The 15 Most Massive Data Breaches in History


Cybersecurity software is crucial for business and data protection. If you're an organ donor, a welfare recipient, a student, an employee, a patient, or if you do business or have an account virtually anywhere, your personal data is entrusted in the hands of strangers. These strangers have an obligation to keep information such as your date of birth, full name, address, Social Security number, phone numbers, medical records, employee records, and banking information safe and confidential. However, through weak security on computer networks, theft and loss of laptops, and employee negligence, much of your information can be exposed or fall into the hands of identity thieves through data breaches.

Here are 15 of the largest data breaches in history in chronological order. If you have never been affected by a data breach, congratulations, you have been lucky so far as more than 340,102,273 records containing sensitive personal information have been breached just in the U.S. since January 2005.

Citigroup Loses Data of 3.9 Million Customers


On June 6, 2005, Citigroup announced that tapes containing personal data of 3.9 million consumer lending customers of its CitiFinancial subsidiary had been lost by UPS. Approximately 50,000 of the records belonged to customers who had closed their accounts, with the rest being active consumer accounts. The tapes were being shipped to a credit bureau in Texas when they were lost by UPS. The Social Security numbers, names, account history, and loan information of the former and current customers. UPS claimed there seemed to be no indication of theft or fraudulent activity and Citigroup informed customers that there was "little risk" of accounts being compromised. The data was never recovered.

40 Million Visa, Mastercard, and American Express Records Hacked


On June 19, 2005, CardSystems Solutions announced that 40 million debit and credit card numbers had been compromised in a successful hacking attempt using a malicious script. According to Visa, the network that was hacked had been certified secure based on an industry-standard developed by none other than Mastercard and Visa. An investigation following the massive data breach revealed that the network was not compliant with the self-developed industry standards of security. Visa spokesperson Rosetta Jones threw CardSystems Solutions under the bus by saying, "Had they been following the rules and requirements, they would not have been compromised."

26.5 Million Records Stolen From US Dept of Veteran Affairs


In May 2006, an employee of the US Department of Veteran Affairs took a laptop home without authorization from the department. The laptop and the sensitive personal data of 26.5 million people who were discharged from the US military since 1975 it contained, were stolen during a burglary at the employee's home. Included in the data were veterans' names, Social Security numbers, and dates of birth. In some cases, the same information was included for the veterans' wives. The department vowed to send a letter to every veteran affected in the breach "to the extent possible."

AOL Posts 20 Million User Searches


AOL inadvertently made public 20 million keyword searches made by hundreds of thousands of its users between March and May of 2006. On August 7, 2006, the company issued an apology, saying it was a mistake and no personally identifiable information had been made available. However, Michael Arrington, the editor of TechCrunch, reviewed the data and found that it contained credit card numbers, Social Security card numbers, names, and addresses. All of the exposed data was that of AOL users in the U.S.

Unauthorized Intrusion at TJX Companies Inc. Exposes Over 100 Million Records


TJX Companies Inc. owns and operates TJMaxx, Marshalls, Winners, HomeSense, AJWright, TKMAxx, and other off-retail outlets in the US, UK, Ireland, Canada, and Puerto Rico. On Jan 17, 2007, TJX announced it had experienced an "unauthorized intrusion" into its computer systems. Initially, the company claimed the security breach took place from May 2006 to January 2007. It later conceded that the system was also likely hacked multiple times beginning in July 2005. TJX had used an outdated wireless security encryption system and had failed to install firewalls and data encryption, so the thieves were easily able to access streaming personal data as it was scanned. A month before the breach was discovered, information stolen from TJX was used in an $8 million gift card scam. As the story of this historically huge data breach unfolded, the numbers continued to grow. All told, it is believed that more than 100 million records including private and sensitive data were stolen in the breach. The ringleader of the theft operation was sentenced to five years in prison and ordered to pay nearly $600,000 in restitution.

8.6 Million Records Stolen From Dai Nippon Printing Company


A former contractor of Dai Nippon Printing Company in Tokyo, Japan stole 8.6 million records containing the personal data of customers of 43 of the company's clients. The company announced this data breach on March 12, 2007. The stolen data included the names, addresses, and credit card numbers of people who were targeted for direct marketing. In the US, customers of American Home Assurance Co. and Toyota Motor were affected by the breach.

