An overview of the most scandalous data breaches in the world

The countless data breach occurrences reflect the fact that sensitive and confidential data is constantly at risk. Despite laws and regulations constraining organizations to admit to data breaches, the United States (U.S.) generates a strong perception of being particularly vulnerable to data breaches. Other countries such as the United Kingdom (U.K.) have not been spared either, despite the numerous laws and security levels imposed. Across the world, legislation aimed at curbing data breaches exists in many countries. However, history has taught us that fraudsters do end up circumventing even the most rigid security levels.

25 most notorious data breaches in the world

A data breach is not necessarily significant because of its scope. At times, the most impactful ones are measured by the nature of the attack and the level of sensitivity of the data that is compromised. Here are the 25 most compelling ones.

Pizza Hut

Pizza Hut publicly revealed in October that personal data of customers was jeopardized, compromising information like delivery addresses, email addresses, and payment card information with account numbers, expiration dates as well as CVV numbers. Although the pizza chain did not disclose the number of victims, and contacted them two weeks after discovering the breach, Slashdot hinted at a figure of 60,000 US customers.

Yahoo (redux, 2017, 2014, 2013)

It was only in 2016 that Yahoo disclosed to its 3 billion email users that their personal data was likely compromised in 2013. The breach was initially thought to have affected 500 million users. The company revealed that the hacker gained access by using forged cookies.

Deloitte (2017)

Deloitte, one of the biggest accountancy firms in the world, was revealed in September to have been the victim of a cyber attack which had apparently been under way for months before being discovered. The fraudsters compromised the company’s global email server via an administrator’s account. They thus gained information about blue-chip clients, such as private plans and documents.

Equifax (2017)

The global information solutions company Equifax faced a major cybersecurity incident at the beginning of the year, in which 143 million U.S. consumers were affected. It is believed that the hackers got access to the Social Security numbers, birth dates, and addresses of almost half the U.S. population. Just before disclosing the breach, Equifax executives sold their shares.

CEX (2017)

The large British retail franchise CEX revealed that a data breach could have jeopardized the personal data of about 2 million customers, despite robust security. Since then, additional layers of security have been implemented.

‘Onliner’ spambot (2017)

A Parisian security researcher disclosed an open web server containing 711 million usernames and passwords. The server was hosted in the Netherlands. Even if the number of ‘real’ emails is believed to be far lower than this figure, the number of potentially jeopardized accounts is titanic.

Bupa (2017)

About 500,000 customers on Bupa’s international health insurance plan were affected by a data breach in July 2017. It is believed that the fault is that of an employee who inappropriately copied and removed certain information. The British healthcare group, however, highlighted that no medical information was compromised. The employee was dismissed and appropriate legal action was initiated.

Zomato (2017)

The Indian firm Zomato, which provides users with an online guide to restaurants, clubs, and cafes, disclosed that data had been stolen “recently” from 17 million users. The company stressed that those logging in using Facebook or Google (approximately 60% of Zomato customers) were safe.

‘Eddie’ disclosed 560 million stolen passwords (2017)

Kromtech Security Research Center’s security researchers uncovered a gigantic database of 560 million login credentials, mostly drawn from popular online services like LinkedIn and Dropbox during previous data breaches. The author of the database was named ‘Eddie’ after a user profile was discovered in the data. He is still unknown.

Wonga (2017)

Wonga, a payday loan company, was hit by a large data breach that put at risk the bank account numbers and sort codes of 245,000 customers. The company also stated that full names, email addresses, home addresses, phone numbers as well as the last four digits of debit cards were exposed.

Three (2017)

The network operator revealed that its customer upgrade database had suffered a much more impactful breach than it previously thought. In November 2016, the company first uncovered the hack, which was carried out using an employee login. Out of its 9 million customers, the personal data of some 210,000 customers was jeopardized.

Sports Direct (2017)

The sportswear retailer first noticed that its systems were jeopardized in September 2016. It was in December that the data breach was uncovered, in which personal credentials of its entire workforce were stolen in an internal security breach. The fraudster gained access through an unsecured content management system running on the open source DNN platform. The company did not share details with the staff, though.

Tesco Bank (2016)

Tesco Bank was hit by a major security breach in 2016 after about 20,000 customers had their money stolen from their accounts. The consumer finance wing of the British supermarket giant agreed to cover the financial costs of the breach. Nonetheless, certain clients complained of not receiving any emergency funds from the bank which appeared to lose control of operational risk.

