History of Major Data Breaches in The U.S. (Updated May 2019)

To sustain this free service, we receive affiliate commissions via some of our links. This doesn’t affect rankings. Our review process.

Person's hand with credit card: The Latest Data Breach NewsUnfortunately, the news is consistently full of headlines about security and data breaches. Major retailers, credit card companies and other organizations have all fallen victim to hackers, putting millions of consumers at risk.

Trying to keep up with all the latest security breach news and which companies have been affected can be overwhelming. We’ve put together this comprehensive guide to help you stay on top of what’s happening with the latest security breaches.

Recent Security Breaches

These recent credit card and data breaches are listed in chronological order, but feel free to skip to the company by clicking the link below or view them all in an infographic:

2019: Facebook|FEMA | Earl Enterprises
2018: Quora
|Marriott |HSBC |Facebook | Macy’s Adidas |Chili’s|Panera Bread| Saks and Lord & Taylor | MyFitnessPal
2017: Uber | Verizon | Equifax
2016: Democratic National Committee 
Yahoo
2015:
Scottrade | Experian | Ashley Madison | OPM | Anthem
2014: JPMorgan Chase |Home Depot
2013:
Neiman-Marcus | Target | Adobe

2019 Security Breaches

Earl Enterprises

When It Happened: Between May 2018 and March 2019.
Who It Affected: 100 locations of their restaurants including Buca di Beppo, Planet Hollywood, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria. Online orders were not impacted.
What Was Compromised: It’s reported that more than 2 million credit cards were compromised and being sold on the dark web.
Resolution: The company has since launched a website for customers to check if the location they visited was impacted.

FEMA

When It Happened: On March 22, 2019, the Federal Emergency Management Agency (FEMA) acknowledged that they improperly handled Personal Identifiable Information (PII) with an outside contractor who manages their Transitional Sheltering Assistance Program.
Who It Affected: 2.5 million natural disaster survivors.
What Was Compromised: 1.8 million victims’ banking information and personal addresses revealed and about 725,000 people had just their addresses shared.
Resolution: The Inspector General report told FEMA it needed to take measures to ensure data won’t be shared again with contractors and that the shared data is promptly destroyed.

Facebook

When It Happened: Already exposed 50 million accounts in 2018. Then, in March 2019, Facebook admitted yet another security incident.
Who It Affected: Estimated 200 to 600 million users.
What Was Compromised: Passwords (that Facebook improperly stored on its servers).
Resolution: Facebook notified affected users. We suggest all users update their password and add two-factor authentication to be safe.

2018 Security Breaches

Quora

When It Happened: The company announcement came on December 4, 2018. Quora discovered the breach on November 30, 2018.
Who It Affected: Approximately 100 million of its 300 million users.
What Was Compromised: Names, email addresses, encrypted passwords and public content (questions, answers and comments). No sensitive data (credit card, SSN) is collected on the site.
Resolution: Quora is alerting affected users to update their passwords, working rapidly to investigate the situation and taking appropriate steps to prevent future incidents.

Marriott / Starwood Guest Reservation Database

When It Happened: On or before September 10, 2018. Announcement did not happen until November 30, 2018.
Who It Affected: As many as 500 million guests from Marriott International hotel properties (Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Meridien, Tribute, Design Hotels, Elements and the Luxury Collection). Breached data may go back to 2014.
What Was Compromised: Names, addresses, dates of birth, passport numbers, email addresses, phone numbers, encrypted credit-cards.
Resolution: Marriott has a dedicated website and call center to deal with questions and has notified legal and regulatory authorities. The company is also attempting to reach out to affected customers and offer them one year of free web watcher service that monitors sites where hackers swap and sell stolen personal information.

HSBC

When It Happened: Between October 4-14, 2018.
Who It Affected: Fewer than 1% of the firms’ U.S. clients.
What Was Compromised: Full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.
Resolution: HSBC sent notifications to those who were compromised and offered them one year of free credit monitoring and identity theft protection.

