The 10 worst data breaches of all time

January 28, 2016 Risk & Fraud
Jeremy Milk
By Jeremy Milk, Head of Marketing
Jeremy Milk
By Jeremy Milk, Head of Marketing

One of the things we talk a lot about on this blog is payments fraud — what it is, how it works, and how we protect our platform partners from it.

But did you ever wonder how all those credit cards get stolen in the first place?

It used to be that credit fraud was a manual process, labor-intensive and somewhat personal. It was a waiter surreptitiously copying your card info when you paid so they could go on a shopping spree later, or phone caller claiming to be from your bank that somehow didn’t know your account number. If your card got stolen, chances were good you could pinpoint when and where it happened, looking back on it.

The Internet changed all that. Nowadays much of this info is lost due to security breaches at the companies you trust with your data, often inadvertently. This kind of theft is an entirely different beast than what came before. Not only can tens of millions of personal records be lost all at once, but it sometimes takes weeks or months before the breach is discovered, making the problem hard to contain.

Just how bad can a data breach get? It’s instructive to look at the largest breaches in history to get an idea of the scale of this problem.

So here’s a roundup of the largest data breaches in history, ranked by the number of personal records that were stolen. To be clear, not all of these resulted in bank data being lost. Yet because things like email addresses and passwords can be used for account takeover attacks where credit information is stored, each one of these breaches likely contributed to credit fraud.

No. 10 Cardsystems Inc.

Number of records: 40 million

Year: 2005

Fallout: Cardsystems lost its processor licenses with Visa and AmEx.

Details: Cardsystems solutions was a credit card processor. In 2005, it was discovered that it had lost more than 40 million credit cards to hackers who took advantage of its weak network security. Cardsystems, it turned out, was not in compliance with the card network security standards it had agreed to uphold with Visa and Mastercard, having failed to even adopt anti-virus software. To make matters worse, the card data it lost was data it shouldn’t have had stored anyway — it was contractually obligated to delete it once the transaction was processed, but was storing it in an unencrypted format on its servers instead. As a result of the breach, it lost its ability to process using Visa and Mastercard and was purchased by another processor in a fire sale the same year.

No. 9 Home Depot

Number of records: 56 million

Year: 2013

Fallout: Cost the company about $80 million in losses, U.S. credit unions more than $60 million in additional credit fraud.

Details: Hackers infected Home Depot POS systems with a variant of the same malware that had been used to compromise Target earlier in the same year. This allowed the hackers to copy data from credit cards that were run in store over a period of several months.


No. 8 JP Morgan Chase

Number of Records:76 million

Year: 2014

Fallout: The attackers used sensitive information to perpetrate fraud and stock manipulation schemes that netted them more than $100 million.

Details: Hackers managed to gain access to the bank’s systems by compromising the website for the JPMorgan Chase Corporate Challenge, an annual charitable race it sponsors in major cities. This allowed them to capture the login information for Chase employees, and then enter the bank’s network, thanks to a single server which had not been upgraded to the more secure dual password scheme used by most of the bank’s systems. Four men were arrested as a result of this scheme in 2015.


No. 7 Anthem

Number of Records: 69 million to 80 million

Year: 2015

Fallout: More than $100 million in losses for Anthem.

Details: This hack raised major concerns about data security in the medical industry when it was discovered that much of the sensitive data that was stolen was unencrypted, making it easy for the thieves to use. Although this was very sensitive data — including social security numbers and employment info — it wasn’t considered “medical data” and thus wasn’t subject to the same tough standards that the industry is normally legally bound to abide by.

No. 6 TJX

Number of Records: 94 million

Year: 2006

Fallout: More than $250 million in costs to TJX in the year following the breach

Details: TJX — the company that operates TJ Maxx, Marshall’s and Bob’s Stores — suffered what was at the time the largest data breach in history in 2006. Hackers were able to get into the retail giant’s systems through poorly protected wireless networks in two stores in Miami. From there, they broke into TJX’s payments system, where they were able to harvest personal data including bank card details over a period of about 18 months before being caught.

No. 5 Sony PSN

Number of Records: 102 million

Year: 2011

Fallout: Led to a 23 day outage of Sony’s PSN service, Sony paid $15 million to settle a class action lawsuit as a result of the breach

Details: In 2011, hackers were able to compromise the Playstation Network (PSN), a digital distribution and streaming platform for the company’s popular Playstation gaming console. This led to an outage lasting several weeks as Sony tried to contain the damage caused by the hack. Although the company initially insisted that no personal data was lost, it was later revealed that more than 102 million records were exposed, including 12 million credit card numbers.

No. 4 Target

Number of records: 110 million

Year: 2013

Fallout: More than $252 million in losses to Target according to public filings, including a $10 million class action settlement and $106 million in reimbursements to financial institutions for losses sustained due to the breach. Banks spent $350 million reissuing cards as a result, according to trade groups.

Details:  Hackers used login credentials stolen from an HVAC vendor that worked with Target to access its computer systems, which it then used that access to push a firmware update to Target’s POS terminals that allowed it to harvest nearly every card swiped over a period of several months. The same thieves also stole email addresses and other data.

No. 3 Heartland Payment Systems

Number of Records: 130 million

Year: 2008

Fallout: More than $100 million in reimbursements to Visa and Mastercard

Details: Heartland Payments systems, a large credit card processor, was targeted by the same hacking group responsible for the TJX breach, resulting in an even bigger trove of credit card data being stolen. The criminals, a part of a ring that spanned four countries, were subsequently caught and convicted. The ringleader, Albert Gonzales, was sentenced to 20 years after pleading guilty, but subsequently withdrew his plea, claiming he was working as an informant to the Secret Service at the time of the attack.

No. 2 eBay

Number of Records: 145 million

Year: 2014

Fallout: Prompted investigations of eBay in the US and UK.

Details: This breach didn’t expose any financial information, according to eBay, which makes it less serious than some of the others on the list. But the sheer size is noteworthy — hackers got access to data about 145 million active users and prompted a password reset for everyone who’s ever used the site.

No. 1 Court Ventures

Number of Records: 200 million

Year: 2013

Fallout: Personal records sold as a result of this breach led to $65 million in fraudulent income tax returns, according to the Justice Department.

Details: The Court Ventures breach is an interesting case, because it doesn’t solely involve traditional hacking activity like phishing and database penetration. In this instance, Vietnamese criminal named Hieu Minh Ngo was able to get access to sensitive information from a data broker called Court Ventures by posing as a U.S.-based private investigator. He then turned around and sold the information to identity thieves who used it to do things like file phony tax returns or open credit cards in the victims’ names. Ngo was sentenced to 13 years in prison after he was arrested in 2013.

About the author

Jeremy Milk

Jeremy Milk, Head of Marketing

Jeremy is WePay's head of marketing. Earlier, he held marketing and product leadership roles for Intuit QuickBooks, where he got hooked on fintech, and The Clorox Company. He's also a die-hard UNC basketball fan.

More blog posts by Jeremy Milk