In terms of people affected, the biggest data breach of all time was the Yahoo breach of 2013: all told, 3 billion accounts were compromised. If we’re talking monetary cost, however, the Epsilon breach of 2011 comes in at #1, with estimates running as high as $4 billion.
In this article, we’ll profile the 10 biggest data breaches of all time, looking at both people affected and total cost.
The Biggest Data Breaches, by Number of People Affected
1. Yahoo Breach, 2013: 3 Billion Accounts Compromised
The most extensive data breach on record occurred in August 2013, when 3 billion Yahoo accounts were compromised. Essentially, every Yahoo account holder was hit.
News of the breach didn’t emerge until 2016, roughly three years after the event and shortly after Verizon had agreed to acquire Yahoo’s core internet business, a deal that ultimately cost the telecom giant nearly $4.5 billion after a discount negotiated because of the breaches. After disclosing the breach, Yahoo notified affected account holders and required password changes. Unencrypted security question answers were also invalidated as a precaution, requiring users to create new ones.
Along with names, email addresses, phone numbers and dates of birth, passwords (hashed with the weak MD5 algorithm) were compromised in the breach, leaving user accounts susceptible. Anyone who reused the same password on other services was exposed to further account takeovers. After the incident, Yahoo reached a settlement with those impacted, ultimately agreeing to pay $117.5 million after an earlier proposed amount was rejected by the court.
While news of this breach emerged in December 2016 (initially as 1 billion accounts, revised to 3 billion in October 2017), it actually preceded the separate 2014 breach, for which the U.S. indicted four individuals in 2017: two Russian intelligence officers and two hackers. Around 500 million users were affected in that incident.
2. Marriott Breach, 2018: 500 Million Customers Impacted
In November 2018, Marriott International publicly announced that attackers had gained access to the Starwood guest reservation database, initially putting the number of affected guests at up to 500 million (later revised to roughly 383 million records). Unauthorized access reportedly began in 2014 and persisted through Marriott’s 2016 acquisition of Starwood; the intrusion wasn’t detected until September 2018, when an internal security tool flagged a suspicious database query.
Names, contact details, passport numbers, Starwood Preferred Guest account numbers, travel information, and other data were taken. For a subset of guests (Marriott later put it at about 8.6 million cards), payment card numbers and expiration dates were also stolen. The card numbers were encrypted with AES-128, but Marriott couldn’t rule out that the attackers had also taken the two components needed to decrypt them.
A Chinese intelligence group was reportedly responsible, making this the largest breach attributed to a nation-state. The direct cost to Marriott was far lower than most would expect, coming in at roughly $72 million in the first six months, nearly all of it covered by insurance. The UK Information Commissioner’s Office later fined the company £18.4 million under GDPR in 2020.
3. FriendFinder Breach, 2016: 412 Million Accounts Exposed
Another of the biggest incidents of all time: the FriendFinder Network, home to several adult-oriented sites, was hacked in 2016. In total, more than 412 million accounts were exposed, covering 20 years of historical customer data, including accounts users had deleted.
User names, passwords, and email addresses were all part of the breach. Worse, the passwords were stored either in plaintext or as unsalted SHA-1 hashes. SHA-1 is a fast general-purpose hash, not a password hash: with no per-user salt, an attacker computes the SHA-1 of a wordlist once and then cracks every matching account in the dump by simple lookup, which is why almost all of the hashed passwords were recovered shortly after the dump surfaced. Some of the email addresses were also linked to non-personal accounts, with thousands ending in .mil or .gov.
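The following is an added example, not code from the original article or from FriendFinder, that shows concretely why unsalted SHA-1 storage fails so quickly and what the alternative buys you. It runs a dictionary attack against a constructed dump of hypothetical users (the accounts, wordlist and passwords are made up here) stored the FriendFinder way, then runs the same attack against the same passwords stored with a per-user random salt and PBKDF2-HMAC-SHA256, counting hash operations in each case. The ITERATIONS value is an illustrative work factor, not anything from the article.

```python
"""Dictionary attack against unsalted SHA-1 password hashes, contrasted with
a salted, iterated password hash. All sample data below is constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist and sample accounts (hypothetical users and passwords).
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "football", "iloveyou"]
SAMPLE_PASSWORDS: Dict[str, str] = {
    "alice@example.mil": "123456",
    "bob@example.gov": "letmein",
    "carol@example.com": "iloveyou",
    "dave@example.com": "Tr0ub4dor&3!x",  # not in the wordlist: should survive both attacks
}
ITERATIONS = 100_000  # PBKDF2 work factor (assumed); tune to ~100 ms per hash in production


def sha1_hex(password: str) -> str:
    """The weak scheme: one unsalted SHA-1 over the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup(wordlist: List[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext ONCE. With no salt this table is reusable
    against every user in this dump and against every other unsalted-SHA-1 dump."""
    return {sha1_hex(w): w for w in wordlist}


def crack_unsalted(leak: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Crack a {user: sha1_hex} dump by table lookup.
    Returns (cracked {user: plaintext}, number of hash computations).
    The work is len(wordlist), regardless of how many users are in the dump."""
    table = build_lookup(wordlist)
    cracked = {user: table[h] for user, h in leak.items() if h in table}
    return cracked, len(wordlist)


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The stronger scheme: random 16-byte per-user salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def verify_salted(password: str, salt: bytes, dk: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, dk) record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, dk)


def crack_salted(leak: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same dictionary attack against salted, iterated hashes. No shared table is
    possible: each (user, candidate) pair costs a fresh ITERATIONS-round PBKDF2 run,
    so the work grows with users * wordlist * ITERATIONS instead of len(wordlist)."""
    cracked: Dict[str, str] = {}
    hash_ops = 0
    for user, (salt, dk) in leak.items():
        for candidate in wordlist:
            hash_ops += ITERATIONS
            if verify_salted(candidate, salt, dk):
                cracked[user] = candidate
                break
    return cracked, hash_ops


def make_leaks() -> Tuple[Dict[str, str], Dict[str, Tuple[bytes, bytes]]]:
    """Build the two constructed 'dumps' from SAMPLE_PASSWORDS: one stored the
    FriendFinder way (unsalted SHA-1), one stored with per-user salt + PBKDF2."""
    unsalted = {user: sha1_hex(pw) for user, pw in SAMPLE_PASSWORDS.items()}
    salted = {user: store_salted(pw) for user, pw in SAMPLE_PASSWORDS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted_leak, salted_leak = make_leaks()
    cracked, ops = crack_unsalted(unsalted_leak, WORDLIST)
    print(f"unsalted SHA-1: cracked {len(cracked)}/{len(unsalted_leak)} in {ops} hash ops: {cracked}")
    cracked, ops = crack_salted(salted_leak, WORDLIST)
    print(f"salted PBKDF2:  cracked {len(cracked)}/{len(salted_leak)} in {ops:,} hash ops: {cracked}")
```

Note what the salted run does and doesn’t change: the three weak passwords still fall, because salting and iteration raise the cost per guess per user, not the fate of "123456". The difference is that the attacker can no longer amortize one precomputed table across 412 million accounts, and every additional guess costs ITERATIONS rounds instead of one SHA-1 block. That is also why the article’s point about password reuse matters: a password cracked from one weak store is tried everywhere else.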
The company reportedly fixed a local file inclusion (LFI) vulnerability that a researcher had publicly demonstrated against the site shortly before the breach and that allowed access to the data. Beyond that, it isn’t entirely clear what steps the company took, and the cost of the incident was never made public.
4. Myspace Breach, 2013: 360 Million Accounts Compromised
Another massive breach by any standard: 360 million Myspace accounts were compromised, covering accounts created before June 11, 2013. A Russian hacker using the handle “Peace” reportedly offered the data for sale, though further details about the attacker, and the total cost of the incident, aren’t available.
User names, email addresses, and passwords were involved. The passwords were stored as unsalted SHA-1 hashes, in many cases after being truncated to 10 characters and lowercased, which made them trivial to crack. While the data came from a legacy platform built before Myspace strengthened its security, the breach represented a significant risk for anyone reusing the same email or user name and password combination elsewhere.
While the hack occurred in 2013, news of the incident didn’t emerge until May 2016. Myspace invalidated the passwords of affected users, requiring them to create new ones, and implemented automated tools to identify and block suspicious activity.
5. Court Ventures Breach, 2012: 200 Million Records Stolen
Court Ventures, a data aggregator acquired by Experian in March 2012, resold access to a database of roughly 200 million personal records that ultimately ended up in the hands of an identity theft operation. Word of the breach broke in October 2013, though the fraudulent purchasing reportedly began before Experian’s acquisition and continued afterwards.
The fraudster gained access to U.S. Info Search data through Court Ventures, obtaining sensitive details such as full names, Social Security numbers, and birthdates, by posing as a U.S.-based private investigator. Experian was made aware of the sales activity, which was still ongoing at the time of the acquisition, by the U.S. Secret Service.
Once made aware of the issue, Experian ceased all related data reselling and worked with law enforcement to capture the perpetrator, Hieu Minh Ngo, a Vietnamese national who ultimately pleaded guilty and was sentenced to 13 years in U.S. prison. Since the data wasn’t originally Experian’s and there was no straightforward way to determine who had been affected, no further action was taken on behalf of harmed individuals.
The Biggest Data Breaches, by Total Cost
1. Epsilon Breach, 2011: $4 Billion
In 2011, Epsilon, an email marketing services company, suffered what is often cited as the costliest data breach on record. Industry projections put the total as high as $4 billion once forensic work, monitoring, litigation, and lost business across the affected client companies were included.
Attackers stole customer names and email addresses from roughly 2% of Epsilon’s approximately 2,500 clients (around 50 to 75 companies, depending on the count), including giants like JPMorgan Chase, Best Buy, and Target. That percentage sounds minute, but each client’s mailing list held millions of addresses, so tens of millions of consumers were ultimately exposed, chiefly to targeted phishing that could credibly impersonate the brands they did business with.
After becoming aware of the breach, Epsilon posted a notice on its website acknowledging an “unauthorized entry” into its email system. As clients were informed, they in turn contacted their customers to warn that their names and email addresses may have been stolen.
2. Equifax Breach, 2017: $2 Billion
In September 2017, Equifax announced a data breach that ultimately impacted 147 million Americans. The attackers entered in mid-May 2017 through an unpatched Apache Struts vulnerability (CVE-2017-5638) in a consumer dispute web portal, two months after the fix had been published, and weren’t detected until late July. It quickly became one of the largest and most expensive data breaches in history.
Attackers obtained names, Social Security numbers, birth dates, addresses, and in some cases driver’s license numbers, along with around 209,000 payment card numbers. That put millions at risk of identity theft, a situation that drew particular ire because consumers never chose to have a credit bureau hold their data and have no way to opt out.
Equifax responded in a number of ways: free credit monitoring and identity theft protection, free credit freezes (which a 2018 federal law subsequently made standard at all bureaus), and more frequent access to credit reports to watch for fraudulent activity. In 2019, Equifax agreed to a settlement of up to $700 million with the FTC, the CFPB and state attorneys general, though that only scratches the surface of the total costs. By 2020, Equifax’s cumulative breach-related costs approached $2 billion, and the total may still grow.
3. U.S. Office of Personnel Management, 2015: $500+ Million
In 2015, the U.S. Office of Personnel Management (OPM) didn’t just experience one data breach; there were two. In the larger incident, sensitive data on 21.5 million individuals was stolen when background investigation records were accessed by an unauthorized party. Along with 19.7 million people who had applied for background checks, another 1.8 million non-applicants were affected through association with an applicant, such as a spouse or co-habitant.
Within that breach, sensitive personal information was compromised, including names, addresses, and Social Security numbers. In approximately 5.6 million applications, there was also fingerprint data. In some cases, applicant login credentials were also compromised.
Earlier in the year, 4.2 million personnel records were stolen. These contained personally identifiable information, including names, birth dates, addresses, and Social Security numbers.
Investigators later determined that the attackers had used credentials belonging to a background-investigation contractor (KeyPoint Government Solutions) to get in, and that OPM’s networks lacked multi-factor authentication at the time. Once the breaches were discovered, OPM offered identity theft insurance and credit monitoring to those affected. The full cost of the incidents isn’t known, though estimates put it in the $500 million to $1 billion range.
4. Veterans Affairs Breach, 2006: $500 Million
A somewhat unusual, but nonetheless costly, incident occurred in 2006. A Department of Veterans Affairs data analyst took a laptop and external hard drive containing unencrypted internal data home; both were stolen in a burglary, an incident disclosed in May of that year.
On the hard drive was sensitive personal information on approximately 26.5 million veterans, some active-duty personnel, and spouses. Along with names, birth dates, and Social Security numbers, some records also contained disability ratings.
While this was technically a data breach, the data itself likely wasn’t the target. The laptop and drive were recovered in late June, and the FBI’s forensic examination found no sign that the data had been accessed, though that could never be proven conclusively.
In 2009, a $20 million class-action settlement was announced. However, the total cost estimate in 2006 was much higher, with the VA projecting up to $500 million to notify veterans, provide credit monitoring, and cover any losses relating to the stolen data.
5. Target Breach, 2013: $300 Million
In November 2013, hackers accessed Target’s network using credentials stolen from an HVAC service provider, then installed memory-scraping malware on point-of-sale terminals that captured card data as it was swiped. Approximately 40 million card accounts were exposed between November 27 and December 15, creating opportunities for fraudulent charges, and personal information (names, addresses, phone numbers, and email addresses) on a further 70 million customers was also taken.
Reportedly, Eastern European and Russian hackers were to blame. Attribution was initially difficult because the stolen card data was exfiltrated to several drop servers, many of them themselves compromised machines whose owners had no idea they were being used as staging points; two examples reported at the time were a hacked server in Miami and another in Brazil.
Through a multi-state settlement in mid-2017, Target agreed to pay $18.5 million. However, that’s only part of the total cost. A consumer class action settled for $10 million, and there were separate settlements with Visa (up to $67 million) and Mastercard ($39 million), as well as with banks and credit unions. Add legal fees and other expenses, and Target’s financial reports put cumulative breach-related costs at around $292 million, roughly $200 million net of insurance recoveries.
For more info, check out our guide to the biggest data breaches of 2022. Or try our catalogue of the most recent data breaches.