With a history of almost 9,000 US data breaches over the last 12 years, it’s a safe bet that any electronic information relating to you is either at risk or has already been compromised at least once. As James Comey, the former director of the FBI, puts it, “there are two kinds of companies. Those that have been hacked and those that don’t know yet that they’ve been hacked.”

The need for online privacy and anonymity grows with every breach that occurs, and there does not appear to be any end in sight. Every corporation is gathering intel on their customers, clients, and even random people. Large corporations invest billions of dollars every year on data gathering systems, database technologies to store it all, expensive servers with massive amounts of storage, and data analysts to make sense of it.

It’s not just a game for businesses. Intelligence agencies the world over gather and try to make sense of information as their primary agenda. The unfortunate irony here is that many companies seem to lack concern over keeping that information safe and out of the hands of others once they have it. If it does fall into the wrong hands, there are various potential repercussions for those involved, including increased risk of falling victim to crimes such as spear phishing schemes, ransomware attacks, and identity theft.

The list below shows an annual breakdown of the largest of these data breaches, with a minimum of 10 million records at risk of being exposed to unauthorized persons. Note that the total number of reported breaches cited refers to breaches involving US companies or that have affected US customers.

Data breaches by year

2019

2019 is proving to be a big year for data breaches, with several breaches already exposing hundreds of millions of victims worldwide. A large amount of attention this year appears to be directed at major dumps of collected and assembled personal data, sold in massive files on the dark web.

Capital One Bank

Breach size: 106M

On July 29, Capital One Bank announced that it experienced a massive data breach that occurred sometime between March and July. The breach exposed 100 million customers in the US and 6 million customers in Canada. Although the breached data was mostly contained to names, addresses, phone numbers, and credit scores, some 140,000 customers in Canada had Social Insurance Numbers exposed, while 80,000 US customers had linked bank account numbers exposed.

By the time of its reporting, the culprit, 33-year-old software engineer Paige Adele Thompson, had been apprehended by the Federal Bureau of Investigation. Thompson reportedly posted about the breach on GitHub and bragged about it on Twitter and the Slack chat app. Thompson appears to have stolen the data from a Capital One server hosted by Amazon Web Services.

Dropbox, LinkedIn, and others

Breach size: 2.2B

Hackers have collected, passed around, and dumped over 2.2 billion stolen records from a large number of websites, including Dropbox and LinkedIn. It appears this data has been gathered and combined for several years and is now being dumped on the dark web for sale. The first of these dumps of stolen data, called Collection #1, includes usernames and passwords.

Evite, MindJolt, Wanelo, and More

Breach size: 1B

A hacker by the name “Gnosticplayers” has unloaded nearly 1 billion user records in the first few months of 2019. Information includes user names, email addresses, IP addresses, and passwords from several websites, including Evite, MindJolt, and Wanelo, among several others.

First American

Breach size: 900M

Insurance company First American left 900 million sensitive customer files exposed for over 2 years. The exposed information includes bank account numbers, bank account statements, Social Security numbers, driver’s license images, and more, amounting to more than enough information to successfully steal identities and money from victims. It is unclear if any of the exposed data was illicitly accessed.

Dubsmash, MyFitnessPal, MyHeritage, and More

Breach size: 600M

A hacker successfully sold over 600 million records from multiple sites on the dark web for $20,000 in Bitcoin. Records came from multiple companies and websites, including Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), and others.

Facebook

Breach size: 540M

Two misconfigured Amazon AWS servers exposed over 540 million Facebook users’ account information. One was owned by Mexican company Cultura Colectiva and left Facebook IDs and comments vulnerable. The second server, owned by the “At the Pool” Facebook game, exposed even more sensitive information, including some plain-text passwords, photos, check-ins, likes, and interests, among other data.

Mountberg Limited

Breach size: 100M

In January, an online gambling group exposed over 100 million user bets and other user details. An unsecured ElasticSearch instance on the company’s server revealed user details such as bet amounts and withdrawals.

Unknown Owner

Breach size: 80M

Researchers found an unsecured database containing personal information on over 80 million US households and families. The leaked information includes addresses, approximate geographic location via longitude and latitude, ages, birthdates, income, marital status, homeowner status, dwelling type, and more.

