embassy Cables | 2010 | 251,000 | government | inside job | [45] | |
England/Wales | England and Wales Cricket Board | 2024 | 43,299 | government | unknown | [46] | |
European Union | European Central Bank | 2014 | unknown | financial | hacked | [47] [48] | |
United States | 2016 | 20,000 | Records | law enforcement | hacked | [49] [50] [51] | |
United States | Federal Reserve Bank of Cleveland | 2010 | 400,000 | financial | hacked | [52] | |
Florida | Florida Department of Juvenile Justice | 2013 | 100,000 | government | lost / stolen computer | ||
Unknown | Unknown | 2020 | 201,000,000 | personal and demographic data about residents and their properties of US | Poor security | [53] | |
Greece | ? | 2012 | 9,000,000 | government | hacked | [54] | |
Singapore | Health Sciences Authority | 2019 | 808,000 | healthcare | poor security | [55] | |
Ireland | Health Service Executive | 2021 | unknown | healthcare | unknown | [56] | |
London, UK | Heathrow Airport | 2017 | 2.5GB | transport | lost / stolen media | [57] [58] [59] | |
United States | Internal Revenue Service | 2015 | 720,000 | financial | hacked | [60] [61] | |
Japan | Japan Pension Service | 2015 | 1,250,000 | special public corporation | hacked | [62] | |
Jefferson County, West Virginia | ? | 2008 | 1,600,000 | government | accidentally published | [63] | |
Cedar Rapids, Iowa | Kirkwood Community College | 2013 | 125,000 | academic | hacked | [64] | |
Massachusetts, US | Massachusetts Executive Office of Labor and Workforce Development | 2011 | 210,000, including names, Social Security numbers, employer identification numbers, emails, home addresses | government | hacked with a trojan | [65] | |
United States | Medicaid | 2012 | 780,000 | government, healthcare | hacked | ||
Chile | Ministry of Education | 2008 | 6,000,000, including ID card numbers, addresses, telephone numbers, academic records | government | hacked | [66] [67] | |
Chile | Servicio Electoral de Chile (Servel) | 2019 | 14,308,151, including names, addresses, tax ID numbers | government | misconfigured server | [68] | |
Shanghai, China | Shanghai National Police Database | 2022 | 1,000,000,000, including name, address, birthplace, national ID number, mobile number, all crime/case details | government | unsecured database | [69] [70] | |
Singapore | Ministry of Health | 2019 | 14,200 | healthcare | poor security/inside job | [71] [72] | |
Slovakia | National Health Information Center (NCZI) of Slovakia | 2020 | 391,250 | healthcare | poor security | [73] | |
Norway | Norwegian Tax Administration | 2008 | 3,950,000 | government | accidentally published | [74] | |
United States | Office of Personnel Management | 2015 | 21,500,000 | government | hacked | [75] [76] [77] | |
Texas, US | Office of the Texas Attorney General | 2012 | 6,500,000 | government | accidentally published | [78] | |
United Kingdom | Ofcom | 2016 | unknown | telecom | inside job | [79] | |
Columbus, Ohio | Ohio State University | 2010 | 760,000, including names, Social Security numbers, dates of birth, addresses | academic | hacked | [80] | |
Oregon | Oregon Department of Transportation | 2011 | 1,000,000, including names, addresses, dates of birth | government | hacked | [81] | |
Various | 2021 | [82] | |||||
Various | 2017 | 14.3 million | records | ||||
Philippines | 2016 | records | hacked | [83] | |||
Philippines | Various law enforcement agencies (Philippine National Police, National Bureau of Investigation, Bureau of Internal Revenue) | 2023 | 1,279,437 | government | poor security | [84] | |
Puerto Rico | Puerto Rico Department of Health | 2010 | 515,000 | healthcare | hacked | ||
Argentina | RENAPER (Argentina) | 2018 | 45,000,000 | government | poor security | [85] [86] | |
Russia | 2022 | handwritten forms, PDFs, spreadsheets, descriptions of lunar missions. | aerospace | hacked by v0g3lsec | [87] | ||
Sakai City, Japan | ? | 2015 | 680,000 | government | inside job | [88] | |
San Francisco, California | San Francisco Public Utilities Commission | 2011 | 180,000 | government | hacked | [89] | |
New South Wales, AU | Service NSW | 2020 | 104,000 | government | hacked | ||
United Kingdom | Service Personnel and Veterans Agency (UK) | 2008 | 50,500 | government | lost / stolen media | [90] | |
South Africa | South Africa police | 2013 | 16,000 | government | hacked | [91] | |
South Carolina, US | South Carolina Department of Revenue | 2012 | 6,400,000 | healthcare | inside job | [92] [93] [94] | |
Stanford, California | Stanford University | 2008 | 72,000, including dates of birth, Social Security numbers, home addresses | academic | lost / stolen computer | [95] [96] | |
Texas, US | ? | 2011 | 3,500,000 | government | accidentally published | [97] | |
Syrian government (Syria Files) | Various | 2012 | 2,434,899 | government | hacked | [98] [99] | |
