The 12 Worst Data Breaches in the Last Decade
Cyber threats are unsettling to say the least — and unfortunately, there’s a long list of recent data breaches in the online world. In 2019, a hack at Capital One put millions of people’s identities at risk, and 2017’s Equifax data breach proved that even those trusted to safeguard the most sensitive personal information, like Social Security numbers, are vulnerable to such threats.
Explore some of the worst cyber attacks in the last decade — and determine if your money and privacy are as safe as you think.
Equifax revealed in September 2017 that about half of everyone in the country had their personal information compromised from mid-May through July 2017 in one of the worst data breaches of all time. To put that into perspective, 145.5 million customers’ Social Security numbers, birthdates and other sensitive data was at risk.
The hackers also stole credit card numbers for more than 200,000 people. Although Equifax offered free credit monitoring to those who were affected, it waited more than a month to announce the data breach, which didn’t go over well in the press.
In July 2019, Equifax announced a $675 million consumer settlement — with some reports estimating the amount to be closer to $700 million — arising from the data breach. The money would be used to pay for credit monitoring services for affected consumers, out-of-pocket losses related to the breach and identity restoration services. As part of the deal, individuals who were affected can choose to claim a $125 cash payment in lieu of credit monitoring services.
On July 29, 2019, Capital One announced that a hacker had obtained personal information from people who have Capital One credit cards — as well as those who merely applied for one of its credit cards. The financial company estimates that the breach affected 100 million people in the U.S. and an additional 6 million in Canada.
Fortunately, Capital One stated in a press release that “over 99% of Social Security numbers were not compromised,” and neither were credit card account numbers or log-in credentials. The personal data that was stolen included names, addresses, phone numbers, email addresses, birthdays and self-reported income. It also included credit scores and transaction data.
Capital One said that it would notify affected individuals, and offer free credit monitoring and identity protection to anyone whose personal information was compromised. By the time Capital One announced the breach, the FBI had already arrested the hacker responsible.
Yahoo tops the list for worst data breaches in recent memory, with a whopping 3 billion accounts compromised in a 2013 data leak — although news of the leak didn’t come out until September 2017. According to academic experts, Yahoo protected people’s information with outdated, easy-to-crack encryption. The cybersecurity breach forced the former internet giant to lower its selling price to Verizon by $350 million.
In April 2011, Sony had a cybersecurity breach. Hackers compromised 77 million PlayStation gaming console user accounts, gaining access to their names, addresses and other sensitive data.
This was a big blow for the gaming community, but it wouldn’t be the last blow to Sony. In 2014, hackers erased data from its systems and stole — and shared with the world — prerelease movies and celebrities’ private information.
In 2013, Target shoppers were targeted by hackers during the post-Thanksgiving holiday shopping spree, who compromised approximately 40 million credit and debit card numbers.
In addition to card numbers, the cyber theft included customer names, expiration dates and CVVs. With this information, hackers could make replica cards — and do plenty of other damage. Target announced in 2015 that it would pay $10 million to customers affected by the cybersecurity breach.
The name Alteryx, an online marketing and analytics firm, might not be familiar to you as Target or Sony, but you might have felt the consequences of its data breach. In December 2017 its database containing sensitive information on 123 million American households was unsecured and open to anyone.
According to the Huffington Post, the compromised data isn’t just Social Security numbers and other identifiers, but things like the number of children in one’s household. Experian provided one of the database’s main components, “ConsumerView,” which also experienced cyber hacking troubles.
The financial institution became the target of one of the largest cyber data breaches in history, affecting as many as 76 million households and 7 million small businesses. Three of the men charged with the hacking were indicted in November 2015.
The cyber attack at JPMorgan Chase involved men hacking personal information to develop a “pump and dump” stock scheme as part of a bigger plan. The criminal masterminds hacked other banks, ran an online casino, laundered money globally and set up a Bitcoin operation, making more than $100 million.
Before there was ever Facebook, there was Myspace. Although past its heyday, the social networking site confirmed a data breach of user names, email addresses and passwords for approximately 360 million accounts in May 2016.
Even if you didn’t post on Myspace anymore, there’s a good chance that you use your password for other accounts too — and it could potentially be up for sale online. Based on its reach as opposed to damage, this attack can certainly go down as one of the biggest in history.
Heartland Payment Systems
You might not recognize the name Heartland — a company that processes about 100 million credit and debit card transactions per month for 175,000 merchants — but its security breach had far reach. In 2008, hackers gained access into the credit card processor’s computer system. Heartland ultimately paid more than $110 million to credit card companies to settle claims related to the breach, according to CNN.
The online auction site and retailer that battled with Amazon reported a massive cybersecurity breach in May 2014 — although the database was compromised a few months earlier. Cyber thieves retrieved information for 145 million eBay customers, including their names, encrypted passwords, email, addresses, phone numbers and dates of birth. As a precautionary measure, the company asked its users to change their passwords.
You know you should change your password, but don’t forget to change these important numbers in the wake of identity theft.
In February 2015, health insurance provider Anthem had a high-profile data breach in which hackers stole sensitive information from approximately 79 million records in its database. Breached information included names, birthdays, Social Security numbers, addresses, email addresses, employment and income information. Last summer, Anthem announced it would pay $115 million to settle lawsuits over the data breach — the largest settlement of this nature to date.
Customers who chose self-checkout at the popular home improvement store between April and September 2014 unknowingly exposed themselves to credit card theft. The data breach affected more than 50 million Home Depot customers who used payment cards on its self-checkout terminals. In 2016, Home Depot agreed to pay at least $19.5 million to customers who were affected — and to improve data security over a two-year period.
This story was updated with information about the July 2019 settlement at Equifax and breach at Capital One. All other reporting was accurate when first published in February 2018.
More on Credit Cards and Money:
Gabrielle Olya contributed to the reporting for this article.