40 Biggest Data Breaches of All Time

The internet has become a pervasive entity in the lives of businesses everywhere, making communication, marketing, and doing business easier than ever. However, the rising number of data breaches has begun to paint a darker picture of the internet and what it has in store for companies in the coming years.

Data breaches explained

A data breach occurs when any sensitive, internal information is exposed, regardless of whether it’s for malicious reasons or not. This data includes business, employee, and even customer information—often personally identifiable information (PII), such as names, social security numbers, payment card numbers, and more. Cyber criminals can sell the information they steal from your servers, or use it to make fraudulent purchases and steal identities.

Hacking, ineffective counter-measures to malware and inadequate network security/encryption all have the potential to lead to a data breach.

Price of becoming compromised

It’s difficult to put a price on data breaches. Aside from money lost to lawsuits, there’s the cost of IT to repair the damage or hardware, the loss of reputation, and the loss of future revenue as clients and customers leave. Non-material losses, such as reputation, make it hard to quantify just how much money these data breaches cost companies. In 2015, it was estimated that the average, per-record cost of a data breach had reached $154.

The integrity of your internal network and the skill level of your IT team are paramount in protecting your business’s data. Even so, no one is immune to data breaches, and it can help to have a preparedness plan in place should one occur.

The companies with inadequate post-breach plans, or that lack one altogether, are typically the ones who suffer the largest setbacks. They may not become aware of malicious attacks until hours, days, or weeks after they’ve occurred, in which time the hackers may have already caused irreparable harm with the stolen data.

Between 2005 and 2015, there were over 5.5k data breaches in the United States alone—and these were only the ones publicly announced. We’ve outlined 40 of the largest data breaches of all time to illustrate the lasting damage these malicious cyber-attacks can have on businesses large and small.

1. Epsilon
Year of breach: 2015
Number of records affected: 60-250 million

Handled communications for more than 2,500 clients worldwide—including seven Fortune 10 companies. Hackers stole records of 50 Epsilon clients, exposing at least 60 million customer emails, but potentially as many as 250 million emails may have been obtained. Breach affected companies such as Best Buy, JPMorgan Chase, Capital One Bank, and Verizon.

Monetary cost of breach: The number could reach $4 billion depending on what happens to the data that was stolen.

 

2. Experian (owner of “Court Ventures”)
Year of breach: 2012
Number of records affected: 200 million

Credit bureau Experian purchased Court Ventures, a firm that aggregated, repackaged, and distributed public record data. They continued reselling data to a third party without Experian’s notice and awareness. A Vietnamese hacker was found to be responsible for the illicit use of the purchased personal information of 200 million individuals.

Monetary cost of breach: Unknown.

 

3. U.S. Voter Database
Year of breach: 2015
Number of records affected: 191 million

Breach exposed names, addresses, birth dates, party affiliations, phone numbers, and emails of voters in all 50 U.S. states and Washington.

Monetary cost of breach: None.

 

4. NASDAQ
Year of breach: Between 2005 and 2012
Number of records affected: More than 160 million

Foreign hackers stole more than 160 million credit and debit card numbers, targeting more than 800,000 bank accounts. NASDAQ servers were also compromised.

Monetary cost of breach: Unknown.

 

5. eBay
Year of breach: 2014
Number of records affected: 145 million

Hackers gained access to a database holding eBay customers’ names, home addresses, dates of birth, and encrypted passwords.

Monetary cost of breach: The company spent about $200 million to settle class-action suits and regulatory fines.

 

6. Saudi Aramco
Year of breach: 2012
Number of records affected: 145 million

This petroleum and gas company, responsible for supplying at least 10% of the world’s oil, was hit by a virus that cost it almost 35,000 of the company’s computers. They were forced offline completely and had to rely on fax and typewriters to continue business. Aramco lost its ability to process payments and temporarily ceased the sale of oil to gas trucks. After 17 days, they had to give oil away free to fulfill Saudi oil needs.

Monetary cost of breach: Unknown costs of massive IT and security overhaul, more than 50,000 new hard drives, software, and “giving away” oil.