Sage (2016)

The FTSE-100 firm revealed that an internal breach was carried out and employee data of about 280 UK customers could be at risk. An internal login was used to access customer information.

Kiddicare (2016)

The online child products retailer had customer data exposed when testing a new website in 2015. Customers started receiving suspicious SMS messages prompting them to take an online survey. An investigation concluded that a breach had occurred, but the company tried to play down the fact that personal details of about 800,000 customers were in the possession of fraudsters.

TalkTalk (2015)

TalkTalk is one of those companies which suffered multiple data breaches in a year. In October 2015, the company had trouble confirming the number of affected customers out of its 4 million customers. The firm’s website apparently had a weakness which hackers did not fail to take advantage of.

Moonpig (2015)

A researcher unveiled a software flaw in the firm’s Android app that made the records of any Moonpig account holder accessible, putting about 3 million people at risk. Receiving an inadequate response from the firm, the researcher made the information public 18 months later.

Think W3 Limited (2014)

The online holiday firm Think W3 suffered a serious attack when a hacker managed to get hold of 1,163,996 credit and debit card records. The hacker used an SQL injection attack, taking advantage of a weakness on the firm’s website. In the wake of this attack, Think W3 also incurred a fine of £150,000 imposed by the Information Commissioner (ICO).

Mumsnet (2014)

The extremely popular website Mumsnet collapsed after hackers accessed up to 1.5 million user accounts, using the widespread Heartbleed SSL software flaw to their advantage. Even though the accounts did not contain a high degree of sensitive data, the breach nevertheless unveiled the potency of undiscovered software issues that can affect multiple sites and big brands.

Staffordshire University (2014)

Staffordshire University was in the limelight in 2014 when a computer was stolen from a car. The hackers got hold of information pertaining to 125,000 students and applicants of the university. The fact that the files were password-protected was not a big obstacle to the hackers, who gained access to information such as name, address and email data.

Morrison’s supermarket (2014)

The Morrison’s supermarket case is an example of an insider attack where privileged access can lead to abuse. The hacker, getting hold of details of the firm’s entire workforce database, published them all online. The investigation led to the arrest of an employee. It is expected that he or she will reveal further details on the incident once in court.

Sony PlayStation Network (2011)

Sony’s disastrous breach is known to be the largest in that year. Hackers stole customer records of 77 million people related to Sony’s PlayStation Network. They also made off with a small number of card numbers. The company’s systems crashed for 23 days as the breach crossed local frontiers. The ICO in Britain issued a fine of £250,000 for this breach, known as the first big data breach.

Brighton and Sussex University Hospitals NHS Trust (2010)

This was a flagrant case of carelessness. 232 de-commissioned drives were sold secondhand by a contractor who was responsible for deep cleaning and destroying them. Sensitive patient data of thousands of people was available on hard drives sold on eBay. The ICO imposed a fine of £325,000.


T-Mobile (2009)

In 2009, T-Mobile was the scene of a murky insider trade when sales staff started selling customer records to brokers. The latter used the information for marketing purposes. It remains unclear exactly how many records were involved in this case, but the number is believed to have ranged from half a million to millions. At that time, the ICO was adamant about not revealing the name of the firm, but when rival firms declared that they were not involved, the one name left was clear enough to pinpoint T-Mobile. In this case, the two employees were fined £73,000 by courts.

HM Revenue & Customs (2007)

The HM Revenue & Customs incident is regarded as one of the most infamous data breaches in the history of the U.K. Two CDs containing records of 25 million child benefit claimants, and of every child in the country, vanished. The mystery persists, as there has been no hint whatsoever as to whether the password-protected CDs fell into the hands of fraudsters or not. This incident highlighted the shortcomings of the system in place at that time, whereby poorly trained junior employees were given the responsibility of handling valuable data.

Nationwide Building Society (2006)

The Nationwide incident was triggered by the theft of an unencrypted laptop belonging to a company employee. Personal data of 11 million savers was suddenly put at risk. Poor disclosure in the U.K. kept information from outsiders, but the Financial Services Authority (FSA) subsequently fined Nationwide £980,000. This is the biggest fine ever imposed for data loss in the U.K. It was supposedly meant to act as a deterrent to other similar breaches but, apparently, it was not enough.
