The 10 Most Disastrous Data Breaches of All Time

We are living in the age of the data breach. As of March 29th, 2016, there have been over 202 data breach incidents in 2016, with a total of 6,184,526 records compromised according to a report from the Identity Theft Resource Center. That puts  the US on track to eclipse 2014’s record high 783 data breaches (2015 was a close second with 781).

The average cost of those breaches? $3.79 million, according to research from the Ponemon institute. And, beyond the immediate financial cost, data breaches can cause an unquantifiable loss in customer confidence.

Security breaches continue to shed light on just how easily hackers can access complex systems and steal important information from organizations and their customers. While this is scary for customers, it is equally devastating to the organizations and those affected.

We all know that robust information security is critical to enterprise organizations, but if you needed a reminder, here are the top 10 most disastrous data breaches of all time.

10. Korean Credit Bureau, 2014, 20 million records compromised.

One of the most impactful breach in recent years occurred in 2014 when an employee of the South Korean Credit Bureau pulled off one of the largest cases of identity theft in world history.

The worker secretly copied data from multiple databases over the course of a year and a half and eventually walked away with over 20 million identities— that’s 40% of South Korea’s population. The thief made off with social security numbers, phone numbers, credit card numbers, names, and physical addresses.

9. Office of Personnel Management, 2015, 22 million employee records breached.

In 2015, it was discovered that the Federal Office of Personnel Management or OPM’s network had been hacked,  resulting in the breach of the personnel records of 22 million current and former federal employees.

Hackers gained access to the federal network by using a contractor’s stolen credentials, then escalating their privileges and planting a malware backdoor in the network. The breach then went undetected for 343 days until anomalous SSL traffic and a decryption tool were observed within the network, leading to a forensic investigation.

The OPM breach appears to have been data mining operation seeking data on individuals for intelligence purposes. The stolen personnel records include those for classified employees holding sensitive jobs in law enforcement and intelligence, and also includes their fingerprints and information as detailed as eye color, financial history, address, medical details, and contact information for victim’s friends and relatives.

Many leading experts believe that the OPM breach was carried about by hackers connected to the Chinese government.

8. Ashley Madison, 2015, 37 million customer records compromised.

Perhaps the sensational item on the list, in 2015, AshleyMadison.com, a dating site for extramarital affairs, announced that 37 million customer records including millions of account passwords, as well as company financial records, had been hacked.

The attack went undiscovered until July 12^th, 2015, when the attackers, a hacking group called The Impact Team, announced the breach themselves by pushing an announcement screen to Ashley Madison employee’s computers, demanding the shutdown of Ashley Madison and related sites.

The attackers posted personal information of customers seeking extramarital affairs with other married persons, which led to embarrassment, and in two cases, possible suicides.

7. Home Depot, 2014, 56 million credit and debit cards compromised.

In September 2014, Home Depot admitted what had been suspected for weeks.. Hackers had infected its point-of-sale systems at stores in the U.S. and Canada with malware posing as anti-virus software that siphoned the payment card details of over 56 million customers. 53 million customer email addresses were also compromised in the attack.

According to Home Depot, criminals used a third-party vendor’s username and password to enter the perimeter of Home Depot’s network, and then acquired elevated rights that allowed them to navigate portions of Home Depot’s network deploy malware.

Many experts believe that the attack was carried out by the same group of Russian and Ukrainian hackers responsible for data breaches at Target and PF Changs.

6. Anthem/Premera Healthcare, 2015, 80 million records breached.

In February 2015, Anthem, the second-largest health insurer in the U.S., revealed that its customer database had been breached. Stolen data included names, addresses, dates of birth, Social Security numbers and employment histories and as many as 80 million current and former customers’ records were thought to be compromised.

Investigators believe hackers gained access to Anthem’s network via a watering-hole attack that obtained an administrator’s login credentials. The breach went undetected for nine months after the hackers first gained access to the network, until a systems administrator that an account had been querying internal databases without the account holder’s knowledge.

Many experts believe the hack was the work of Deep Panda, a group known for breaking into technology, aerospace and energy firms as well as another health insurer, Premera, whose data breach was discovered on the same day as Anthem’s.

5. TJX Companies Inc., 2006-2007, 45-94 million records compromised.

At the time of its discovery in 2007, the TJX data breach was the biggest breach of consumer data in the history of the US.  Over an 18-month period, at least 46 million credit and debit card numbers were stolen from the parent company of Marshals, TJ Maxx, and HomeGoods, with some estimates aiming as high as 94 million records breached.

The TJX hackers included Albert Gonzalez, who would later be convicted to 20 years in federal prison for his part in the Heartland Payment Systems hack.

4. PlayStation Network Hack, 2011, 102 million records compromised. 

In April of 2011, hackers targeted the PlayStation Network, which links the entertainment company’s video game consoles, as well as Sony’s Qriocity video and music streaming service, resulting in the breach of over 77 million user accounts. Breached info included personally identifiable information such as login credentials, names, addresses, phone numbers, and email addresses. Credit card information for 23,400 Sony Online Entertainment users in Europe was also lost in the breach, whose perpetrators are unknown to this day.

Breached info included personally identifiable information such as login credentials, names, addresses, phone numbers, and email addresses. Credit card information for 23,400 Sony Online Entertainment users in Europe was also lost in the breach, whose perpetrators are unknown to this day.

The attack forced Sony to take their network down for a total of 20 days, and the company estimates the total financial costs of the attack at $171 million.

Sony’s hacking woes didn’t end there. In November 2014, Sony Pictures Entertainment, the movie and TV division of Sony, had its corporate network hijacked by a group calling themselves “the Guardians of Peace” who released gigabytes of embarrassing and damaging data, including unfinished scripts, personal emails, social security numbers, and more.

3. Target Stores, 2013, 110 million records compromised.

In December of 2013, Target announced that hackers had made off with approximately 40 million credit and debit card numbers that had been used at Target retail locations during the 2013 holiday shopping season.

One month later, in January 2014, Target announced that the contact information of an additional 70 million customers had also been breached. Information stolen included full names, addresses, email addresses, and phone numbers.

Investigators believe that the data was obtained by hackers via software installed on credit card reader machines at Target stores.

2. Heartland Payment Systems, 2008-2009, 130 million credit and debit cards exposed.

In early 2009, NJ-based payment processing company Heartland Payment Systems announced the largest theft of credit-card information in the history of the United States.

Hackers planted malware on Heartlands network, which recorded credit card data as it arrived from the over 250,000 businesses across the nation that used Heartland. In the end, over 130 million credit and debit card numbers were stolen. Heartland eventually paid over $110 million to credit card associations to settle claims related to the hacking.

In 2010, Albert Gonzalez, the mastermind behind the attack, was sentenced to 20 years in prison—one of the lengthiest sentences for cyber crimes in US history.

1. Ebay, 2014, 145 million customer records breached.

The early 2014 breach of Ebay’s security system compromised over 145 million customers’ personal information. Login credentials, names, physical addresses, dates of birth, and phone numbers were all potentially compromised in the attack, which lasted from late February to early March of 2015.