What Are The Biggest Data Breaches in History?
Some of the biggest data breaches in history have involved Fortune 500 companies including Microsoft, Home Depot, JPMorgan Chase, Facebook and Target. Virtually no large company has been immune to data breaches. Inadequate cyber security over the last ten years has cost businesses billions of dollars and left consumers vulnerable to financial crime.
Corporations across industries use data to build and leverage their products and services. In the absence of strict security and compliance, their massive amounts of data can be vulnerable to cyberattacks. Types of data breaches seeking access to sensitive data include ransomware, phishing and malware.
Hackers stole account and personal information impacting 3 billion user accounts in 2013, though hackers did not get credit card and bank account data. At the time, it was the largest-ever disclosed data breach.
Another attack took place in 2014, which was believed to be state-sponsored and led to charges against Russian government agents and a Canadian hacker. The second breach affected 500 million accounts, but wasn’t discovered until 2016. The company’s top lawyer resigned and then CEO Marissa Meyer lost millions in bonuses after a board investigation found the company failed to act on prior indications of the breach. These data breaches are still considered the largest discovered in the internet’s history.
Two separate data breaches took place in 2021. One of the attacks that year is considered one of the largest possible data leaks in recent history. The personal data of 38 million users was accidentally leaked because of a flaw in Microsoft’s Power Apps software.
The other attack is attributed to Chinese hackers. Around 30,000 customers and 60,000 companies globally were affected when hackers exploited holes in the Exchange, Microsoft’s popular mail and calendar server. Hackers stole emails and were then able to install malware to continue surveillance of their targets in attacks that occurred over several months or years.
Because of the massive amount of information stolen from small- and medium-sized American businesses, experts believe that the goal of Chinese hackers isn’t financial or espionage but to gather and aggregate as much data as possible. But the reason for this remains unknown.
First American Financial Corp.
Title insurance provider First American announced in 2019 a fix to a vulnerability in its website. The vulnerability exposed 885 million records related to mortgages over a 16-year period. Anyone could gain access to personal information, including bank account details, mortgage and tax records, social security numbers and driver’s licenses.
The company is party to the buyer and lender sides of real estate transactions across the country. It’s not known how much, if any, data was stolen. However, First American paid $490,000 in a settlement with the Securities and Exchange Commission for its lack of disclosure controls and procedures relating to cybersecurity, a breach of the disclosure provisions of the Exchange Act.
A user in a low-level hacking forum published the personal data of more than 530 million Facebook users from 106 countries in 2021. Although the data was a couple of years old because of a vulnerability patched in 2019, it was the type of data that criminals would use to perform social engineering or hacking attempts. Ireland’s Data Protection Commission imposed a fine of €265 million ($276 million) and corrective measures in relation to the breach.
Cambridge Analytica used information taken without authority from Facebook to build a system to profile individual U.S. voters in 2014 to target them with personalized political ads. Former President Donald Trump advisor Steve Bannon was vice president of Cambridge Analytica at the time.
Starwood Hotels group, which Marriott acquired in 2016, was attacked in 2014. Names, contact details, passport information and loyalty program numbers of guest records of customers in the U.K. were compromised. The attack continued until 2018, when Marriott first noticed the problem and acted quickly to improve its systems.
Marriott has experienced seven data breaches since 2010, including a 2015 credit card breach from malware on its point-of-sale systems. These attacks have resulted in millions of fines and a $100 million class action lawsuit.
The U.K. Information Commissioner’s Office fined the hotel chain €18.4 million for the 2014 data breach. At that time, the breach affected an estimated 500 million people. In 2022, in yet another breach, hackers tried to blackmail the hotel after obtaining 20GB of data from a hotel server, but the hotel refused to pay.
Florida-based marketing and data aggregation firm Exactis exposed a database with nearly 340 million records on a publicly accessible server in 2018. The entirely accessible and unsecured database contained personal information such as phone numbers and emails, as well as children’s ages, gender and interests. Financial information and security numbers were not shared. Experts note scammers can use this type of information to impersonate individuals.
Lawsuits were filed in response to Exactis’ massive data breach, which exposed 110 million business contacts and 200 million consumers. As of 2023, no decision or settlement has been reached regarding the breach.
