Data breaches have become common, almost ubiquitous. When we went to compile a list of the worst data breaches of the last year, we found some bogglingly high numbers of people affected – it seems that being caught up in a data breach became a matter of when, not if, a long time ago.
It says something about this list that the top five are all in the multi-millions or billions of people affected. It’s become even more important to make sure that you have one of the best antivirus software suites set up on your PC (including a VPN of course), that you’re aware you can sign up for one of the best identity theft protection programs, and that you know how to protect yourself against phishing and how to use multi-factor authentication.
Below are the five worst data breaches we saw in 2024:
1. The Mother of all Data Breaches
It’s called the Mother of all Data Breaches for a reason – 2.6 billion records were exposed online, 12 terabytes of information in total, making it the biggest data leak ever.
The compiled data wasn’t new; it was mostly taken from past breaches. The companies with exposed data included MySpace, Twitter, LinkedIn, Evite, Adobe, Canva and MyFitnessPal, along with records from government organizations in countries including the U.S., Germany, Brazil and several others.
The stolen data could be used for identity theft, phishing attacks, unauthorized access to users’ accounts, or password reuse, which helps attackers gain credentials to multiple accounts. You can check if your data was leaked here.
2. National Public Data
An April data breach led to a proposed class action lawsuit when a background check company exposed the personal information of nearly 3 billion people.
A cybercriminal group called USDoD posted a database called “National Public Data” on a dark web forum for sale for $3.5 million, according to the complaint filed in the U.S. District Court for the Southern District of Florida.
The complaint states that personal data, including full names, former and complete addresses, Social Security numbers, information about relatives and more going back 30 years, was released.
The other big issue was that National Public Data acquired that data through scraping, a technique wherein companies collect data from web sites and sources online – meaning the people involved didn’t provide it to them willingly. The hacker was arrested in Brazil in October, while the lawsuit is still under dispute.
3. Ticketmaster
Everyone’s favorite ticket-selling punching bag took another round of blows in May when it was reported that it had suffered a breach of customer data for nearly 560 million users.
The ShinyHunters hacking group claimed to have stolen 1.3 terabytes of data, and offered it up for sale for $500,000 on a popular hacking forum. This exposed Ticketmaster customers’ personal and possibly financial information, including names, addresses, phone numbers, purchase history, and partial payment data.
4. AT&T
Nearly all of AT&T’s mobile subscribers were affected by a massive breach of customer data in which the call and text records of 109 million customers were stolen in April of this year.
The breach, which affected Cricket, Boost Mobile and Consumer Cellular customers as well, included both mobile and landline telephone numbers, the number of calls and text messages sent over the network, aggregate call duration for a day or month, and a subset of records containing cell site identification numbers.
AT&T was one of several businesses affected by a breach of the Snowflake cloud platform, caused by credentials stolen by info-stealing malware. Snowflake then made multi-factor authentication mandatory for all customers going forward to prevent further data breaches. You can check your myAT&T account here to see if it was part of the breach.
5. UnitedHealth care
Another attack to affect over 100 million people – or to put it in other terms, a third of the population of the entire United States – was the UnitedHealth ransomware attack, which was the largest healthcare data breach in the country.
In February, the ransomware hacking group ALPHV, or “BlackCat”, caused months of outages and disruptions during a cyberattack against UnitedHealth subsidiary Change Healthcare, a payment processing company. This led to the theft of data from over 100 million people, including billing, claims, payments, medical diagnoses, test results, medical record numbers, health insurance details, Social Security numbers, and driver’s license or state ID numbers.
Again, the attack appears to have been caused by stolen login credentials that were used to breach a remote access service; the company’s Citrix profile did not have multi-factor authentication turned on, though the company has said it has since been deployed.