Texas | Texas Lottery | 2007 | 89,000+, including names, Social Security numbers, addresses, prize amounts | government | inside job | [100] | |
United States | Tricare | 2011 | 4,901,432, including Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions | military, healthcare | lost / stolen computer | [101] | |
United Kingdom | UK Home Office | 2008 | 84,000 | government | lost / stolen media | [102] | |
United Kingdom | UK Ministry of Defence | 2008 | 1,700,000 | government | lost / stolen media | [103] | |
United Kingdom | 2009 | 1500 | Records | government | |||
United Kingdom | UK Revenue & Customs | 2007 | 25,000,000 | government | lost / stolen media | [104] | |
United Nations | ? | 2019 | unknown | international | hacked | [105] | |
United Nations | ? | 2021 | unknown | international | hacked | [106] | |
Berkeley, California | University of California, Berkeley | 2009 | 160,000 | academic | hacked | [107] | |
Berkeley, California | University of California, Berkeley | 2016 | 80,000 | academic | hacked | [108] | |
College Park, Maryland | University of Maryland, College Park | 2014 | 300,000 | academic | hacked | [109] | |
Orange County, Florida | University of Central Florida | 2016 | 63,000 | academic | hacked | [110] | |
Miami, Florida | University of Miami | 2008 | 2,100,000 | academic | lost / stolen computer | [111] [112] [113] | |
Salt Lake City, Utah | University of Utah Hospital & Clinics | 2008 | 2,200,000 | academic | lost / stolen media | [114] | |
Milwaukee, Wisconsin | University of Wisconsin–Milwaukee | 2011 | 73,000 | academic | hacked | ||
Shah Alam, Malaysia | Universiti Teknologi MARA | 2019 | 1,164,540 | academic | hacked | [115] | |
United States | United States Postal Service | 2018 | 60,000,000 | government | poor security | [116] | |
United States | U.S. Army | 2011 | 50,000 | military | accidentally published | ||
United States | U.S. Army | 2010 | 392,000 | government | inside job | [117] | |
United States | U.S. Department of Defense | 2009 | 72,000 | military | lost / stolen media | ||
United States | U.S. Department of Veteran Affairs | 2006 | 26,500,000 | government, military | lost / stolen computer | [118] [119] [120] | |
United States | 2013 | ||||||
United States | Various | 2020 | TBC | government, military | hacked | [121] [122] [123] [124] | |
United States | 70 different law enforcement agencies | 2011 | 123,461 | government | accidentally published | [125] | |
United States | National Archives and Records Administration (U.S. military veterans records) | 2009 | 76,000,000 | military | lost / stolen media | [126] | |
United States | U.S. State Department | 2010 | 260,000 | military | inside job | [127] | |
United States | National Guard of the United States | 2009 | 131,000, including names, Social Security Numbers, incentive payment amounts, payment dates | military | lost / stolen computer | [128] [129] | |
Virginia, US | Virginia Prescription Monitoring Program | 2009 | 8,257,378 | healthcare | hacked | [130] [131] | |
Washington, US | Washington State court system | 2013 | 160,000 | government | hacked | [132] [133] | |
New Haven, Connecticut | Yale University | 2010 | 43,000 | academic | accidentally published | ||
? | 2020 | 200,000,000 | financial | accidentally published | [134] | ||

Entity | Year | Records | Organization type | Method | Sources | |
---|---|---|---|---|---|---|
50 companies and government institutions | 2022 | 6,400,000 | various | poor security | [135] | |
21st Century Oncology | 2015 | 2,200,000 customers' data, including names, Social Security numbers, physicians, diagnoses, insurance information | healthcare | hacked | [136] [137] [138] | |
23andMe | 2023 | 6,900,000 | consumer genetics | credential stuffing | [139] | |
500px | 2020 | 14,870,304 | social network | hacked | [140] | |
Accendo Insurance Co. | 2020 | 175,350 | healthcare | poor security | [141] [142] | |
Accenture | 2007 | |||||
Adobe Systems Incorporated | 2013 | 152,000,000 | tech | hacked | [143] [144] | |
Adobe Inc. | 2019 | 7,500,000 | tech | poor security | [145] [146] | |
Advocate Medical Group | 2017 | 4,000,000 | healthcare | lost / stolen media | [147] [148] | |
AerServ (subsidiary of InMobi) | 2018 | 75,000 | advertising | hacked | [149] | |
Affinity Health Plan, Inc. | 2013 | 344,579 | healthcare | lost / stolen media | [150] [151] | |
Airtel | 2019 | 320,000,000 | telecommunications | poor security | [152] | |
Air Canada | 2018 | 20,000 | transport | hacked | [153] | |
Air India | 2021 | 4,500,000, including name, date of birth, contact information, passport information, frequent flyer data, credit card data, ticket information | transport | hacked | [154] [155] | |
Amazon Japan G.K. | 2019 | unknown | online | accidentally published | [156] [157] | |