Equifax, one of three major credit reporting agencies, discovered unauthorized access in 2017. Hackers gained access to the confidential information of 147 million consumers. The information included names, birthdates, social security numbers, drivers’ licenses and credit card numbers. Although experts began searching for the data, it never appeared, leading them to conclude that Chinese state-sponsored hackers carried out the breach for the purpose of espionage.
Multiple lawsuits were filed in relation to the breach. In 2019, Equifax settled with the Federal Trade Commission, the Consumer Financial Protection Bureau and all U.S. states and territories. As part of the settlement, affected consumers had the option to sign up for free credit monitoring with all three of the major credit reporting firms or receive $125.00.
Other Notable Data Breaches
Since the 2013 data breach of Target, many other companies have experienced similar breaches. Companies often continue to blame employees or third parties for corporate security failures, and some fail to disclose breaches publicly.
In 2022, hackers phished an employee at games giant Activision, gaining access to internal employee and corporate data. However, management did not disclose the breach to employees because no sensitive data had been accessed, according to the company. GoDaddy revealed a multi-year breach that redirected customers’ website URLs to malicious domains. The breach was only made public in 2022 via a corporate filing with the U.S. Securities and Exchange Commission.
Governments are warning of Chinese state-sponsored actors targeting Europe and the U.S. One high-profile example is the scrutiny of social media giant TikTok and its parent, Byte Dance, which has been accused of aggressive data harvesting.
In 2021, the data of more than 700 million LinkedIn users was posted for sale on the dark web, including emails, usernames, phone numbers, social media accounts and other work-related details. LinkedIn denies that the actions constituted a breach, arguing it is merely a result of too much publicly available information.
Since then, hackers have put other collections of information from LinkedIn databases on sale on the dark web. Experts warn threat actors may target LinkedIn users via phishing attacks, spamming and “brute forcing” attacks, which involves trying different variations of passwords until they guess the correct one.
Capital One bank determined someone gained unauthorized access and stole files in 2019. The files contained more than 100,000 social security numbers, 80,000 bank account numbers and the personally identifiable information of customers and credit card applicants.
The FBI successfully identified the individual responsible. Paige Thompson, a former Amazon employee, was convicted and sentenced to time served and five years of probation in 2022. Because of the data breach, which related to server firewall vulnerabilities, the U.S. Treasury Department fined Capital One $80 million. The company also settled lawsuits with customers for $190 million.
A Latvian computer programmer was sentenced to 14 years in prison for designing a program used in the 2013 Target breach, in which the personal and financial data of 110 million Target customers was stolen. The program helped hackers improve malware against antivirus programs.
The scale of Target’s negligence in failing to respond to multiple warnings from its security software and the magnitude of the data loss was so significant, businesses, organizations and governments re-evaluated their security practices and regulatory frameworks. Since then, many companies have adopted best practices regarding cybersecurity, including staff training.
A cyberattack on JPMorgan Chase in 2014 breached the accounts of 7 million small businesses and 76 million households, making it one of the largest attacks of its time. The attack began in June but wasn’t discovered until July.
Overseas hackers’ successful attack on JPMorgan spotlighted the vulnerability of banks. JPMorgan, however, said there was no evidence that social security numbers or passwords had been stolen, nor was there fraud involving customer information.
Criminals using a vendor’s stolen login credentials hacked Home Depot, the world’s largest home improvement retailer, in 2014. Once on Home Depot’s network, the hackers installed malware on self-checkout registers that stole customer payment card data and email addresses.
The breach went undetected for several months and cost $62 million. It allowed criminals to obtain data from more than 50 million credit and debit cards and 70 million customer emails.
The adult FriendFinder Network dating and entertainment site was hacked in 2015 and 2016, exposing information about 412 million accounts. Unprotected user passwords and other security failures also led to hacks of the company’s network of other sites.
The data stretched over 20 years and included email usernames and visit dates. The FriendFinder network breach was the largest industry hack, including the Ashley Madison hack that impacted 36 million users.
Anthem, one of the nation’s largest health insurers, was the subject of a cyberattack in 2015. As many as 80 million records of customers and employees were breached. Names, birthdays, addresses and social security numbers were accessed. It remains the largest breach of healthcare information to date, though the company claimed no medical or credit card information was stolen.
According to experts, Anthem didn’t take basic security steps, such as protecting its data via encryption. Class action lawsuits relating to the breach were filed. In 2015 Anthem paid class members in the form of credit monitoring or cash equivalent and reimbursement for costs.