8.5 Million Records Stolen From Fidelity National Information Services


On July 3, 2007, an employee at Certegy Check Services, a subsidiary of Fidelity National Information Services, stole 8.5 million customer records, which included credit card and banking information and other personal information. A class-action lawsuit was filed against Fidelity and one of its subsidiaries, charging the companies with negligence in connection with the data breach. The employee, a former database analyst at Certegy Check Services Inc. agreed to plead guilty to federal fraud charges and was sentenced to four years and nine months in prison and ordered to pay a $3.2 million fine. On July 7, 2008, a class action settlement entitled each person whose financial information was stolen to up to $20,000 for unreimbursed identity theft losses.

6.3 Million Data Files Stolen From TD Ameritrade Holding Corp.


When one of TD Ameritrade's databases was hacked in 2007, the thief was able to gain access to more than 6.3 million customer data files. The company announced that the data stolen included names, e-mail addresses, phone numbers and home addresses but no Social Security numbers. Those affected by this data breach began receiving e-mail spam shortly after the theft and on September 14, 2007, Ameritrade sent a mass e-mail to customers conceding that Social Security numbers had been accessed in the breach. On October 27, 2009, TD Ameritrade seemed to be close to a settlement with those affected by the data theft. However, the federal judge overseeing the case rejected the proposed settlement, saying it provided "no discernible benefit to the victims," so it's back to the drawing board for Ameritrade to try to come up with a new offer that won't insult the victims or the court.

25 Million Child Benefit Records Missing From HM Revenue and Customs


In the UK, two password-protected CDs containing the names, birth dates and National Insurance numbers of 25 million children, parents, guardians and caregivers contained in the HM Revenue and Customs child benefit database were lost on October 18, 2007. However, the missing CDs were not reported to the senior management at HM Revenue and Customs until November 8, 2007. Chancellor of the Exchequer Alistair Darling was notified of the loss on November 10, 2007, and the public was notified on November 22, 2007. Darling said the reason for the delay in notifying those who may be affected was necessary to allow the banks time to locate any potentially affected accounts and monitor them for unusual activity.

40 Million Credit Card Records Stolen From Hannaford Brothers Supermarkets


In March 2008, Hannaford Brothers supermarket chain disclosed it had suffered a data breach involving credit and debit card transactions at its stores. The malware was loaded onto the Hannaford servers and allowed hackers to intercept the card data as customers swiped them at checkout counters. The 40 million stolen credit card numbers and expiration dates were transferred overseas and resulted in at least 2,000 cases of credit card fraud.

Data of 11 Million GS Caltex Customers Leaked


The personal data of 11.1 million GS Caltex customers was found on two discs that were discovered lying in the street in September 2008. GS Caltex is one of the country's largest oil refineries. The DVD and CD that were found were believed to have been thrown in the trash and contained the names, Social Security numbers, addresses, cell phone numbers, e-mail addresses, and workplaces of customers. GS Caltex announced there had been no trace of any hacking and the data stored on the discs could not be used to make any purchases. Identity theft is perhaps another story.

3 Billion Accounts Compromised at Yahoo

The days of Yahoo! Mail being the best mail service are long gone. During the height of its success in 2013, Yahoo! is found out to have leaked 3 billion users’ data which included information such as security questions and answers, plaintext passwords, and payment information. 

This data breach was kept under wraps with Yahoo! publicly admitting to a data breach in 2016. The information wasn’t shared with the public due to Yahoo’s pending acquisition by Verizon. New owner Verizon has to ensure their commitment to user information security as a result. 

Data of 530 Million Facebook Users Leaked

In April 2019, personal information about Facebook users were leaked to the dark web. Information such as phone numbers, email addresses, and Facebook IDs were leaked. 

Facebook is well known for collecting all sorts of data about their users and selling it to 3rd parties. Their assertion is that information obtained by third parties are under the security purview of such party after. Anyone using Facebook user data has to be extra cautious with their cyber security layers. 

1.1  Billion Pieces of User Data Being Scraped from Alibaba

Alibaba’s Chinese shopping website, Taobao was subject to a data breach caused by crawler software deployed by a developer working for an affiliate marketer on the platform trying to source user data for their own gain. Perpetrators were sentenced to time in prison and Taobao has cooperated with law enforcement to remedy the situation. 

LinkedIn Being Hacked

One of the latest data breaches that would’ve affected most of us is the cyber attack on LinkedIn in June 2021. A total of 700 million user data, which is about 90% of their user base, was compromised as a result of a hacking attack, and the information was published on the dark web. 

User information leaked included email addresses, phone numbers, location records, social media details, etc. the company tried to assure users that no sensitive information was lost and that they consider this a terms violation more than a cyber-attack.