LinkedIn

Breach size: 60M

A security researcher found multiple databases that appeared to leak over 60 million LinkedIn customers’ information. While LinkedIn reported it is not their database, it appears the leaked database may contain publicly available profile data, scraped from the site by a third party.

Facebook

Breach size: 49M

Weak security in an Amazon Web Services server left millions of Instagram accounts exposed. Owned by India-based social media marketing company Chtrbox, the locations and private contact information of over 49 million Instagram “influencers” were readily available. The accounts also include how much each influencer account was worth based on several metrics, including the number of followers and engagement.

Instagram

Breach size: 14M

A cybersecurity researcher using the Shodan service found over 14 million Instagram account details, including profile names, links to profile pictures, and other information, on an unsecured server based in the UK. It was unclear who owns the server or is gathering the data.

Ladders 

Breach size: 13M

An unprotected AWS ElasticSearch database for the job site Ladders exposed 13 million user accounts and profiles. Job seeker information, such as names, email addresses, phone numbers, geolocation, current and desired salaries, employment history, and US H1-B visa status was exposed. Employers’ and recruiters’ personal information on the site was exposed as well.

Quest Diagnostics

Breach size: 11.9M

In June, the American Medical Collection Agency, a medical billing and coding service provider, reported its payment page for Quest Diagnostics was breached. Nearly 12 million customer medical and financial records were exposed. The breach lasted between August 22 and March 30. The payment portal was taken down and migrated to a third party in response.

US Customs Border Patrol

Breach size: Unknown (following)

In June, the US Customs Border Patrol reported that an undisclosed amount of biometric data had been stolen from a federal subcontractor. The data included license plate images and ID photos of travelers passing into and out of the United States. CBP reported that the unnamed subcontractor transferred this data from government servers to its own servers without permission, where the data was then stolen following a hack.

2018

In 2018, 700 reported breaches occurred, with 11 of them involving more than 10 million records.

Marriott International

Breach size: 500M

Up to 500 million Marriott International guests may have been involved in this massive breach that began in 2014. More than 320 million customers’ data was breached, including names, addresses, and passport numbers, prompting many angry guests to demand that Marriott pay for the issue of new passports.

Exactis

Breach size: 340M

In June 2018, marketing and data aggregation firm, Exactis, leaked almost 340 million records onto a server that could be accessed by the public. Information on individuals and businesses was involved, including phone numbers, home addresses, and email addresses.

Under Armour

Breach size: 150M

An estimated 150 million users of Under Armour’s food and nutrition app, MyFitnessPal, may have had their information exposed. Data involved in the leak is thought to include email addresses, usernames, and hashed passwords.

MindBody – FitMetrix

Breach size: 113M

Fitness software FitMetrix — which was acquired by MindBody earlier in 2018 — was involved in a breach that affected more than 113 million records, though the number of users this correlates to is unknown. The breach was discovered by a security researcher who found that three of FitMetrix’s servers were unprotected and leaking data.

Facebook

Breach size: 50M

In September 2018, a data security breach was discovered in the form of a bug that allowed attackers to take over control of people’s Facebook accounts. 50 million accounts were known to have been affected, but up to 40 million more could have been involved.

Facebook (Cambridge Analytica)

Breach size: 50M

Prior to the above breach, the Cambridge Analytica scandal had come to light. The data analysis firm had accessed and stored the personal data of 50 million Facebook users via a third-party researcher. The acquisition of the data violated Facebook’s terms of service, and as such, represented a massive breach of user information.

Localblox

Breach size: 48M

Localblox is similar to Cambridge Analytica in that it scrapes information from publicly accessible sources to create profiles. It stored data on an unsecured container, a fact discovered by UpGuard, a cybersecurity research firm. As many as 48 million user profiles were being stored without a password, and although Localblox took immediate action, it’s unclear if anyone else accessed the 1.2 TB of data in the meantime.

Chegg

Breach size: 40M

40 million users of textbook rental and tutorial company, Chegg, and its family of brands were informed in September 2018 that their personal data may have been exposed to an unauthorized party which gained access to a company database. Leaked information included names, passwords, email addresses, and shipping addresses.

Ticketfly

Breach size: 27M

A malicious cyber attack led to the personal information of around 27 million Ticketfly account holders being accessed. Customers’ data that was breached included names, addresses, email addresses, and phone numbers.