Data Breaches Settlement Amounts
Some of the biggest and most notable settlements have been agreements reached with states and federal agencies. The government has levied fines against a number of companies over the years for their security failures that led to data breaches. Some companies have also faced fines and penalties from other governments.
- Anthem: Agreed to pay $16 million to the U.S. Department of Health and Human Services and take corrective actions. The company also paid a multi-state coalition $39.5 million in penalties and fees.
- Equifax: Agreed to a global settlement with the U.S. Federal Tax Commission, the Consumer Financial Protection Bureau and 50 U.S. states and territories for an amount up to $425 million.
- Facebook: Agreed to pay a £500,000 ($643,000) fine under the Data Protection Act 1998 to the U.K.’s Information Commissioner’s Office for its role in the Cambridge Analytica scandal, though it admitted no liability.
- First American Financial Corporation: A civil penalty of $487,616 was paid to the U.S. Securities and Exchange Commission for violation of the Exchange Act.
- Marriott International, Inc.: The U.K.’s Information Commissioner’s Office fined the company £18.4 million ($23.9 million) for a data breach that began in 2014.
- Target: Paid $18.5 million to 47 states over its 2013 cyberattack
Companies and individuals have also filed many data breach class action lawsuits. For example, in addition to Marriott’s government fine, Marriott lawsuits stemming from stolen data are ongoing. Settlement and verdicts from data breach lawsuits include:
- Capital One: The company has paid $190 million into a settlement fund to compensate plaintiffs.
- Equifax: The company settled and plaintiffs are eligible for payments for out-of-pocket losses, time spent and other cash benefits from the $425 million restitution fund.
- Facebook: Meta Platforms paid $725 million to settle a class action lawsuit seeking damages for allowing third parties, including Cambridge Analytica, to access user data.
- Home Depot: The retailer settled a multi state lawsuit for $17.5 million, which included injunctive terms to tighten information security program.
- Target: Ending a class action lawsuit, a $13 million settlement fund was established with $10,000 to individual consumers with documented losses from the data breach.
Individuals receiving settlements in data breach lawsuits may be customers, employees or others the breach may have impacted. Data breaches continue to make headlines and impact companies and individuals globally. An experienced lawyer can help people navigate the complexities of filing a case, successfully settling or taking the case to trial.
50 Cited Research Articles
Consumernotice.org adheres to the highest ethical standards for content production and references only credible sources of information, including government reports, interviews with experts, highly regarded nonprofit organizations, peer-reviewed journals, court records and academic organizations. You can learn more about our dedication to relevance, accuracy and transparency by reading our editorial policy.
- Segal, A. (2023, February 24). Cyber Week in Review: February 24, 2023. Retrieved from https://www.cfr.org/blog/cyber-week-review-february-24-2023
- Franceschi-Bicchierai, L. (2023, February 21). Activision did not notify employees of data breach for months. Retrieved from https://techcrunch.com/2023/02/21/activision-did-not-notify-employees-of-data-breach-for-months/
- Goodin, D. (2023, February 17). GoDaddy says a multi-year breach hijacked customer websites and accounts. Retrieved from https://arstechnica.com/information-technology/2023/02/godaddy-says-a-multi-year-breach-hijacked-customer-websites-and-accounts/
- O’Brien, S. (2022, December 28). Consumers are getting payments from Equifax data breach settlement. Here’s what to expect if you filed a claim. Retrieved from https://www.cnbc.com/2022/12/28/payments-from-equifax-settlement-over-2017-data-breach-are-going-out.html
- Federal Trade Commission. (2022, December). Equifax Data Breach Settlement. Retrieved from https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement
- Schechner, S. (2022, November 28). Facebook Parent Meta Fined $276 Million in Europe for Data-Scraping Leak. Retrieved from https://www.wsj.com/articles/facebook-parent-meta-fined-276-million-in-europe-for-data-scraping-leak-11669640402