 

7. Heartland Payment Systems
Year of breach: 2008-2009
Number of records affected: 130 million

More than 250,000 businesses across the country were affected after the 130 million credit and debit card records of major credit card companies were stolen by hackers.

Monetary cost of breach: Eventually paid more than $110 million to Visa, MasterCard, American Express, and other card associations to settle claims related to the breach.

 

8. Target Stores
Year of breach: 2013 & 2014
Number of records affected: 30 million & 70-110 million

The credit and debit card numbers of 30 million customers were stolen during the 2013 post-Thanksgiving shopping surge. In 2014, 70-110 million customers were compromised when full names, addresses, email addresses, and telephone numbers were hacked, many of whom had previously lost their credit and debit card information in the 2013 data breach.

Monetary cost of breach: Incurred total net expenses of $148-162 million for both 2013 and 2014 data breaches.

 

9. Sony Online Entertainment Services
Year of breach: 2011
Number of records affected: 102 million

Hackers obtained the login credentials, names, addresses, phone numbers, and email addresses for users on the PlayStation Network, Sony Online Entertainment, and Qriocity video- and music-streaming services. 23,400 Sony Online Entertainment users in Europe had their credit-card data stolen.

Monetary cost of breach: Resulted in 65 class-action lawsuits totaling $171 million to $1.5 billion.

 

10. Anthem
Year of breach: 2015
Number of records affected: 69-80 million

The second-largest health insurer in the U.S., Anthem, lost names, addresses, dates of birth, social security numbers, and employment histories of its customers in a data breach that affected upwards of 80 million individuals.

Monetary cost of breach: Nearly $100 million spent to address the breach, but the final cost may well exceed that number.

 

11. National Archive and Records Administration
Year of breach: 2008
Number of records affected: 76 million

A malfunctioning hard drive containing the names, contact information, and social security numbers of 76 million U.S. military veterans was sent for repair. When the contractor determined the drive could not be fixed, it was designated as ‘scrap’, but no confirmation was made as to whether the drive was actually destroyed. NARA launched an investigation and determined that no breach of personally identifying information (PII) had occurred; however, they were forced to change their policies for the destruction of malfunctioning storage media containing PII.

Monetary cost of breach: None.

 

12. Securus Technologies
Year of breach: 2015
Number of records affected: 70 million

As a leading provider of phone services inside the nation’s prisons and jails, Securus Technologies lost 70 million records of phone calls and links to downloadable recordings of the calls—many including conversations between attorneys and their clients. This not only exposed individuals to fraud and phishing scams, but brought to light potential breaches of attorney-client privilege on behalf of Securus.

Monetary cost of breach: Unknown.

 

13. The Home Depot
Year of breach: 2014
Number of records affected: 56 million

Monetary cost of breach: Between $40-80 million was spent between both breaches.

 

14. Evernote
Year of breach: 2013
Number of records affected: More than 50 million

Note-taking and archiving service lost email addresses, usernames, and encrypted passwords to data breach. Left users vulnerable to spam emails and phishing campaigns, and further attempts at obtaining user passwords through phishing.

Monetary cost of breach: Experts estimate that Evernote spent “many millions of dollars” in expenses following the breach.

 

15. Living Social
Year of breach: 2013
Number of records affected: More than 50 million

Daily-deals site lost the names, email addresses, birth dates, and encrypted passwords of more than 50 million customers worldwide.

Monetary cost of breach: Unknown.

 

16. TJX Companies Inc.
Year of breach: 2006-2007
Number of records affected: Around 46 million

Parent company of major retail brands such as Marshalls, T.J. Maxx, and HomeGoods. At least 45.6 million credit and debit card numbers were stolen over an 18-month period, but estimates put the number closer to 90 million. About 450,000 TJX customers were affected by the loss of PII, including driver’s license numbers.

Monetary cost of breach: Costs have ballooned to $256 million.

 

17. RSA Security
Year of breach: 2011
Number of records affected: 40 million

Breach allowed hackers to steal information on the company’s SecurID authentication tokens.

Monetary cost of breach: $66 million on remediation.