The Sacramento Bee

Breach size: 19M

After the company left more than 19 million voter records exposed online by failing to restore a protective firewall to its server, a ransomware attack was launched by malicious hackers. The newspaper refused to pay the ransom and notified voters of the breach.

SaverSpy

Breach size: 11M

In September 2018, the details of almost 11 million users were leaked from an e-marketing company database due to an unsecured server. Names, email addresses, gender details, and physical addresses were reportedly involved. The database was thought to have belonged to a company named SaverSpy.

2017

There were reportedly 853 breaches in 2017, with nine of them making the list.

River City Media

Breach size: 1.37B

A massive database of over 1.37 billion email addresses was exposed due to an improperly configured backup. Some of those records contained extra details like names, physical addresses, and IP addresses. The leak also exposed River City Media’s entire operation, including details like business plans, Hipchat logs, accounts, and more. River City Media is one of the largest providers of spam in the world, according to the news report.

Deep Root Analytics

Breach size: 198M

A database containing political information on over 198 million US voters was discovered on an Amazon cloud storage system without any form of password protection. The Republican National Committee hired Deep Root Analytics to compile and analyze the data consisting of names, dates of birth, home addresses, phone numbers, and voter registrations. Deep Root Analytics has since taken full responsibility for the breach and implemented improved data security measures.

Equifax

Breach size: 145M

More than 145 million records, including social security numbers, credit card numbers, driver’s license numbers, and names, were breached at one of the three major US credit reporting agencies.

Name Tests

Breach size: 120M

It was revealed in 2018 that Nametests.com, the website responsible for a popular Facebook quiz app, had a flaw that publicly exposed details about its more than 120 million users.

MyHeritage

Breach size: 92M

This breach was announced in 2018 but actually occurred in October 2017 and involved more than 92 million customers’ data. A security researcher discovered the information, which included email addresses and hashed passwords, on a private server that didn’t belong to MyHeritage.

T-Mobile

Breach size: 76M

A security hole in T-Mobile’s website enabled attackers to use a phone number to access account details, including email addresses and a phone’s IMSI network code. Up to 76 million users may have been affected.

Panera Bread

Breach size: 37M

The Panera Bread breach began in 2017 but apparently no action was taken until 2018. Names, email addresses, home addresses, and phone numbers of up to 37 million customers were leaked from the site in plain text. The last four digits of customers’ credit card numbers were also involved.

Dun & Bradstreet

Breach size: 33M

It was revealed that records from a commercial corporate database regarding more than 33 million people were leaked by Dun & Bradstreet. Of the people involved, more than 100,000 worked for the Ministry of Defence and over 70,000 for major financial institutions. While the information wouldn’t be considered sensitive data (it included things like email addresses, job title, and company address), in the wrong hands, it would make executing scams like spear phishing and whaling far simpler.

Zomato

Breach size: 17M

A hacker on the DarkNet is selling a database that includes emails and password hashes of 17 million registered Zomato users.

2016

823 data breaches were reported to occur in 2016, with eight of them hitting above the 10 million mark.

FriendFinder network

Breach size: 412M

Over 412 million accounts were exposed, representing 20 years of user personal data, including email addresses, passwords, usernames, the database outline, sites in the network visited by users, site registration data, and much more.

MySpace

Breach size: 360M

Over 360 million usernames and passwords were stolen from MySpace. The passwords were stored as “unsalted SHA-1 hashes” and were broken using a cracking server capable of running millions of SHA-1 calculations per second.

LinkedIn

Breach size: 167M

Between 117 million and 167 million records are believed to have been stolen from the popular business social network, including user email address, hashed passwords, and LinkedIn ID numbers. The breach is said to have started in 2012 but in 2016, the data was up for sale online.

Dailymotion

Breach size: 85.2M

The email addresses and usernames of approximately 85.2 million users of one of the most popular video-sharing sites on the internet were accessed in 2016. About one-fifth of those accounts also had their hashed passwords copied, but the passwords were encrypted with fairly strong encryption making them difficult to crack or guess.

Uber

Breach size: 57M

57 million customers’ and drivers’ names, e-mail addresses, and phone numbers were hacked in 2016. Uber then tried to cover up the breach by paying off the attackers who “promised” to delete the data. News of the breach broke in November 2017.