TD Ameritrade | 2005 | 200,000 | financial | lost / stolen media | [158] | |
Ameriprise Financial | 2005 | 260,000 customer records | financial | stolen laptop | [159] | |
Ancestry.com | 2021 | 300,000 | genealogy | poor security | [160] | |
Animal Jam | 2020 | 46,000,000 | gaming | hacked | [161] [162] | |
Ankle & Foot Center of Tampa Bay, Inc. | 2021 | 156,000 | healthcare | hacked | [163] | |
Anthem Inc. | 2015 | 80,000,000 | healthcare | hacked | [164] [165] [166] | |
AOL | 2004 | 92,000,000 | web | inside job | [167] [168] | |
AOL | 2006 | 20,000,000 | web | accidentally published, (sometimes referred to as a "Data Valdez",[169] [170] [171] due to its size) | [172] | |
AOL | 2014 | 2,400,000 | web | hacked | [173] | |
2014 | | tech, cloud storage | [174] [175] | |||
Apple, Inc./BlueToad | 2021 | 12,367,232 | tech, retail | accidentally published | [176] | |
Apple | 2013 | 275,000 | tech | hacked | [177] | |
Apple Health Medicaid | 2021 | 91,000 | healthcare | poor security | [178] | |
Ashley Madison | 2015 | 32,000,000 | dating | hacked | [179] [180] | |
AT&T | 2008 | 113,000 | telecoms | lost / stolen computer | [181] | |
AT&T | 2010 | 114,000 | telecoms | hacked | [182] | |
AT&T | 2021 | 72,000,000 | telecoms | unknown | [183] | |
Atraf | 2021 | unknown | dating | hacked | [184] | |
Auction.co.kr | 2008 | 18,000,000 | web | hacked | [185] | |
Australian Red Cross Blood Service | 2016 | 550,000, including names, contact details, birthdates, medical details, information about "at-risk sexual behaviour" | non-profit | accidentally published | [186] [187] | |
Automatic Data Processing | 2006 | 125,000 | financial | poor security | [188] | |
AvMed, Inc. | 2009 | 1,220,000 | healthcare | lost / stolen computer | [189] [190] | |
Bailey's Inc. | 2015 | 250,000 | retail | hacked | [191] | |
The Bank of New York Mellon | 2008 | 12,500,000, including names, addresses, birth dates, Social Security numbers | financial | lost box of data tapes | [192] [193] | |
Bank of America | 2005 | 1,200,000 | financial | lost / stolen media | [194] | |
Barnes & Noble | 2012 | 63 stores | retail | hacked | [195] [196] | |
Bell Canada | 2017 | 1,900,000 | telecoms | poor security | [197] | |
Bell Canada | 2018 | 100,000 | telecoms | hacked | [198] | |
Benesse | 2014 | 35,040,000 | educational services | hacked | [199] | |
Betfair | 2010 | 2,300,000 | gambling | hacked | ||
Bethesda Game Studios | 2011 | 200,000 | gaming | hacked | [200] | |
Bethesda Game Studios | 2018 | customer names, addresses, contact details, partial credit card numbers | gaming | accidentally published | [201] | |
Betsson Group | 2020 | unknown | gambling | unknown | [202] | |
Blank Media Games | 2018 | 7,633,234 | gaming | hacked | [203] [204] | |
Blizzard Entertainment | 2012 | 14,000,000 | gaming | hacked | [205] [206] | |
BlueCross BlueShield of Tennessee | 2009 | 1,023,209 | 1,023,039 | healthcare | lost / stolen media | [207] [208] |
BMO and Simplii | 2018 | 90,000 | financial | poor security | [209] | |
Boeing | 2006 | 382,000 employees (after similar losses of data on 3,600 employees in April and 161,000 employees in November, 2005) | transport | Lost/Stolen Device | ||
British Airways | 2018 | 500,000 | transport | hacked | [210] [211] [212] [213] [214] | |
British Airways | 2015 | tens of thousands | transport | hacked | [215] | |
Callaway Golf Company | 2023 | 1,114,954, including full names, shipping addresses, email addresses, phone numbers, order histories, account passwords, answers to security questions | sports | hacked | [216] [217] | |
Canva | 2019 | 140,000,000 | web | hacked | [218] [219] [220] [221] [222] | |
Capcom | 2020 | 350,000 | gaming | hacked | [223] | |
Capital One | 2019 | 106,000,000 | financial | unsecured S3 bucket | [224] [225] [226] | |
CardSystems Solutions Inc. (MasterCard, Visa, Discover Financial Services and American Express) | 2005 | 40,000,000 | financial | hacked | [227] [228] | |
Cathay Pacific Airways | 2018 | 9,400,000 | transport | hacked | [229] | |
CareFirst BlueCross Blue Shield - Maryland | 2015 | 1,100,000 | healthcare | hacked | [230] | |
Central Coast Credit Union | 2016 | 60,000 | financial | hacked | [231] | |
Central Hudson Gas & Electric | 2013 | 110,000 | energy | hacked | [232] | |
CheckFree Corporation | 2009 | 5,000,000 | financial | hacked | [233] | |
CGI Group | 2007 | 283,000 | ||||
CheckPeople | 2020 | 56,000,000 | background check | unknown | [234] | |
Chess.com | 2023 | 800,000 | gaming | web scraping | [235] [236] | |
China Software Developer Network | 2011 | 6,000,000 | web | hacked | [237] | |
Chinese gaming websites (three: Duowan, 7K7K, 178.com) | 2011 | 10,000,000 | gaming | hacked | [238] | |
ChoicePoint | 2005 | 163,000 consumer records | data aggregator | intentionally selling data | [239] | |