- Data Protection Commission. (2022, November 28). Data Protection Commission announces decision in Facebook “Data Scraping” Inquiry. Retrieved from https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-in-facebook-data-scraping-inquiry
- Garfinkle, M. (2022, July 7). Marriott Just Got Hit By Another Data Breach—For At Least the 7th Time Since 2010. Retrieved from https://www.entrepreneur.com/business-news/marriotts-been-hacked-7-times-see-data-breach-details/430988
- Waldman, A. (2022, June 20). Paige Thompson found guilty in 2019 Capital One data breach. Retrieved from https://www.techtarget.com/searchsecurity/news/252521775/Paige-Thompson-found-guilty-in-2019-Capital-One-data-breach
- Anthem. (2022, May 24). Member Notice. Retrieved from https://www.anthem.com/ca/substitutenotice/
- Capital One. (2022, April 22). Information on the Capital One cyber incident. Retrieved from https://www.capitalone.com/digital/facts2019/
- Hartzgog, W. & Solove, D. (2022, April 13). We Still Haven’t Learned the Major Lesson of the 2013 Target Hack. Retrieved from https://slate.com/technology/2022/04/breached-excerpt-hartzog-solove-target.html
- Seattle Times Staff & News Services. (2021. December 23). Capital One to pay $190 Million settlement in data breach linked to Seattle woman. Retrieved from https://www.seattletimes.com/business/capital-one-to-pay-190m-settlement-in-data-breach-linked-to-seattle-woman/
- Conger, K. & Frenkel, S. (2021, October 6). Thousands of Microsoft Customers May Have Been Victims of Hack Tied to China. Retrieved from https://www.nytimes.com/2021/03/06/technology/microsoft-hack-china.html
- Nasdaq RTT News. (2021, August 25). Microsoft Data Breach Exposed 38 Million User Information. Retrieved from https://www.nasdaq.com/articles/microsoft-data-breach-exposed-38-million-user-information-2021-08-25
- Mehrotra, K. & Bloomberg. (2021, August 4). Microsoft Exchange was used to hack diplomats long before 2021 cyber attack. Retrieved from https://fortune.com/2021/08/04/microsoft-exchange-cyber-attack-diplomats-china/
- Morris, C. (2021, June 30). Massive data leak exposes 700 million LinkedIn users’ information. Retrieved from https://fortune.com/2021/06/30/linkedin-data-theft-700-million-users-personal-information-cybersecurity/
- Brockner, E. (2021, June 30). LinkedIn’s June 2021 ‘Breach.’ Retrieved from https://www.linkedin.com/pulse/linkedins-june-2021-breach-edwin-brockner-cipm
- Frankel, A. (2021, June 18). SEC’s First American settlement signals new corporate cyber disclosure risk. Retrieved from https://www.reuters.com/legal/litigation/secs-first-american-settlement-signals-new-corporate-cyber-disclosure-risk-2021-06-18/
- Securities and Exchange Commission. (2021, June 14). In the Matter of First American Financial Corporation. Retrieved from https://www.sec.gov/litigation/admin/2021/34-92176.pdf
- Bowman, E. (2021, April 9). After Data Breach Exposes 530 Million, Facebook Says It Will Not Notify Users. Retrieved from https://www.npr.org/2021/04/09/986005820/after-data-breach-exposes-530-million-facebook-says-it-will-not-notify-users
- Holland, J. (2021, April 9). Home Depot Says Insurers Owe Tens of Millions Following Breach. Retrieved from https://news.bloomberglaw.com/privacy-and-data-security/home-depot-says-insurers-owe-tens-of-millions-following-breach
- Holmes, A. (2021, April 3). 533 million Facebook users’ phone nmbers and personal data have been leaked online. Retrieved from https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4
- State of California Department of Justice. (2020, November 24). Attorney General Becerra Announces $17.5 Million Settlement Against Home Depot Over Credit Card Data Breach. Retrieved from https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-175-million-settlement-against-home-depot
- Tidy, J. (2020, October 30). Marriott Hotels fined €18.4m for data breach that hit millions. Retrieved from https://www.bbc.com/news/technology-54748843
- U.S. Department of Health & Human Services. (2020, August 6). Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History. Retrieved from https://www.hhs.gov/guidance/document/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-us-health-data-breach
- New York State Department of Financial Services. (2020, July 22). Department Of Financial Services Announces Cybersecurity Charges Against A Leading Title Insurance Provider For Exposing Millions Of Documents With Consumers' Personal Information. Retrieved from https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202007221
