
The 10 Biggest Data Breaches Ever


Data breaches happen every day, with the vast majority being simple cases of human error that only affect a small number of people (such as where someone emails sensitive data to the wrong person).

While the personal impact for the victim of even a small-scale data security breach can be huge, it is the cybersecurity breaches affecting thousands and even millions of people that tend to make the news.

With data breaches only likely to become more common, we decided to throw a spotlight on the 10 biggest data breaches worldwide that have occurred so far. This includes a mix of companies that have been hacked by cybercriminals and data leaks due to human error, both of which can be catastrophic for the organisations responsible for the breach and the people whose data becomes exposed as a result.

This list is based on the number of records exposed and gives a clear picture of the various ways data breaches can occur and the types of information that are often exposed.

Clearview AI

Year: 2020
Type of breach: Hack of company client list
Number of records exposed: 3 billion+ photos (potentially)

Facial recognition software developer Clearview AI was hacked in early 2020. The hackers gained access to the company’s client list, which includes US law enforcement agencies, but Clearview AI stated that their servers were not breached.

The company has compiled a database of more than three billion photos from sources such as Facebook, YouTube and Twitter. Had the company’s photo database been compromised, the Clearview AI data breach would potentially have had the widest-reaching impact of any data breach so far.

Yahoo

Year: 2013
Type of breach: Hack of user accounts
Number of records exposed: 3 billion

Every Yahoo account was affected by this security breach in 2013, although the full extent only came to light in late 2017 following Verizon Communications’ takeover of Yahoo.

Hackers broke into Yahoo’s systems and accessed names, birthdates, phone numbers and passwords of users, as well as answers to security questions and backup email addresses used for password resets.

Yahoo went public about the attack in 2016, at which point it claimed only 1 billion accounts had been compromised. However, following the Verizon takeover, it has been confirmed that every Yahoo account was affected.

First American Corporation

Year: 2019
Type of breach: Accidental data leak through company website
Number of records exposed: 885 million

Property title insurance giant First American Corporation were responsible for accidentally leaking 885 million documents related to mortgage deals going back to 2003.

The records, which included bank account numbers, bank statements, mortgage records, tax records, social security numbers and driver’s licence images, were available unencrypted through First American’s website.

The company had placed the records online and anyone could view them if they knew the right URL with no authentication required.

Facebook

Year: 2019
Type of breach: Accidental data leak by third party app developers
Number of records exposed: 540 million

In 2019, it came to light that more than 540 million records relating to Facebook users were accidentally leaked by two third-party Facebook app developers.

The apps in question posted the records in plain sight on Amazon’s cloud computing service. These records included Facebook users’ account names, IDs, friends, photos, location check-ins and passwords.

Marriott International

Year: 2018
Type of breach: Hacking attack on guest reservation database
Number of records exposed: 500 million

In 2018, Marriott International revealed that hackers had broken into the guest reservation database of its subsidiary Starwood Hotels group. The hack affected as many as 500 million guest records, involving as many as 7 million former guests in the UK.

The hack took place from July 2014 to September 2018, with the data exposed including guests’ names, home addresses, email addresses, telephone numbers, passport details and credit card details.

The hotel brands affected by the Marriott data hack include W Hotels, Sheraton Hotels & Resorts and Le Meridien Hotels & Resorts.

Yahoo (again)

Year: 2014
Type of breach: Security breach of user accounts
Number of records exposed: 500 million

Yahoo was hit by a second hack of its user accounts in late 2014, which the company reported in 2016. This hack affected around 500 million accounts with the data exposed including account names, email addresses, telephone numbers, dates of birth, passwords, and some users’ security questions and answers.

Friend Finder Networks

Year: 2016
Type of breach: Suspected hack of company databases
Number of records exposed: 412 million

Adult-orientated social networking company FriendFinder Networks Inc. is suspected to have been the victim of a hack targeting six of its databases prior to 20 October 2016.

Personal user details from the databases were discovered online in October 2016, with the exposed data including usernames, email addresses and passwords. The records related to various FriendFinder websites, including AdultFriendFinder.com, Cams.com and Penthouse.com.

Exactis

Year: 2018
Type of breach: Accidental data leak online
Number of records exposed: 340 million

Marketing and data aggregation company Exactis accidentally exposed a database it held containing nearly 340 million individual records. The company had placed the database on a publicly accessible server, meaning anyone who knew where to look could view the data.

The data exposed included names, phone numbers, home addresses, email addresses, and other highly personal characteristics for millions of US citizens. The information on the database was intended for highly targeted marketing purposes, so it is much more detailed and personal than much of the information exposed in a typical data breach.

Airtel

Year: 2019
Type of breach: Data exposed due to security flaws in mobile app API 
Number of records exposed: 320 million

India’s third largest mobile network operator, Bharti Airtel, was responsible for a massive data breach affecting around 320 million users of its mobile app. Security flaws were discovered in the app’s API (application programming interface), which meant users’ data was accessible.

The data exposed included users’ names, email addresses, birthdays, home addresses and the IMEI number of devices onto which the app had been installed. While it is not known whether this data was accessed by anyone unauthorised to do so, the extent of the records involved makes this potentially very serious for Bharti Airtel and its users.

Truecaller

Year: 2019
Type of breach: Unclear
Number of records exposed: 299 million

In May 2019, independent security researcher Rajshekhar Rajaharia claimed that personal data of nearly 300 million users of the Truecaller caller ID app were available for sale on the dark web.

However, the app’s developer, Stockholm-based True Software Scandinavia AB, claims its database has not been breached. The allegedly exposed data includes users’ mobile phone numbers, as well as some users’ email addresses, photos, company names, job titles and more.

Truecaller stated: "It has been recently brought to our attention that some users have been abusing their accounts. In light of this event, we would like to strongly confirm at this stage that there has been no sensitive user information being accessed or extracted, especially our users' financial or payment details."

At this time, the reason for the data being exposed remains unclear.

How Hayes Connor can help with data breach claims

At Hayes Connor, we specialise in helping people to claim compensation when their data has been exposed in a breach of data protection regulations. This could be due to a cyberattack, human error or any other reason.

We are one of the largest teams of data breach claims specialists in the country, with decades of combined experience in securing compensation for victims of data breaches. We can advise you on whether you are likely to have grounds for a claim, the level of compensation you may be entitled to and what you need to do to start a claim.

Our goal is to ensure that anyone who is affected by a data breach is able to get the compensation they deserve, while making the claims process as simple and stress-free as possible.

You can find out more about our expertise and how we handle data breach claims here.

To start a claim, you can use our online claim form and we will get back to you shortly to let you know if we believe you have grounds for compensation.

If you would like to speak to a member of our team, please do not hesitate to give us a call on 0151 363 5895.