Citigroup | 2005 | 3,900,000 | financial | lost / stolen media | [240] | |
Citigroup | 2011 | 360,083 | financial | hacked | [241] [242] | |
Citigroup | 2013 | 150,000 | financial | poor security | [243] | |
Clearview AI | 2020 | unknown (client list) | information technology | hacked | [244] [245] [246] | |
Collection No. 1 | 2019 | 773,000,000 | various | compilation of multiple data breaches | [247] | |
Community Health Systems | 2014 | 4,500,000 | healthcare | hacked | [248] | |
Compass Bank | 2007 | 1,000,000 | financial | inside job | [249] | |
Countrywide Financial Corp | 2008 | 2,500,000 | financial | insider theft | [250] [251] [252] [253] | |
Cox Communications | 2016 | 40,000 | telecoms | hacked | [254] | |
Crescent Health Inc., Walgreens | 2013 | 100,000 | healthcare, pharmacy | lost / stolen computer | [255] | |
Cutout.Pro | 2024 | 19,972,829 | web | hacked | [256] | |
CVS | 2015 | millions | pharmacy | hacked | [257] | |
CyberServe | 2021 | 1,107,034 | hosting provider | hacked | [258] [259] | |
D. A. Davidson & Co. | 2007 | 192,000 clients' names, customer account and social security numbers, addresses and dates of birth | broker/dealer | hacked by Latvian hackers | [260] | |
Dai Nippon Printing | 2007 | 8,637,405, including names, addresses, credit card numbers | printing | inside job | [261] [262] | |
Data Processors International (MasterCard, Visa, Discover Financial Services and American Express) | 2008 | 8,000,000 | financial | hacked | [263] | |
DC Health Link | 2023 | 56,000 | healthcare | misconfigured website | [264] | |
Dedalus Biologie (a division of Dedalus Global) | 2021 | 500,000 | healthcare | poor security | [265] [266] | |
Dell | 2024 | 49,000,000, including customers' names, addresses, order and hardware information | electronics | brute force attack by a "Dell partner" | [267] [268] [269] | |
Deloitte | 2017 | 350 clients emails | consulting, accounting | poor security | [270] [271] | |
Desjardins | 2019 | 9,700,000 | financial | inside job | [272] | |
Disney | 2024 | 1.2 TB of internal Slack data | entertainment | hacked with a trojan | [273] [274] [275] | |
Domino's Pizza (France) | 2014 | 600,000 | restaurant | hacked | [276] | |
DonorView | 2023 | 948,029 | charity | poor security | [277] | |
2019 | 4,900,000 | web | hacked | [278] | ||
Dropbox | 2012 | 68,648,009 | web | hacked | [279] | |
Drupal | 2013 | 1,000,000 | web | hacked | [280] | |
DSW Inc. | 2005 | 1,400,000 | retail | hacked | [281] | |
Dubsmash | 2018 | 162,000,000 | social network | hacked | [282] | |
Dun & Bradstreet | 2013 | 1,000,000 | tech | hacked | [283] [284] | |
Duolingo | 2023 | 2,676,696 | educational services | web scraping | [285] | |
Earl Enterprises (Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy, Mixology, Tequila Taqueria) | 2018 | 2,000,000 | restaurant | hacked | [286] | |
EasyJet | 2019 | 9,000,000 (approx) - basic booking, 2208 (credit card details) | transport | hacked | [287] [288] | |
eBay | 2014 | 145,000,000 | e-commerce | hacked | [289] | |
Educational Credit Management Corporation | 2010 | 3,300,000 | nonprofit, financial | lost / stolen media | [290] | |
Eisenhower Medical Center | 2011 | 514,330 | healthcare | lost / stolen computer | [291] | |
ElasticSearch | 2019 | 108,000,000 | tech | poor security | [292] | |
Emergency Healthcare Physicians, Ltd. | 2010 | 180,111 | healthcare | lost / stolen media | [293] [294] | |
Emory Healthcare | 2012 | 315,000 | healthcare | poor security | ||
2018 | user accounts | gaming | vulnerability | [295] [296] [297] | ||
2021 | 15,000,000 | web | hacked | |||
Ernst & Young | 2006 | 234,000 customers of Hotels.com (after a similar loss of data on 38,000 employees of Ernst & Young clients in February) | ||||
Equifax | 2017 | 143,000,000, including names, date of birth, social security numbers, addresses, credit cards, driver's licenses | financial, credit reporting | poor security | [298] [299] [300] [301] | |
EssilorLuxottica | 2021 | 77,093,812 | healthcare, retail | hacked | [302] [303] | |
Evernote | 2013 | 50,000,000 | web | hacked | [304] [305] | |
Evide data breach | 2023 | 1,000 | computer services for charities | ransomware hacked | [306] [307] [308] [309] [310] | |
Exactis | 2018 | 340,000,000 | data broker | poor security | [311] | |
Excellus BlueCross BlueShield | 2015 | 10,000,000 | healthcare | hacked | [312] | |
Experian - T-Mobile US | 2015 | 15,000,000 | telecoms | hacked | [313] [314] | |
EyeWire | 2016 | unknown | tech | lost / stolen computer | [315] | |
2013 | 6,000,000 | social network | accidentally published | [316] | ||
2018 | 50,000,000 | social network | poor security | [317] [318] [319] [320] | ||
2010 | 87,000,000 | social network | data misuse | [321] [322] [323] | ||
2019 | 540,000,000 | social network | poor security | [324] [325] | ||