Weebly

Breach size: 43.4M

43.4 million records were stolen, but the means by which this theft was committed is not yet known. It is known that the compromised data contained email addresses, usernames, passwords, and logged IP addresses of users’ computers.

Twitter

Breach size: 32M

32 million login credentials, including plain text passwords, ended up for sale online. The data appeared to have been stolen directly from users rather than from a hack of Twitter’s servers.

FourSquare

Breach size: 22.5M

More than 22.5 million records were apparently taken from publicly available sources. The records contained FourSquare usernames, email addresses, and Twitter and Facebook IDs.

2015

547 data breaches were reported to occur in 2015, but seven of them were fairly large losses.

Voter Database

Breach size: 191M

A publicly available database full of information on 191 million US voters was found on the internet. The database contained names, home addresses, voter IDs, phone numbers, dates of birth, political affiliations, and detailed voting histories since 2000.

Anthem

Breach size: 80M

Over 80 million records were stolen, consisting of names, birthdays, medical IDs, social security numbers, street addresses, email addresses, and employment and income information, with the breach starting as early as 2014. On June 27th, 2017, Anthem agreed to a $115 million settlement for damages caused by this breach.

Ashley Madison

Breach size: 37M

The company’s user databases, financial records, and other confidential information were leaked to the public. 37 million user records were stolen and dumped to the DarkNet. The hackers attempted to blackmail Ashley Madison into shutting down the website or the stolen database would be released to the public, exposing all of its users. Ashley Madison refused to comply and the data was released, along with several copycat databases containing bogus information.

Office of Personnel Management in Washington, DC

Breach size: 21.5M

This involved 21.5 million entries in a database of government workers and more specifically, anyone who had applied for a security clearance going back to 2000. SSNs and information related to what officials ask during interviews for security clearance were leaked.

Experian’s T-Mobile customers

Breach size: 15M

15 million records of potential T-Mobile customers that had credit checks done by Experian were breached. The records consisted of names, addresses, social security numbers, dates of birth, and various identification numbers, including passports, driver’s licenses, and military identification numbers.

Premera Blue Cross

Breach size: 11M

This involved 11 million records of medical files and personal and financial information, including bank account numbers, social security numbers, birth dates, names, addresses, and “other personal information.”

Excellus BlueCross Blue Shield

Breach size: 10M

It appears this was the year for healthcare industry breaches as yet another huge attack hit health insurer, Excellus BlueCross Blue Shield. The information of more than 10 million individuals was leaked.

2014

869 breaches were reported with five over the 10 million record threshold.

Yahoo

Breach size: 500M

This breach actually occurred in 2014 but was not announced or acknowledged by Yahoo until two years after the fact. The database that was accessed contained records of over 500 million of Yahoo’s users, including names, phone numbers, email addresses, hashed passwords, birth dates, and “encrypted or unencrypted security questions and answers.”

Russian hacking discovered by Hold Security

Breach size: 500M

An impressive database of over a billion usernames and passwords along with more than 500 million email addresses was discovered on the DarkNet by a security firm. It was apparently the work of a Russian gang of hackers collecting information from hundreds of thousands of websites.

eBay

Breach size: 145M

This breach involved a data loss of over 145 million records. Hackers gained access to eBay’s user database using employee login credentials. The data copied consisted of email addresses, encrypted passwords, birth dates, and mailing addresses.

JP Morgan Chase

Breach size: 76M

76 million bank accounts were accessed by Russian hackers, some of which were only modified while others were completely wiped out.

The Home Depot

Breach size: 56M

The Home Depot got hit twice in 2014. In February, three employees were suspected of stealing 30,000 records. Then in September, it was hit again for the details of 56 million credit and debit cards due to a hack of the point-of-sales systems in over 2,200 stores in the U.S.

2013

890 data breaches were reported in 2013, five of which hit above the 10 million mark.

Yahoo

Breach size: 1B

More than 1 billion accounts were compromised in 2013, but this breach was not made public until 2016, and was most likely unrelated to the 500 million records stolen in 2014. Yahoo blamed the largest breach in history on hackers working on behalf of a government. The intruders used forged cookies to access user accounts without their passwords.

Target Corp.

Breach size: 110M

Up to 110 million payment card records were stolen during the Thanksgiving and Christmas holidays of 2013. This incident was used as a precedent for passing legislation in the U.S. implementing chip card technology.