Facebook

When It Happened: September 28, 2018, Facebook announced it learned of an attack on its computer network.
Who It Affected: First updated that 50 million of its users were impacted but later reduced the number to 30 million.
What Was Compromised: Hackers took over users accounts gaining access to their names, email addresses and phone numbers.
Resolution: Facebook fixed the vulnerability and notified law enforcement officials. They also logged 90 million users out of their accounts, forcing them to log back in, a solid safety measure for compromised accounts.

We also recommend that you are proactive and change your passwords (make sure they are secure!) for Facebook, Instagram and WhatsApp (all owned by Facebook).

Macy’s

When It Happened: In the Summer of 2018, Macy’s informed customers of a two-month data breach that happened between April 26th and June 12th.
Who It Affected: Online customers of Macys.com and Bloomingdales.com (they didn’t specify how many but said it was a “small number of customers.”)
What Was Compromised: Login details, including usernames and passwords which could mean full names, addresses, birthday, phone numbers, email address and credit card numbers and expiration (no security codes were stored).
Resolution: Macy’s has contacted and is providing consumer protection services for customers who were potentially impacted.

Adidas

When It Happened: On June 28, 2018, Adidas says it became aware of a potential security breach that happened on June 26th.
Who It Affected: A “few million” consumers.
What Was Compromised: Names, usernames and encrypted password (no credit card or fitness information).
Resolution: Began taking steps to alert relevant consumers and is working with data firms and law enforcement to investigate the issue.

Chili’s

When It Happened: On May 11, 2018, Chili’s parent company Brinker learned about a data breach which happened between March and April 2018.
Who It Affected: Customers who dined in certain restaurants (as of May they haven’t identified which of their 1,600 locations or how many people it affected).
What Was Compromised: Credit card information and names from payment systems.
Resolution: They are working with law enforcement officials to investigate the issue. The company also said they are working to provide credit monitoring services for customers who may have had their data stolen.

Panera Bread

When It Happened: On April 3, 2018, it was reported that customer information may have been compromised on Panera Bread’s website for eight months.
Who It Affected: 37 million customers who signed up to order food via PaneraBread.com.
What Was Compromised: Names, email addresses, phone numbers, physical addresses, birthdays, ordering habits, food preferences, last four digits of payment card numbers.
Resolution: The data has been removed from Panera’s website. The investigation is still ongoing and Panera has yet to release a formal statement on the matter.

Saks And Lord & Taylor

When It Happened: Saks Fifth Avenue became aware of a security issue on April 1, 2018
Who It Affected: More than 5 million Saks Fifth Avenue and Lord & Taylor customers in North America
What Was Compromised: Hackers staged an attack to steal debit and credit card information but it is not confirmed if such a breach took place.
Resolution: The company has looked into and taken steps to contain the issue and believes there is no risk to shoppers.

MyFitnessPal App By Under Armour

When It Happened: Under Armor was notified on March 25, 2018, that the breach took place during February of 2018
Who It Affected: Approximately 150 million user accounts
What Was Compromised: Usernames, email addresses, and passwords with the hashtag function called bcrypt used to secure passwords.
Resolution: Under Armour is requiring all MyFitnessPal users to change their password and update any accounts which use similar passwords to the app. They are also encouraging users to monitor suspicious activity and are working with law enforcement officials and a data security firm to investigate the breach.

2017 Security Breaches

Verizon Data Breach

When It Happened: July 2017
Who It Affected: 6 million confirmed, but could be as many as 14 million Verizon subscribers.
What Was Compromised: Log files that were generated when Verizon customers called customer support. Each file includes the customer’s name, email address, phone number and PIN associated with their account. With this information, some experts say that online accounts could be logged into, allowing access to phones and social media accounts.
Resolution: Verizon customers were encouraged to change their passwords immediately and be aware of any phishing emails or scammy phone calls requesting personal information to verify identity (like zip code).