2019 | 1,500,000 | social network | accidentally uploaded | [326] | ||
2019 | 267,000,000 | social network | poor security | [327] [328] | ||
Facebook Marketplace | 2023 | 200,000 | social network | unknown | [329] | |
Fast Retailing | 2019 | 461,091 | retail | hacked | [330] | |
Fidelity National Information Services | 2007 | 8,500,000 | financial | inside job | [331] | |
Fidelity National Financial | 2023 | 1,300,000 | financial | hacked by ALPHV | [332] [333] | |
First American Corporation | 2019 | 885,000,000 | financial | poor security | [334] | |
FireEye | 2020 | Unknown | information security | hacked | [335] [336] [337] | |
Friend Finder Network | 2016 | 412,214,295 | web | poor security / hacked | [338] [339] | |
Funimation | 2016 | 2,500,000 | web | hacked | [340] [341] | |
Formspring | 2012 | 420,000 | web | accidentally published | [342] | |
Gamigo | 2012 | 8,000,000 | web | hacked | [343] | |
Gap Inc. | 2007 | 800,000 | retail | lost / stolen computer | [344] [345] | |
Gawker | 2010 | 1,500,000 | web | hacked | [346] [347] | |
2008 | 650,000 | 650,000 customers' data, including 150,000 social security numbers and in-store credit card information from retail customers | financial | magnetic tape missing from an Iron Mountain Incorporated storage facility | [348] | |
Global Payments | 2012 | 7,000,000 | financial | hacked | [349] | |
Gmail | 2014 | 5,000,000 | web | hacked | [350] | |
Golfzon | 2023 | 2,210,000, including names, phone numbers, email addresses, dates of birth | sports | ransomware/hacked | [351] | |
Google Plus | 2018 | 500,000 | social network | poor security | [352] [353] [354] [355] | |
goregrish.com | 2021 | 300,000 | web | hacked | [356] | |
Grozio Chirurgija | 2017 | 25,000 | healthcare | hacked | [357] [358] [359] | |
GS Caltex | 2008 | 11,100,000, including names, social security numbers, addresses, cell phone numbers, email addresses and workplaces of customers | energy | discs found in trash | [360] [361] [362] | |
Gyft | 2016 | unknown | web | hacked | [363] [364] | |
Hannaford Brothers Supermarket Chain | 2008 | 4,200,000, including credit card numbers and expiration dates | retail | hacked | [365] | |
HauteLook | 2018 | 28,517,244 | e-commerce | hacked | [366] [367] [368] | |
HCA Healthcare | 2023 | 11,270,000 | healthcare | hacked | [369] | |
Health Net | 2009 | 1,500,000, including names, medical records, addresses, Social Security numbers | healthcare | lost / stolen media | [370] [371] | |
Health Net — IBM | 2011 | 1,900,000 | healthcare | lost / stolen media | [372] | |
Heartland Payment Systems | 2009 | 130,000,000 | financial | hacked | [373] [374] [375] [376] | |
Hewlett Packard | 2006 | 200,000 | tech, retail | lost / stolen media | [377] | |
Hilton Hotels | 2014 | 363,000 | hotel/casino | hacked | [378] [379] | |
Home Depot | 2014 | 56,000,000 | retail | hacked | [380] [381] | |
Honda Canada | 2011 | 283,000, including names, addresses, VIN numbers, Honda Financial Services Account numbers, phone numbers, e-mail addresses | automotives | "unusual traffic" | [382] [383] | |
Hyatt Hotels | 2015 | 250 locations | hotel/casino | hacked | [384] [385] | |
Iberdrola | 2022 | 1,300,000 | energy | poor security | [386] | |
IKEA | 2022 | 95,000 | retail | accidentally published | [387] | |
Infosys McCamish Systems | 2023 | 57,028 Bank of America customers, including names and social security numbers; 28,268 Fidelity Investments customers, including names, dates of birth, social security numbers, bank account and routing numbers, credit card numbers, passwords, PINs | tech | hacked | [388] [389] [390] [391] [392] | |
2023 | 1.7 terabytes | 1.67 TB, 1.3 million files of passports, I-9 forms, termination documents, Slack messages, Wolverine game data | gaming | hacked by Rhysida | [393] | |
2020 | 200,000,000 | social network | poor security | [394] | ||
Ititan Hosting Solutions | 2024 | unknown | hosting provider | hacked / poor security | [395] | |
International Committee of the Red Cross | 2022 | 515,000 | humanitarian | unknown | [396] [397] [398] | |
Inuvik hospital | 2016 | 6,700 | healthcare | inside job | [399] | |
Iranian banks (three: Saderat, Eghtesad Novin, and Saman) | 2012 | 3,000,000 | financial | hacked | [400] | |
Japanet Takata | 2004 | 510,000 | shopping | inside job | [401] | |
JP Morgan Chase | 2007 | 2,600,000 | financial | lost / stolen media | [402] | |
JP Morgan Chase | 2014 | 76,000,000 | financial | hacked | [403] | |
Justdial | 2019 | 100,000,000 | local search | unprotected API | [404] | |
Kadokawa Corporation | 2024 | 1.5 TB of corporate and personal information of users and employees of Niconico | web | ransomware hacking | [405] | |
KDDI | 2006 | 4,000,000 | telecoms | hacked | [406] | |
KitchenPal (iCuisto) | 2023 | 100,000 | web | hacked | [407] | |
KM.RU | 2016 | 1,500,000 | web | hacked | [408] | |
