A Brief History of Data Breaches


Data breaches now make regular news headlines. It wasn’t always so. Looking back, you could divide data breach history into three somewhat distinct periods: The Primordial Years, the Big Boom, and the Golden Age. That’s what we’ll call them, anyway.

What is a data breach?

You’re living in the Golden Age—and that’s not good. It means that at least some of your personal information may have been exposed in at least one breach and, possibly, more. Exposure of your personal information can lead to identity theft. And that’s why data breaches should concern you, particularly if you’ve shared your information with a business, and that business then suffers a data breach.

If your identity is exposed on a dark web website as a result of a data leak, you have good reason to be angry. The problem is, there’s generally no good place to direct that anger. With so many breaches, it’s unlikely you could pinpoint one specific breach as the root cause.

When did data breaches start?

When did data breaches become a thing? The truth is, information doesn’t have to be digitized to be breached, but digital files certainly made breaches a lot more efficient. Before then, a thief would have to make off with paper documents—a briefcase-full at a time, perhaps. But once government and businesses moved from the Primordial Years of paper records to digital—boom!—things changed.

We’ll say the Big Boom age started in 2005. That’s the year with which the Privacy Rights Clearinghouse begins its chronology of data breaches. And it’s a significant year in other ways.

What was the first data breach?

2005 is the year of the first data breach to compromise more than 1 million records (DSW Shoe Warehouse; March 2005; 1.4 million credit card numbers and names on those accounts). It was also the year of the first data breach affecting a college (George Mason University; January 2005; names, pictures and Social Security numbers of 32,000 students and staff). The “boom” got louder in June 2005 when hackers exposed some 40 million credit card accounts from payment card processor CardSystems Solutions.  

So, in putting together our list of data breaches below, we went back as far as 2005. Our list won’t be exhaustive, as there are now hundreds of breaches every year. It is the Golden Age, after all. In our list, we focus on U.S. breaches that—due to number and type of records exposed—have had noteworthy impact.

Are data breaches getting bigger?

Not surprisingly, most of the largest breaches have happened more recently than 2005—as hackers became more sophisticated, businesses put more data on servers or the cloud, and criminals better recognized the value of the data. After a bit of research, we’ve come up with this list of 10 very noteworthy data breaches. We don’t claim it to be a perfect list, but we think it makes sense.

Will our list change over time? You can bet on it.

10 Very Noteworthy Data Breaches

  1. Yahoo, 2013
    Exposure: 3 billion user accounts
    Significance: The sheer number of accounts affected makes this, by far, the largest breach to date. The kind of information that can be exposed in user email accounts—for example, old healthcare or financial statements—adds to this breach’s noteworthiness.
  2. Equifax, 2017
    Exposure: 145.5 million accounts
    Significance: The data breach at one of the three major U.S. credit reporting agencies exposed names, Social Security numbers, dates of birth, addresses, and, in some cases, driver’s license numbers of American consumers.
  3. Anthem, 2015
    Exposure: 78.8 million customers
    Significance: The breach exposed names, addresses, Social Security numbers, and even employment information of current and former customers.
  4. U.S. Office of Personnel Management, 2015
    Exposure: 21.5 million current, former, and prospective federal employees’ personal information
    Significance: Sensitive information—including Social Security numbers and, in some cases, fingerprints—was exposed in the second of two OPM breaches in 2015. The first breach exposed the personal information of another 4.2 million individuals.
  5. Friend Finder Networks, 2016
    Exposure: 412 million accounts, including email addresses and passwords
    Significance: Noteworthy not only because of the sheer number of accounts affected, but also due to the adult nature of the affected dating and pornography sites.
  6. Heartland Payment Systems, 2009
    Exposure: 130 million credit cards
    Significance: Heartland was processing tens of millions of payment card transactions every month at the time of the breach. Intruders planted malicious software to steal card data.
  7. Target Stores, 2013
    Exposure: 110 million people’s payment card info and/or contact info
    Significance: Target initially confirmed that debit and credit card information for about 40 million customers had been stolen. Weeks later, the company said email and mailing addresses for another 70 million people had also been exposed.
  8. TJX Companies Inc., 2005
    Exposure: 94 million credit cards
    Significance: TJX said that more than 45 million customer payment card numbers were stolen, but court filings by banks suing the retailer claimed the number was closer to 94 million. The brand’s stores affected include T.J. Maxx and Marshalls.
  9. JP Morgan Chase, 2014
    Exposure: 76 million households; 7 million small businesses
    Significance: Exposed customer names, addresses, phone numbers, and email addresses, but the bank said there was no evidence customer financial information was stolen.
  10. eBay, 2014
    Exposure: Unknown
    Significance: At the time of the breach, eBay said it wasn’t sure how many accounts were compromised, but it asked all 145 million active users to change their passwords. Data exposed included names, addresses, phone numbers, dates of birth, email addresses, and encrypted passwords.

Honorable mention

Myspace, 2016

Exposure: 360 million Myspace accounts
Significance: 360 million is a big number, for sure. But Myspace invalidated the passwords of affected accounts, so the biggest risk is for those account holders who used the same login credentials on other accounts—something that identity thieves often check. 

Editor’s note: Our articles provide educational information. LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about.