Tumblr

Breach size: 65M

In 2013, hackers accessed more than 65 million passwords of Tumblr users, although the breach was not reported until 2016.

Evernote

Breach size: 50M

The biggest loss of data in 2014 with 50 million records exposed. Users were told to reset their passwords after the attack was detected.

LivingSocial

Breach size: 50M

Up to 50 million member accounts were at risk of being copied, consisting of names, email addresses, dates of birth, and encrypted passwords. At the time, an estimated 29 million people used LivingSocial, many with multiple accounts.

Adobe

Breach size: 38M

User accounts of up to 38 million Adobe users were stolen. Adobe sent out a notice to all affected users warning them to change their passwords and watch for suspicious activity on their accounts.

2012

886 data breaches were reported for the year, with two of them making the list.

Dropbox

Breach size: 68M

68 million Dropbox users had their email addresses and hashed passwords copied. They then received spam messages in which the sender posed as Dropbox.

Zappos.com

Breach size: 24M

24 million user accounts were detected as accessed including names, email addresses, billing and shipping addresses, phone numbers, final four digits of credit card numbers, and possibly encrypted passwords.

2011

793 data breaches were reported for 2011 with four of them over 10 million records lost or put at risk.

Epsilon

Breach size: 50-250M

This data breach involved anywhere between 50 and 250 million records. Epsilon reported that only email addresses and names were stolen. Customers were warned to expect phishing emails.

Sony, PlayStation Network

Breach size: 77M

77 million PlayStation Network (PSN) users and more than 24 million Sony Online Entertainment customers were affected during this 2011 hack. Leaked details included names, addresses, email addresses, dates of birth, login credentials for PSN and Qriocity, and PSN IDs and handles. It is suspected that hackers may also have accessed purchase histories, billing addresses and security questions.

Steam

Breach size: 35M

Hackers defaced a forum on Steam which prompted an investigation that revealed unauthorized access to a database containing user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information on over 35 million users.

WordPress

Breach size: 18M

Hackers accessed data on several of WP’s servers exposing source code, API security keys and social media passwords of 18 million WordPress users.

2010

801 data breaches were reported for 2010, but only one of them made the list.

DeviantART, Silverpop Systems Inc.

Breach size: 13M

The largest data breach in 2010 was also the only one above 10 million at 13 million records stolen. Hackers were able to penetrate deviantART through the marketing company Silverpop Systems Inc. The exposed database consisted of user names, email addresses and birth dates of all deviantART users.

2009

270 data breaches were reported for 2009, with three of them making our list.

Heartland Payment Systems

Breach size: 130M

130 million credit cards were stolen through a hack of this credit card processor. The problem was exacerbated by the processor’s delays and inaccurate disclosures regarding the breach. One of the perpetrators was a Secret Service informant and suspect in the previous year’s TJ Stores hack.

U.S. Military Veterans

Breach size: 76M

76 million detailed records were reported at risk of being exposed when a defective hard drive was sent off for repair without first having its data destroyed. The drive was part of a RAID array of six drives that held an Oracle database filled with veterans’ information. The drive was deemed irreparable and was then sent to another entity for recycling, again, without being erased.

RockYou

Breach size: 32M

An SQL injection flaw in RockYou’s database exposed their entire list of usernames, email addresses, and passwords–around 32 million records. The passwords were stored in plain text and the database included login credentials for various social networks like Facebook and MySpace.

2008

355 data breaches were reported for 2008 with two of them going over the 10 million mark.

Countrywide Financial Corp.

Breach size: 17M

A former employee reportedly stole and sold sensitive data on 17 million account holders’ profiles. It should be noted that Countrywide was the “poster boy” of the subprime lending crisis.

Bank of New York Mellon

Breach size: 12.5M

12.5 million records containing names, social security numbers, and possibly bank account numbers were “lost” when a box of backup tapes arrived at a storage facility with one tape missing.

2007

456 data breaches were reported to have occurred in 2007, with one of them involving more than 10 million records.

TJ Stores

Breach size: 100M

Over 100 million records were lost, consisting of credit and debit card numbers; merchandise return records containing names and driver’s license numbers, as well as credit card account numbers. Special note: the primary hacker, Albert Gonzalez, appealed his conviction in 2011 on the grounds that he was acting with authorization from the Secret Service. The U.S. government acknowledged that Gonzalez was a key undercover informant for the Secret Service at the time. Mr. Gonzalez blamed his attorneys for not using this information as part of his defense.