Koodo Mobile | 2020 | unknown | mobile carrier | hacked | [409] | |
Korea Credit Bureau | 2014 | 20,000,000 | financial, credit bureau | inside job | [410] | |
Kroll Background America | 2013 | 1,000,000 | tech | hacked | ||
KT Corporation | 2012 | 8,700,000 | telecoms | hacked | [411] [412] | |
LexisNexis | 2014 | 1,000,000 | tech | hacked | ||
Landry's, Inc. | 2015 | 500 locations | restaurant | hacked | [413] [414] | |
LastPass | 2015 | password reminders, e-mail addresses | tech | hacked | [415] | |
LastPass | 2022 | Password vault backup | tech | poor security/hacked | [416] | |
Les Éditions Protégez-vous | 2020 | 380,000 | publisher (magazine) | unknown | [417] | |
LifeLabs | 2019 | 15,000,000 | healthcare | hacked | [418] | |
Lincoln Medical & Mental Health Center | 2010 | 130,495 | healthcare | lost / stolen media | [419] | |
LinkedIn, eHarmony, Last.fm | 2012 | 8,000,000 | web | accidentally published | [420] [421] | |
Living Social | 2013 | 50,000,000 | web | hacked | [422] [423] | |
Lyca Mobile | 2023 | 16,000,000 | telecommunications | hacked | [424] [425] | |
MacRumors.com | 2014 | 860,000 | web | hacked | [426] | |
Mandarin Oriental Hotels | 2014 | 10 locations | hotel/casino | hacked | [427] [428] | |
Manipulated Caiman | 2023 | 40,000,000 | financial | hacked | [429] | |
Marriott International | 2018 | 500,000,000 | hotel/casino | hacked | [430] | |
Marriott International | 2020 | 5,200,000 | hotel/casino | poor security/inside job | [431] | |
MediaWorks New Zealand | 2023 | 162,710 | media | hacked | [432] | |
Massive American business hack | 2012 | 160,000,000 | financial | hacked | [433] | |
Medibank & AHM | 2022 | 9,700,000 | healthcare | hacked | ||
Medical Informatics Engineering | 2015 | 3,900,000 | healthcare | hacked | [434] | |
Memorial Healthcare System | 2011 | 102,153 | healthcare | lost / stolen media | [435] [436] | |
MGM Resorts | 2019 | 10,600,000 | hotel/casino | hacked | [437] | |
Michaels | 2014 | 3,000,000 | retail | hacked | [438] | |
Microsoft | 2019 | 250,000,000 | tech | data exposed by misconfiguration | [439] | |
Microsoft Exchange servers | 2021 | unknown | software | zero-day vulnerabilities | [440] [441] | |
Militarysingles.com | 2012 | 163,792 | dating | accidentally published | [442] | |
Mitsubishi Tokyo UFJ Bank | 2006 | 960,000 | financial | intentionally lost | ||
MongoDB | 2019 | 202,000,000 | tech | poor security | [443] | |
MongoDB | 2019 | 275,000,000 | tech | poor security | [444] | |
2016 | [445] [446] [447] [448] | |||||
Mobile TeleSystems (MTS) | 2019 | 100,000,000 | telecommunications | misconfiguration/poor security | [449] | |
Monster.com | 2007 | 1,600,000 | web | hacked | [450] | |
Morgan Stanley Smith Barney | 2011 | 34,000 | financial | lost / stolen media | ||
Morinaga Confectionery | 2022 | 1,648,922 | food | ransomware hacked | [451] | |
Mozilla | 2014 | 76,000 | web | poor security | [452] | |
MyHeritage | 2018 | 92,283,889 | genealogy | unknown | [453] | |
Myspace | 2016 | 360,000,000+, including usernames, passwords, email addresses | social network | poor security/account recovery | [454] [455] [456] | |
NASDAQ | 2014 | unknown | financial | hacked | [457] | |
National Public Data | 2024 | 2,700,000,000+ (claimed) | data broker | [458] | ||
Natural Grocers | 2015 | 93 stores | retail | hacked | [459] | |
NEC Networks, LLC | 2021 | 1,600,000 | healthcare | hacked | [460] | |
Neiman Marcus | 2014 | 1,100,000 | retail | hacked | [461] [462] | |
Nemours Foundation | 2011 | 1,055,489 | healthcare | lost / stolen media | [463] | |
Network Solutions | 2009 | 573,000 | tech | hacked | [464] [465] | |
Newegg | 2018 | credit card information | e-commerce | maliciously injected JavaScript | [466] [467] | |
New York City Health & Hospitals Corp. | 2010 | 1,700,000 | healthcare | lost / stolen media | ||
New York State Electric & Gas | 2012 | 1,800,000 | energy | inside job | ||
New York Taxis | 2014 | 52,000 | transport | poor security | [468] | |
Nexon Korea Corp | 2011 | 13,200,000 | gaming | hacked | [469] | |
NHS | 2011 | 8,630,000 | healthcare | lost / stolen media | [470] | |
Nintendo (Club Nintendo) | 2013 | 240,000 | gaming | hacked | [471] | |
Nintendo (Nintendo Account) | 2020 | 160,000 | gaming | hacked | [472] | |
Nippon Television | 2016 | 430,000 | media | hacked | ||
Nival Networks | 2016 | 1,500,000 | gaming | hacked | [473] | |
Now:Pensions | 2020 | 30,000 | financial | rogue contractor | [474] | |
NTT Business Solutions | 2023 | 9,000,000 | telecoms | hacked | [475] | |
NTT Docomo | 2023 | 5,960,000 | telecoms | hacked | [476] | |
OGUsers | 2022 | 529,000 | web | hacked | [477] | |
Optus | 2022 | 9,800,000 | telecommunications | hacked | ||
Orbitz | 2018 | 880,000 | web | hacked | [478] | |
OVH | 2013 | undisclosed | web | hacked | [479] | |