 

18. Sony Pictures Entertainment
Year of breach: 2014
Number of records affected: Everything

Movie and television production division of Sony was held ransom when hackers threatened to release everything the company had on file. The cyber criminals exposed the social security numbers and scanned passports of actors and executives, unpublished scripts, marketing plans, internal passwords, legal and financial information, and four entire unreleased Sony films. 6,800 employees and an estimated 40,000 more faced potential identity theft. Rival Hollywood studios received detailed blueprints of Sony Pictures’ accounts, future plans, and internal workings.

Monetary cost of breach: Upwards of $35 million.

 

19. CardSystems Solutions
Year of breach: 2005
Number of records affected: 40 million

An attack on the company’s database exposed names, account numbers, and verification codes of more than 40 million card holders for Visa, MasterCard, and American Express. The hackers exploited the weakness of the system’s encryption.

Monetary cost of breach: Unknown, but company was forced into acquisition following the breach.

 

20. Adobe
Year of breach: 2013
Number of records affected: 38 million

In addition to nearly 3 million encrypted customer credit card records, approximately 38 million encrypted passwords and Adobe IDs of active Adobe users were taken by cyber criminals.

Monetary cost of breach: $1.1 million in attorney fees and an undisclosed sum to victims of the breach.

 

21. Zappos
Year of breach: 2012
Number of records affected: 38 million

Customer names, home and email addresses, phone numbers, the last four digits of credit card numbers, and encrypted passwords were taken by hackers.

Monetary cost of breach: $106,000.

 

22. AshleyMadison.com
Year of breach: 2015
Number of records affected: 37 million

The company’s user databases, financial records, and other proprietary information were compromised by hackers.

Monetary cost of breach: Unknown, but costs incurred in the UK alone could go up to 1.2 billion depending on filed suits.

 

23. Valve Corporation
Year of breach: 2011
Number of records affected: 35 million

Hackers gained access to user names, hashed and salted passwords, game purchases, email addresses, billing addresses, and encrypted credit card information. Valve was uncertain whether breach affected all active accounts or just a portion.

Monetary cost of breach: Unknown.

 

24. ESTsoft
Year of breach: 2011
Number of records affected: 35 million

Malware uploaded to company server resulted in the loss of names, user IDs, hashed passwords, birthdates, genders, telephone numbers, and home and email addresses. Considered South Korea’s biggest theft of information in history.

Monetary cost of breach: Unknown.

 

25. Department of Veterans Affairs
Year of breach: 2006
Number of records affected: 26.5 million

An unencrypted national database with names, social security numbers, dates of birth, and disability ratings for veterans, active-duty military personnel, and their spouses was obtained through a data breach.

Monetary cost of breach: Cost is anywhere from $100-$500 million for prevention and coverage of possible losses from the theft.

 

26. Office of Personnel Management
Year of breach: 2015
Number of records affected: Over 25 million

Over the course of two separate breaches, the records of 21.5 million federal workers and 4.2 million individuals fell into the hands of hackers. Personal information, background checks, names and addresses, and fingerprints were among the data obtained by Chinese hackers during the breaches.

Monetary cost of breach: Full dollar cost unknown, estimated to be within the range of $900 million.

 

27. Korea Credit Bureau
Year of breach: 2014
Number of records affected: 20 million

An employee was found responsible for the theft of at least 20 million bank and credit cards from three different credit card firms in South Korea. The stolen data included customer names, social security numbers, phone numbers, credit card numbers, and expiration dates.

Monetary cost of breach: Unknown.

 

28. Experian / T-Mobile
Year of breach: 2015
Number of records affected: 15 million

Breached data included names, addresses, birth dates, Social Security numbers, driver’s license numbers, and passport numbers of T-Mobile applicants.

Monetary cost of breach: Unknown.

 

29. Premera BlueCross BlueShield
Year of breach: 2015
Number of records affected: 11.2 million

The breach exposed subscriber data, which included names, birth dates, social security numbers, bank account information, addresses, and other information.

Monetary cost of breach: Unknown.

 

30. Data Processors International
Year of breach: 2003
Number of records affected: Up to 8 million

A hacker obtained access to information on as many as 8 million credit card accounts across Visa, MasterCard, Amex, and Discover.