2006

482 data breaches were reported this year. Two of those breaches surpassed the 10 million records mark.

U.S. Dept. of Veterans Affairs

Breach size: 26.5M

A laptop and computer storage device containing sensitive data on 26.5 million veterans were stolen from the home of an unidentified employee of the Department of Veterans Affairs. The information consisted of names, social security numbers, dates of birth, phone numbers, and addresses on all American veterans discharged since 1975. The laptop and storage device were recovered almost two months later. According to an FBI investigation, the data had not been copied. In spite of this, the VA was still held accountable for ineffectual data security policies and neglecting to take proper security precautions regarding such sensitive data.

iBill

Breach size: 17M

Over 17 million records were posted online containing names, phone numbers, addresses, email addresses, IP addresses, login credentials, credit card types, and purchase amounts. It is unclear as to whether the breach was the work of a dishonest insider or malicious software injected into iBill’s systems.

2005

136 data breaches were reported for the year, with only one of them over our minimum of 10 million.

CardSystems

Breach size: 40M

40 million credit card accounts were exposed due to a security breach that occurred at a third-party vendor. The information exposed included names, card numbers and card security codes. CardSystems filed for bankruptcy in May of 2006. In 2009 it was revealed that CardSystems stored unencrypted credit card information on its servers.

2004

Funny enough, the only data breach that we have information on in 2004 was also a rather major one.

AOL

Breach size: 92M

A former software engineer of AOL stole 92 million email addresses belonging to an estimated 30 million users. He then sold the list of addresses to a man in Las Vegas who began spamming the list with an advertisement for an offshore gambling website. Even the judge involved in the case admitted to canceling his AOL email account because of all the spam.

Largest non-US breaches

There have also been some pretty massive breaches in various other parts of the globe over the years. Here are some of the most prominent:

Verifications.io, India (2019)

Breach size: 800M

An unsecured marketing email database exposed over 800 million user records. The breached data contained social media logins, gender, birthdates, mortgage amounts, and interest rates.

Aadhaar, India (2018)

Breach size: 1.1B

A data breach could have potentially risked the data of all 1.1 billion citizens of India. In early January, anonymous sellers on WhatsApp were offering access to any Aadhaar number and its associated details, including name, address, phone number, photo, and email address. The information was being sold with the option of software for printing ID cards, presumably for use in identity theft and other related crimes.

Interpark, South Korea (2017)

Breach size: 10M

In 2017, South Korea accused North Korea of stealing the data of 10 million customers of the online mall, Interpark, in an attempt to obtain foreign currency.

Telegram, Iran (2017)

Breach size: 15M

In 2017, Iranian hackers are accused of breaking into an ultra secure instant messaging service by compromising a dozen accounts. The hack exposed 15 million users’ phone numbers to the hackers. This will allow the hackers to add new devices to users’ accounts and give those new devices access to chat histories as well as new messages.

Mossack Fonseca, Panama (2016)

Breach size: 11.5M

This Panamanian law firm specializes in setting up anonymous offshore companies. The leak is of 11.5 million encrypted documents like emails, PDF files, photos, and excerpts from an internal database. The main purpose of this collection appears to be hiding the true owners of several of the offshore companies sold by Mossack Fonseca. Given that a lot of the information stored in these files includes evidence of illegal activities, the wish for anonymity is rather obvious.

Turkish citizenship database, Turkey (2016)

Breach size: 49.6M

A database was discovered online containing 49.6 million entries–the entire Turkish citizenry–with names, national IDs, parents’ names, gender, city of birth, date of birth, ID registration city and district, and their full address.

Philippines’ Commission on Elections, Philippines (2016)

Breach size: 55M

A database containing every registered voter in the Philippines, some 55 million people, was leaked online. The leak came on the heels of a defacement of the Philippines’ Commission on Elections website.

Korea Credit Bureau, South Korea (2014)

Breach size: 20M

A temporary consultant was arrested and charged with stealing bank and credit card data on 20 million users of the credit bureau.

Yahoo Japan, Japan (2013)

Breach size: 22M

22 million user accounts were put at risk when an attempt to access administrative portions of Yahoo Japan’s servers was detected. No personally identifiable information was stolen, according to Yahoo.