- Zialcita, P. (2019, October 30). Facebook Pays $643,000 Fine For Role In Cambridge Analytica Scandal. Retrieved from https://www.npr.org/2019/10/30/774749376/facebook-pays-643-000-fine-for-role-in-cambridge-analytica-scandal
- McLean, R. (2019, July 30). A hacker gained access to 100 million Capital One credit card applications and accounts. Retrieved from https://www.cnn.com/2019/07/29/business/capital-one-data-breach/index.html
- Newman, L.H. (2019, May 24). Hack Brief: 885 Million Sensitive Financial Records Exposed Online. Retrieved from https://www.wired.com/story/first-american-data-exposed/
- Al-Heeti, A. (2018, June 28). Exactis said to have exposed 340 million records, more than Equifax breach. Retrieved from https://www.cnet.com/news/privacy/exactis-340-million-people-may-have-been-exposed-in-bigger-breach-than-equifax/
- Bloomberg Law. (2018, June 29). Data Company Hit with Class Claims for Security Breach. Retrieved from https://news.bloomberglaw.com/class-action/data-company-hit-with-class-claims-for-security-breach
- Greenberg, A. (2018, June 27). Marketing Firm Exactis Leaked a Personal Info Database with 340 Million Records. Retrieved from https://www.wired.com/story/exactis-database-leak-340-million-records/
- Confessore, N. (2018, April 4). Cambridge Analytica and Facebook: The Scandal and Fallout So Far. Retrieved from https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html
- Cadwalladr, C. & Graham-Harrison, E. (2018, March 17). Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach. Retrieved from https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election
- Massachusetts Office of Consumer Affairs and Business Regulation. (2018, March 12). Marriott’s Starwood Hotels Have Suffered a Major Data Breach. Retrieved from https://www.mass.gov/news/marriotts-starwood-hotels-have-suffered-a-major-data-breach
- National Cyber Security Centre. (2017, October 3). Yahoo data breach: NCSC response. Retrieved from https://www.ncsc.gov.uk/news/yahoo-data-breach-ncsc-response
- Perlroth, N. (2017, October 3). All 3 Billion Yahoo Accounts Were Affected by 2013 Attack. Retrieved from https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html
- Selyuckh, A. (2017, October 3). Every Yahoo Account That Existed In Mid-2013 Was Likely Hacked. Retrieved from https://www.npr.org/sections/thetwo-way/2017/10/03/555016024/every-yahoo-account-that-existed-in-mid-2013-was-likely-hacked
- McCoy, K. (2017, May 23). Target to pay $18.5 M for 2013 data breach that affected 41 million consumers. Retrieved from https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/
- BBC. (2016, November 14). Up to 400 million accounts in Adult Friend Finder breach. Retrieved from https://www.bbc.com/news/technology-37974266
- Dickey, M.R. (2016, November 13). FriendFinder Networks hack reportedly exposed over 412 million accounts. Retrieved from https://techcrunch.com/2016/11/13/friendfinder-hack-412-million-accounts-breached/
- Manworren, N., Oetwat, J. & Daily, O. (2016, May-June). Why you should care about the Target data breach. Retrieved from https://www.sciencedirect.com/science/article/abs/pii/S0007681316000033
- Abelson, R. & Goldstein, M. (2015, May 2). Millions of Anthem Customers Targeted in Cyberattack. Retrieved from https://www.nytimes.com/2015/02/05/business/hackers-breached-data-of-millions-insurer-says.html
- Reuters Staff. (2014, December 22). JPMorgan data breach entry point identified: NYT. Retrieved from https://www.reuters.com/article/us-jpmorgan-cybersecurity/jpmorgan-data-breach-entry-point-identified-nyt-idUSKBN0K105R20141223
- Home Depot. (2014, November 6). The Home Depot Reports Findings in Payment Data Breach Investigation. Retrieved from https://ir.homedepot.com/news-releases/2014/11-06-2014-014517315
- Silver-Greenberg, J. Goldstein, M. & Perlroth, N. (2014, October 2). JPMorgan Chase Hacking Affects 76 Million Households. Retrieved from https://archive.nytimes.com/dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/
- CNBC & Reuters. (2014, September 9). Home Depot confirms data breach. Retrieved from https://www.cnbc.com/2014/09/08/home-depot-confirms-data-breach.html
- Consumer Financial Protection Bureau. (n.d.) Equifax data breach settlement. Retrieved from https://www.consumerfinance.gov/equifax-settlement/
- Li, A., Harvey, J. & Mathur, Y. (n.d.) Marriott Data Breach. Retrieved from https://www3.cs.stonybrook.edu/~ise331/Slides/Marriott%20Data%20Breach.pdf