Monetary cost of breach: Unknown.

 

31. VTech
Year of breach: 2015
Number of records affected: 6.4 million

The company’s Learning Lodge app store database had been compromised, exposing the names, email and home addresses, and passwords of parents who had used or authorized use of the app store. This information makes it possible to link children to their parents, gaining access to their identities and personal information as well. The hacker responsible claimed they did not intend to do anything with the information.

Monetary cost of breach: Unknown.

 

32. Facebook
Year of breach: 2013
Number of records affected: 6 million

While using the social media site’s ‘download your information’ tool, users were able to inadvertently download phone numbers and email addresses of users they were friends with or had some connection to—information that was otherwise intended to remain private.

Monetary cost of breach: Unknown.

 

33. SnapChat
Year of breach: 2013
Number of records affected: 4.7 million

Hackers discovered an exploit in the smartphone photo and chat app that allowed them to access the user details, including phone numbers, of 4.7 million users.

Monetary cost of breach: Unknown.

 

34. Ubuntu
Year of breach: 2013
Number of records affected: 2 million

Hackers gained access to email addresses and password data of Ubuntu forum users due to a weak password encryption algorithm.

Monetary cost of breach: Unknown.

 

35. Staples
Year of breach: 2014
Number of records affected: 1.16 million

A breach that affected more than 100 stores belonging to the office-supply retailer may have had 1.16 million customer payment cards hacked. The incident was traced back to a malware infection of the chain’s point-of-sale systems.

Monetary cost of breach: Unknown.

 

36. Global Payments
Year of breach: 2012
Number of records affected: 1.5 million

Credit and debit card information from major credit card brands Visa and MasterCard was compromised at the payments processing firm, which detected unauthorized access to its servers.

Monetary cost of breach: $84.4 million.

 

37. Gawker Media
Year of breach: 2010
Number of records affected: 1.3 million

Hacker group exploited weak password storage and compromised email addresses and passwords of commenters on blogs such as Lifehacker, Jezebel, and Gizmodo. The source code for Gawker’s custom content management system was also stolen.

Monetary cost of breach: Unknown.

 

38. CareFirst BlueCross BlueShield
Year of breach: 2015
Number of records affected: 1.1 million

Names, birth dates, email addresses, and subscriber information were stolen by hackers. Member password encryption prevented the perpetrators from gaining access to any other personally identifying information, such as social security numbers, medical claims, or financial data.

Monetary cost of breach: Unknown.

 

39. Utah Department of Technology Services
Year of breach: 2012
Number of records affected: 780,000

A European hacker exploited a weak password and broke into the Utah Department of Technology Services where the social security numbers for Medicaid claims were stored.

Monetary cost of breach: Potentially upwards of $406 million.

 

40. New York Taxis
Year of breach: 2014
Number of records affected: 52,000

Data on 173 million individual taxi journeys was released in response to a freedom of information request, unintentionally revealing driver IDs, pickup and drop-off times, and GPS routes. Poor anonymization was to blame for the info leak.

Monetary cost of breach: Unknown.

 

Preparation to secure a business and customers

Many companies simply don’t utilize the proper measures to maintain the confidentiality of business and client information. Paired with a poor response time, targeted businesses seldom succeed in alleviating the concerns of victims who are most often their customers.

Securing your data, having loss-prevention plans in place, and following safer network security practices—such as consulting IT security firms—can turn a devastating data breach into a manageable problem with minimal casualties. If the above 40 data breaches demonstrate anything, it’s that the cost of handling cyber-attacks can be incalculable.

From millions of dollars spent on litigation and IT fees, to a steep drop in revenue and resigning CEOs, a data breach has no definitive cost or solution. Only preparedness can mitigate the damage potential of an attack. Without a proactive strategy at your disposal, your company could become the next target for cyber criminals looking to make their payday.

In addition, ensuring that your business information is protected can mean updating visitor management and access with higher standards. In today’s environment, a simple visitor or access log isn’t enough to prevent the wrong people from getting sensitive information; Acuant solutions provide the opportunity to efficiently register and manage visitors, verify identification, and allow secure access by authorized individuals.