A list of the biggest data leaks

News of data breaches exposing the personal information of customers at big companies such as Facebook, Under Armour and Equifax seems like a monthly occurrence nowadays – because it virtually is.

Last month, Marriott International was the latest big corporate victim to disclose a massive breach.

The hotel brand said the guest reservation database at its Starwood Hotel brand was exposed and it could affect at least 500 million guests.

However, over the last two years, there has been a massive data breach involving big outlets almost every single month.

Here are some of the biggest data breaches over the last two years. 

November 2018

Marriott

November 30—Marriott International disclosed a data breach involving its guest reservation database at its Starwood Hotel brand that could affect at least 500 million guests. However, so far, it only found that the personal information of at least 327 million guests, including names, mailing addresses, phone numbers, email addresses, passport numbers, and birthdays, may have been accessed by an unauthorized party, the company said in a news release.

September 2018

Facebook

September 28—In yet another privacy issue for the social media giant, Facebook announced that about 90 million user accounts have been compromised by hackers. The security breach occurred due to a coding weakness in Facebook’s “View As” feature. Users can click “View As” to see what their profile looks like to the public or other users of the social network.

July 2018

Macy’s

July 10—The retailer announced that a third party accessed their accounts between April 26 and June 12 of the year, gaining access to names, phone numbers, email addresses and credit and debit card numbers of shoppers.

June 2018

Sacramento Bee

June 7—The newspaper disclosed on June 7 that in February an anonymous attacker seized two databases owned and operated by The Sacramento Bee, exposing 19.4 million records. One of those assets, however, contained California voter registration data provided by California’s secretary of state, while the other stored contact information for subscribers to the newspaper.

The Sacramento Bee said the hack exposed 53,000 subscribers’ information along with the personal data of 19.4 million California voters.

Ticketfly

June 7—The social ticketing platform disclosed that it suffered an attack in May that exposed more than 27 million records of users’ information, including names, addresses, email addresses and phone numbers.

MyHeritage

June 4—The genealogy platform was notified by a security researcher that they had found a file labeled “myheritage” on a private server outside the company. Officials at MyHeritage later determined that the asset contained the email addresses of all users who had signed up with them prior to Oct. 27, 2017. Over 92 million records were breached.

April 2018

Delta

April 4—The airline released a statement alerting customers that hackers may have accessed names, addresses and credit card numbers from “several hundred thousands” of its users through an online support service from Sept. 26 to Oct. 12, 2017.

“At this point, even though only a small subset of our customers would have been exposed, we cannot say definitively whether any of our customers’ information was actually accessed or subsequently compromised,” Delta said. The company, however, added that other information, such as passports, government IDs, security and SkyMiles data, was not accessed.

Sears Holdings

April 4—The Sears and Kmart owner released a similar statement to Delta, saying the same online support service may have exposed information of its customers as well.

“We believe this incident involved unauthorized access to less than 100,000 of our customers’ credit card information,” Sears said. “As soon as [24]7.ai informed us in mid-March 2018, we immediately notified the credit card companies to prevent potential fraud, and launched a thorough investigation with federal law enforcement authorities, our banking partners, and IT security firms.”

Panera Bread

April 2—The website of bakery-cafe chain Panera Bread leaked customer records for at least eight months, according to cybersecurity blog KrebsOnSecurity. A blog post said the data leak included names, email and postal addresses and the last four digits of credit card numbers of millions of customers who order food online. Panera, however, said the issue has been resolved and “there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

Saks, Lord & Taylor

April 1—Hudson’s Bay Company, which owns Saks and Lord & Taylor stores, confirmed that hackers stole the credit and debit card information of more than 5 million shoppers. The company said in a press release that it has “identified the issue and has taken steps to contain it.”

It added: “Once the Company has more clarity around the facts, it will notify customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

March 2018

Under Armour

March 29 — Under Armour announced its health and fitness app, MyFitnessPal, suffered a data security breach that exposed the personal data of roughly 150 million users. The company said the breach occurred in February, exposing usernames, hashed passwords and email addresses related to user accounts.

Facebook

March 17 and March 18 — Both The New York Times and Observer broke the news that 50 million profiles of Facebook users were “harvested” without their consent by a consulting firm, Cambridge Analytica, that was hired by Donald Trump’s 2016 campaign. Days later, Facebook CEO and co-founder Mark Zuckerberg admitted to the leak and said that the company failed its users.

December 2017

eBay

Dec. 10 — eBay announced that due to a customer privacy leak, the personal information of many eBay customers, including usernames, first and last names, and purchase history, was made available via Google’s Shopping platform. The company said the breach was due to “an improper feed signal” between the two companies and the purchase histories that were leaked “revealed very sensitive products, such as HIV home test kits, pregnancy test, and drug testing kits.” However, within a couple of days, the users’ real names were masked with dashes.

Alteryx

Dec. 19 — Forbes first reported the news that California-based data analytics firm Alteryx was found culpable of not protecting the personal information of more than 120 million American households and openly harvested it on an Amazon Web Services cloud storage bucket. According to the report, the company had purchased the data from Experian, a giant credit reporting agency similar to Equifax. After the news broke, the company said it took action and secured the database from public view.

November 2017

Uber

Nov. 21 — Ride-sharing service Uber revealed that in late 2016 it became aware of a data breach that could potentially expose the personal information of more than 57 million Uber users and drivers but admitted that it chose to keep the leak a secret and pay the hackers off instead. The company said the hackers did not gain access to its internal systems, but rather got access to GitHub, a service that Uber’s engineers use to collaborate on software code.

Forever 21

Nov. 14 — LA-based retailer Forever 21 announced that some of its customers may have been affected by a data breach. After launching an investigation, it found certain point-of-sale devices were compromised — likely between March and October of 2017. The company said it encourages customers to keep an eye on their payment accounts and look for fraudulent charges.

September 2017

Whole Foods Market

Sept. 28 — Whole Foods Market — which at the time had just recently been acquired by Amazon — announced that it discovered a breach in its payment systems but individuals who shopped in the company’s grocery stores were likely not affected. The company said it believes the unauthorized access occurred in Whole Foods Market locations with taprooms and full table-service restaurants.

Sonic

Sept. 26 — KrebsOnSecurity reported that it found a breach at fast-food chain Sonic after discovering a “fire sale” of millions of stolen credit and debit card numbers on the internet. Sonic said it later learned of the breach when its credit card processor notified it of unusual activity on customer payment cards.

Equifax

Sept. 7 — Credit reporting firm Equifax suffered one of the worst security breaches in history when it announced that sensitive data, including Social Security numbers and driver’s license numbers, of more than 147 million consumers was exposed to hackers from mid-May to July. The company is still reeling from the after-effects of the breach, and many high-ranking executives have since left. State and federal investigations into the matter have been launched, and numerous class-action lawsuits have been filed against the company.