2021 | [480] | |||||
2017 | 14.3 million | records | ||||
Patreon | 2015 | 2,300,000 | web | hacked | [481] | |
PayPay | 2020 | 20,076,016 | QR code payment | improper setting, hacked | [482] | |
Popsugar | 2018 | 123,857 | media | hacked | [483] | |
Premera | 2015 | 11,000,000 | healthcare | hacked | [484] | |
Quest Diagnostics | 2019 | 11,900,000 | clinical laboratory | poor security | [485] | |
Quora | 2018 | 100,000,000 | question & answer | hacked | [486] [487] | |
Rakuten | 2020 | 1,381,735 | e-commerce | improper setting, hacked | ||
Rambler.ru | 2012 | 98,167,935 | web | hacked | [488] [489] | |
Razer | 2020 | 100,000, including email and mailing addresses, product orders, and phone numbers | tech | misconfigured server | [490] | |
RBS Worldpay | 2008 | 1,500,000 | financial | hacked | [491] | |
2018 | usernames, emails, 2007 database backup | social network | employee account compromise | [492] | ||
2021 | unknown | social network | hacked | [493] | ||
Restaurant Depot | 2011 | 200,000 credit card records | retail | hacked by Russian hackers | [494] [495] | |
Roblox | 2016 | 52,458, including account balances, email addresses, IP addresses, purchases, usernames | gaming | exposed test server | [496] | |
Roblox | 2023 | 3,943, including names, usernames, dates of birth, physical addresses, email addresses, IP addresses, phone numbers, and T-shirt sizes | gaming | unknown | [497] [498] | |
RockYou! | 2009 | 32,000,000 | web, gaming | hacked | [499] | |
Roku | 2024 | 15,363 accounts | tech | credential stuffing attack | [500] | |
Roll20 | 2018 | 4,000,000, including email addresses, IP addresses, names, the last four digits of credit cards | web, gaming | hacked | [501] [502] | |
Roll20 | 2024 | full names, email addresses, IP addresses, the last four digits of credit cards | web, gaming | compromised administrative account | [503] [504] | |
Rosen Hotels | 2016 | unknown | hotel/casino | hacked | [505] | |
2018 | five million | credit card records | retail | hacked | [506] | |
Scottrade | 2015 | 4,600,000 | financial | hacked | [507] | |
Scribd | 2013 | 500,000 | web | hacked | [508] [509] | |
Seacoast Radiology, PA | 2010 | 231,400 | healthcare | hacked | [510] | |
Sega | 2011 | 1,290,755 | gaming | hacked | [511] | |
ShopBack | 2020 | unknown | e-commerce | hacked | [512] | |
SingHealth | 2018 | 1,500,000 | healthcare | hacked | [513] [514] [515] | |
Slack | 2015 | 500,000 | tech | poor security | [516] | |
SlickWraps | 2020 | 377,428 | phone accessories | poor security | [517] | |
Snapchat | 2013 | 4,700,000 | social network | hacked | [518] | |
Snowflake | 2024 | 5 companies, including data from Ticketmaster, Advanced Auto Parts, Lending Tree, Cylance, Santander Bank | tech, data storage | compromised credentials | [519] [520] [521] [522] | |
SolarWinds | 2020 | Source Code Compromised | network monitoring | hacked | [523] | |
Sony Online Entertainment | 2011 | 24,600,000 | gaming | hacked | [524] [525] | |
Sony Pictures | 2011 | 1,000,000, including passwords, email addresses, phone numbers, home addresses, dates of birth | web | hacked by LulzSec | [526] | |
Sony Pictures | 2014 | 100 terabytes | media | hacked | [527] [528] | |
Sony PlayStation Network | 2011 | 77,000,000 | gaming | hacked | [529] | |
South Shore Hospital, Massachusetts | 2010 | 800,000 | healthcare | lost / stolen media | ||
Southern California Medical-Legal Consultants | 2011 | 300,000 | healthcare | hacked | [530] [531] | |
Spartanburg Regional Healthcare System | 2011 | 400,000, including names, Social Security numbers, addresses, dates of birth and medical billing codes | healthcare | lost / stolen computer | [532] [533] | |
Spoutible | 2024 | 207,114 | social network | misconfigured API | [534] | |
2014 | 1.16 million | customer payment cards | retail | hacked | [535] | |
Starbucks | 2008 | 97,000, including names, addresses, and social security numbers | restaurant | lost / stolen computer | [536] [537] [538] | |
Starwood including Westin Hotels & Resorts and Sheraton Hotels and Resorts | 2015 | 54 locations | hotel/casino | hacked | [539] [540] | |
Steam | 2011 | 35,000,000 | gaming | hacked | [541] | |
StockX | 2019 | 6,800,000 | e-commerce | hacked | [542] | |
Stratfor | 2011 | ? | military | hacked | [543] | |
Supervalu | 2014 | 200 stores | retail | hacked | [544] | |
Sutter Medical Center | 2011 | 4,243,434 | healthcare | lost / stolen computer | [545] | |
Taobao | 2016 | 20,000,000 | e-commerce | hacked | [546] | |
2015 | 4 million | records | telecom | hacked | [547] | |
Tangerine Telecom | 2024 | 243,462 | telecom | compromised credentials | [548] | |
Taringa! | 2017 | 28,722,877 | web | hacked | [549] | |
Target Corporation | 2013 | 110,000,000 | retail | hacked | [550] [551] [552] | |
TaxSlayer.com | 2016 | 8,800 | web | hacked | [553] [554] [555] | |
