The 8 Biggest Data Breaches of All Time



With the introduction of the new General Data Protection Regulation (GDPR) laws from the European Union on 25th May 2018, companies across the region and beyond are carefully studying their current working practices and tightening data security. This new legislation includes enormous fines and possible jail time for businesses and individuals who are complicit in the leaking of personal data. In fact, this new regulation allows governments to demand penalties of up to €20 million (US$24 million), or 4% of the offending company’s yearly global income, whichever is higher.


In anticipation of these changes, this week Global Mobility Insider takes a look back over the eight largest data breaches of all time, to see what happened and estimate what the maximum financial penalty would have been under the GDPR. It’s difficult to tell if any of these leaks would have resulted in fines without knowing the exact circumstances of each breach, but lessons should be learnt about private data security and the importance of using strong encryption techniques. Even if hackers breach your system, it’s important to do your due diligence when it comes to protecting your customers' information, even within your own business.


1 – Yahoo (2013/2014) – 3 billion records

In September 2016, Yahoo, the internet behemoth of the early 2000s and now a shadow of its former self, was in negotiations to sell itself to Verizon. During this time, it announced that it had fallen victim to the largest data breach in history, with the real names, email addresses, telephone numbers, and dates of birth of around 500 million users stolen. Then, in December 2016, the company revealed that it had also been subject to a separate hack in 2013 by a different group, which had compromised at least 1 billion accounts. To make matters worse, the 2013 hack also gained access to customers' security questions and answers, potentially causing extreme and far-reaching problems for all of these individuals.


Estimated maximum GDPR financial penalty: US$206.8 million


2 – River City Media (2016) – 1.37 billion records

Everyone knows that the illegal spambot operators out there must have massive databases to be sending out the vast quantity of emails they do every day, but what happens when the spammers get hacked? Unfortunately, as the business is illegal, there is no incentive for the company to release the details so those on the lists can protect themselves. This is what happened when notorious spam centre River City Media was hacked in 2016. The leaked database contained 1.37 billion email addresses, with names, real-life addresses and IP addresses linked to many of these.


Estimated maximum GDPR financial penalty: Unknown – Illegal operation


3 – FriendFinder Networks (2016) – 412 million records

The parent company of a variety of ‘adult’ websites, FriendFinder Networks, was the victim of a huge hack in 2016 which resulted in the leaking of usernames, email addresses and passwords for 412 million accounts across a variety of sites from the past 20 years of operation. The database included 300 million accounts for AdultFriendFinder, the ‘World’s largest sex and swinger community’, 62 million accounts on a live webcam ‘sex chat’ site, and more than 7 million accounts on another, among others. Although the passwords were said to be encrypted, they were in fact protected only by a weak hashing algorithm, and 99% of them were cracked easily. Take this as your daily reminder to make all your passwords different!


Estimated maximum GDPR financial penalty: US$24 million
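The FriendFinder entry above turns on how the passwords were stored. The following is an added example, not code from the original article or from any company it names, using constructed sample accounts: it contrasts a fast, unsalted digest (the kind of storage that lets a leaked table be cracked in bulk, and that exposes which accounts share a password) with a salted, slow key derivation from the Python standard library. The iteration count is an assumption chosen for this illustration.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Constructed sample accounts (not real data). Two users share a password,
# which is exactly the situation the article's "use different passwords" advice targets.
SAMPLE_ACCOUNTS = {
    "alice": "Summer2016!",
    "bob": "Summer2016!",
    "carol": "correct horse battery staple",
}

# Assumption: a work factor for PBKDF2-HMAC-SHA256 chosen for this example.
PBKDF2_ITERATIONS = 210_000


def weak_hash(password: str) -> str:
    """Fast, unsalted digest: identical passwords give identical stored values."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow KDF. Stored as 'iterations$salt_hex$digest_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_store(accounts: Dict[str, str], hasher) -> Dict[str, str]:
    """Hash every account's password with the given scheme."""
    return {user: hasher(pw) for user, pw in accounts.items()}


def shared_value_count(store: Dict[str, str]) -> int:
    """Stored values that appear under more than one account. Any value above zero
    means whoever holds the table can see password reuse without cracking anything."""
    return sum(1 for n in Counter(store.values()).values() if n > 1)
```

With the sample accounts, the unsalted store exposes one shared value (alice and bob), while the salted store exposes none and still verifies each user's real password.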


4 – eBay (2014) – 145 million records

In 2014 hackers managed to compromise the login details of three members of eBay staff, which gave them access to the entire network, including all customer details, for a total of 229 days. This amount of time allowed them to scrape any information they desired, which ultimately included full customer names, passwords, email addresses, physical addresses, phone numbers and dates of birth. The company was widely criticised for its inadequate security and for its slow communication to users once their details had been compromised.


Estimated maximum GDPR financial penalty: US$716 million


5 – Equifax (2017) – 143 million records

The most recent hack on our list, the breach at Equifax in early to mid 2017, released extremely sensitive information on 143 million people. In its role as a consumer credit reporting agency, Equifax collects and aggregates information on over 800 million individuals and 88 million businesses across the globe. As such, many do not even know that the company holds their information. Although the breach did not reach all of the information held by Equifax, the hackers stole social security numbers, birth dates, addresses, driver’s licence numbers, and in some cases credit card information and other personally identifying information for those affected. The majority of the customers whose information was compromised were from the US, although a small number of UK and Canadian residents were also at risk.


Estimated maximum GDPR financial penalty: US$126 million


6 – Heartland Payment Systems (2008) – 134 million records

At the time, this was the biggest data breach ever recorded; Heartland Payment Systems was processing over 100 million card transactions a month for 175,000 retailers. Remarkably, the company didn’t realise the hack had taken place until January 2009, when Visa and MasterCard began finding unusual transactions on accounts that had previously been used with the service. The attackers got in through SQL injection, a technique that was already ten years old at the time, and used that foothold to install spyware on the business’s data systems.


Estimated maximum GDPR financial penalty: US$62 million


7 – Target Stores (2013) – 110 million records

Over the 2013 Thanksgiving weekend, hackers managed to gain access to Target Stores’ point-of-sale payment card readers through a third-party vendor. This breach allowed them to collect around 40 million credit and debit card numbers across the network of shops. The following January, however, it was revealed that not only had the card information been compromised, but the personally identifiable information of around 110 million customers had also been accessed and stolen, including full names, addresses, email addresses and telephone numbers. The CIO of Target resigned in the wake of the scandal, and the breach is thought to have cost the company around US$162 million.


Estimated maximum GDPR financial penalty: US$2.9 billion


8 – TJX Companies Inc. (2006) – 94 million records

While working as a paid informant for the US Secret Service, Albert Gonzalez and his team hacked TJX Companies, a global chain of retail stores operating a variety of brands. By hacking in-store kiosks which had been set up to allow customers to apply for jobs at the chain, the group were able to access the credit card details of 94 million customers, mainly from the United States. Banks had to reissue many thousands of credit cards, and the hack was estimated to have cost banks and insurers around US$200 million.


Estimated maximum GDPR financial penalty: US$570 million