Court Ventures, Vietnam (2012)

Breach size: 200M

Court Ventures was in the business of selling off credit information to a Vietnamese identity theft service, resulting in over 200 million records sold over several years. These records included financial data, credit status, social security numbers, and bank information.

Blizzard, China (2012)

Breach size: 14M

Players of Diablo III, Starcraft II and World of Warcraft, some 14 million gamers, were informed of a data breach that put their user accounts on Blizzard.net at risk. Encrypted passwords, the answers to security questions and email addresses of users outside of China were stolen in the breach.

178.com, China (2011)

Breach size: 10M

Hackers stole 10 million user accounts from the Chinese gaming site, along with several other gaming sites in China.

Nexon Korea Corp, South Korea (2011)

Breach size: 13.2M

The data of 13.2 million subscribers of an online game in Korea was stolen through a hack of the site’s servers.

Tianya, China (2011)

Breach size: 28M

28 million clear text passwords and 40 million user accounts showed up on the DarkNet from China’s 12th most popular website at the time.

Auction.co.kr, South Korea (2008)

Breach size: 18M

The records of 18 million members of this South Korean auction site were stolen by a Chinese hacker. The records included user information and a large amount of financial data.

GS Caltex, South Korea (2008)

Breach size: 11.9M

Two compact discs containing this company’s customer list of 11.9 million customers were found on a street in Seoul.

HM Revenue and Customs, United Kingdom (2007)

Breach size: 25M

Computer disks containing confidential information on 25 million recipients of child benefits were lost in the UK. The disks were lost in transit from their headquarters in Newcastle to an insurer’s headquarters in Edinburgh.

T-Mobile, Deutsche Telekom, Germany (2006)

Breach size: 17M

Thieves made off with a storage device containing names, addresses, cell phone numbers, some birth dates, and some email addresses for some high-profile German citizens. Luckily, the stolen device did not contain any financial details like credit cards or bank accounts.

The big unknown

It should be noted that some reported breaches affect an unknown number of customers, so there may be other breaches that have topped the 10 million records mark. Plus, breaches may go undiscovered, entirely or for a period of time.

The new General Data Protection Regulation (GDPR) in the EU includes a requirement that companies report data breaches (that meet certain criteria) within 72 hours. While there is a California state law that pertains to data breach reporting, there is no federal legislation in place requiring mandatory reporting of data breach details. However, not reporting a breach can lead to lawsuits from affected users, so most companies do report when they discover they have been hacked or lose some information.

However, the amount of information reported is left entirely up to the reporting company, even to the point of merely admitting that there was a breach, with no details as to what data or even how much data was at risk of being accessed by unauthorized individuals. According to Privacy Rights Clearinghouse, thousands of companies have opted not to report how much of the data entrusted to them has been leaked or even how many of their customers may be at risk.

Now factor in the knowledge that some of these companies are collecting information without first informing subjects of their data mining that their information is being loaded into a database. Any retail outlet that a person walks into collects information on what they look at, pick up, purchase, and leave their store with. Match that data to facial recognition from the security cameras, as well as the information received from the point-of-sale system, and they have an identity to attach to that data entry.

Just about every retail outlet now has some form of membership that customers are encouraged to voluntarily sign up for with offers of discounts on fuel, points toward in-store savings, customized digital coupons, and other similar incentives. All of these are not, in fact, free. You are selling your personally identifiable information to these companies in exchange for the perks attached to the store’s membership system.

What can you do?

There are some things that you can do to minimize the damage or even prevent your information from getting into the wrong hands. Things like using an online anonymity tool (such as a VPN), installing anti-virus software, using strong passwords, and enabling two-factor authentication can help. In the case of the latter, if the platform you’re trying to secure doesn’t offer two-factor authentication, you may be able to use a third-party two-factor authentication app, such as Duo Mobile or Google Authenticator.

On the more extreme end, there is always the option of contacting any company you have entrusted your information with. You can ask them about what they have in place for not only preventing data breaches but what actions they take when they become aware of a leak.

If you want to check whether your information has been involved in a data breach, a handy tool is the Have I Been Pwned? website.

Have you experienced any side effects, or even direct effects of a data breach? How did you recover? Leave your comments below along with any tips you might have for other readers.

“Data Breach” by Blogtrepreneur, CC BY 2.0