TD Ameritrade | 2007 | 6,300,000 | financial | hacked | [556] | |
TD Bank | 2012 | 260,000 | financial | hacked | [557] [558] | |
TerraCom & YourTel | 2013 | 170,000 | telecoms | accidentally published | [559] [560] | |
Tesla | 2023 | 75,000 | transport | inside job | [561] | |
Tetrad | 2020 | 120,000,000 | market analysis | poor security | [562] | |
Ticketfly (subsidiary of Eventbrite) | 2018 | 26,151,608 | ticket distribution | hacked | [563] | |
Ticketmaster | 2018 | 40,000, including login information, payment data, addresses, names, phone numbers | ticket distribution | maliciously modified JavaScript | [564] [565] | |
Ticketmaster | 2024 | 560,000,000 | ticket distribution | hacked third party service | [566] [567] | |
Tic Hosting Solutions (known as Torchbyte) | 2023 | 46 | hosting provider | misconfigured web server | [568] [569] | |
Tianya Club | 2011 | 28,000,000 | web | hacked | [570] | |
TikTok | 2020 | 42,000,000 | social network | poor security | ||
TK / TJ Maxx | 2007 | 94,000,000 | retail | hacked | [571] [572] | |
T-Mobile, Deutsche Telekom | 2006 | 17,000,000, including phone numbers, addresses, dates of birth, email addresses | telecoms | lost / stolen media | [573] [574] | |
T-Mobile | 2021 | 45,000,000 | telecom | hacked | [575] | |
T-Mobile | 2023 | 37,000,000 | telecom | hacked | [576] | |
Tokopedia | 2020 | 91,000,000 | e-commerce | hacked | [577] | |
Trello | 2024 | 15,111,945 | tech | misconfigured API | [578] | |
Triple-S Salud, Inc. | 2010 | 398,000 | healthcare | lost / stolen media | [579] | |
Truecaller | 2019 | 299,055,000 | telephone directory | unknown | [580] [581] | |
Trump Hotels | 2014 | 8 locations | hotel/casino | hacked | [582] [583] | |
Tumblr | 2013 | 65,469,298 | web | hacked | [584] | |
Twilio | 2022 | 125 | tech | phishing attack | [585] [586] | |
Twilio | 2024 | 33,000,000, including phone numbers, | tech | credential stuffing attack | [587] [588] | |
Twitch | 2015 | unknown | tech | hacked | [589] | |
Twitch | 2021 | unknown | tech | hacked/misconfiguration | [590] | |
2013 | 250,000 | social network | hacked | [591] | ||
Typeform | 2018 | unknown | tech | poor security | ||
Uber | 2014 | 50,000 | transport | poor security | [592] | |
Uber | 2017 | 57,000,000 | transport | hacked | [593] | |
Ubisoft | 2013 | unknown | gaming | hacked | [594] | |
Ubuntu | 2013 | 2,000,000 | tech | hacked | [595] | |
UCLA Medical Center, Santa Monica | 2015 | 4,500,000 | healthcare | hacked | [596] | |
U-Haul | 2023 | 67,000, including full names, dates of birth, driver license numbers | transport | stolen credentials | [597] [598] | |
MyFitnessPal (Under Armour subsidiary) | 2018 | 150,000,000 | consumer goods | hacked | [599] [600] | |
UPS | 2014 | 51 locations | logistics | hacked | [601] | |
Vastaamo | 2020 | 130,000 | healthcare | hacked | [602] | |
Verifications.io (first leak) | 2019 | 809,000,000 | online marketing | poor security | [603] | |
Verifications.io (total leaks) | 2019 | 2,000,000,000 | online marketing | poor security | [604] | |
Verizon Communications | 2016 | 1,500,000 | telecoms | hacked | [605] | |
View Media | 2020 | 38,000,000 | online marketing | publicly accessible Amazon Web Services (AWS) server | [606] | |
Virgin Media | 2020 | 900,000 | telecoms | accidentally exposed | [607] [608] | |
Vodafone | 2013 | 2,000,000 | telecoms | inside job | [609] | |
VTech | 2015 | 5,000,000 | retail | hacked | [610] | |
Walmart | 2015 | 1,300,000 | retail | hacked | ||
Washington Post | 2011 | 1,270,000 | media | hacked | [611] | |
Wattpad | 2020 | 270,000,000 | web | hacked | [612] | |
Wawa (company) | 2020 | 30,000,000 | retail | hacked | [613] | |
Weebly | 2016 | 43,430,316 | web | hacked | [614] [615] | |
Wellnow Urgent Care | 2023 | patients’ names, dates of birth, health information | healthcare | ransomware hacked | [616] | |
Wendy's | 2015 | unknown | restaurant | hacked | [617] [618] | |
Westpac | 2019 | 98,000 | financial | hacked | [619] | |
Woodruff Arts Center | 2019 | unknown | arts group | poor security | [620] | |
WordPress | 2018 | thousands of websites | web services | vulnerabilities in plugins | [621] | |
Writerspace.com | 2011 | 62,000 | web | hacked | [622] | |
Xat.com | 2015 | 6,054,459 | web | social engineering | [623] | |
Yahoo | 2013 | 3,000,000,000 | web | hacked | [624] [625] | |
Yahoo | 2014 | 500,000,000 | web | hacked | [626] [627] [628] [629] [630] | |
Yahoo Japan | 2013 | 22,000,000 | tech, web | hacked | [631] | |
Yahoo! Voices | 2012 | 450,000 | web | hacked | [632] [633] | |
YouTube | 2020 | 4,000,000 | social network | poor security | ||
Zappos | 2012 | 24,000,000 | e-commerce | hacked | [634] | |
Zynga | 2019 | 173,000,000 | social network | hacked | [635] [636] | |
Experian | 2020 | 23,000,000 | finance | social engineering | [637] | |