Equifax Data Breach

When It Happened: Mid-May to July 2017, caught by Equifax July 29, 2017, and announced to public September 7, 2017.
Who It Affected: Around 143 million people. (March 1, 2018, they announced that an additional 2.4 million Americans were impacted).
What Was Compromised: Social Security numbers, birth dates, addresses, email addresses and some driver’s license and credit card numbers
Resolution: They set up a website for users to check if they were impacted and are working with a independent cybersecurity firm to conduct an assessment and provide recommendations on prevention from future hackings. Read more about Equifax.

Why You Should Get Identity Theft Protection

Uber Data Breach

When It Happened: Late 2016, announced fall 2017 (Uber executives knew about the breach for over a year and paid $100,000 in ransom to keep it secret from the public)
Who It Affected: 57 million rider and driver accounts
What Was Compromised: The names and driver’s license numbers of around 600,000 drivers in the United States and other personal information including email addresses, names and mobile phone numbers of riders and drivers around the world. They do not believe that social security numbers, credit card or bank info or dates of birth were compromised.
Resolution: According to Uber’s website, they do not feel that further action is needed since there has been no fraud or misuse tied to the incident. They are continuing to monitor the situation and encourage users to change passwords and report any unusual activity. But in 2018 it was reported that they will pay $148 million to settle claims.

2016 Security Breaches

Democratic National Committee

In June 2016, the Democratic National Committee’s (DNC) entire database was hacked by the Russian government. The hackers gained access to the DNC’s computer network which gave them access to the research database for the Republican presidential candidate, Donald Trump. However, according to the DNC no financial, donor or personal information appears to have been stolen. The breach was purely for espionage and consumer data is at risk.

2015 Security Breaches

T-Mobile Data Breach

When It Happened: Between Sept. 1, 2013 and Sept. 16, 2015 and again in 2018
Who It Affected: Potentially exposed personal information of 15 million customers and potential customers (the 2018 breach was approximately 2.3 million customers)
What Was Compromised: Social Security numbers and birthdays of those who might have applied for T-Mobile cell service.
Resolution: Two years of free credit monitoring and identity protection

Which Is The Best Identity Theft Protection Provider?

Ashley Madison Data Breach

When It Happened: July 2015
Who It Affected: Users of a Ashley Madison, a commercial website that enables extramarital affairs
What Was Compromised: Hackers obtained 60 gigabytes of personal information and threatened to publicly share the names of users unless Ashley Madison agreed to shut down its site
Resolution: Those users whose details were exposed are filing a $567 million class-action lawsuit against the parent company of Ashley Madison

Office of Personnel Management Breach

When It Happened: April – June 2015
Who It Affected: 21.5 million federal employees
What Was Compromised: Social Security numbers, names, dates and places of birth, email addresses, mailing addresses as well as security clearance info.
Resolution: Employees and dependent minor children who were under the age of 18 as of July 1, 2015 were offered credit and identity monitoring, identity theft insurance, and identity restoration services for the next three years through ID Experts

Are you a federal employee? Get more info on OPM’s Cyber Security.

Anthem Health Insurance Breach

When It Happened: February 2015
Who It Affected: Originally reported that it was as many as 37.5 millions insurance customers but later raised the number to 78.8 million people.
What Was Compromised: Records including Social Security numbers, birthdays, email addresses and physical addresses.
Resolution: AllClear ID identity protection for two years at no cost to customers and in 2018 they reached an agreement with regulators to pay out $16 million to the Department of Health and Human Services.

2014 Security Breaches

Yahoo Data Breach

When It Happened: 2013 and again in late 2014 (both announced in 2016)
Who It Affected: 3 billion in 2013 and 500 million user accounts in 2014
What Was Compromised: Names, email addresses, telephone numbers, dates of birth, user names, hashed passwords and encrypted or unencrypted security questions and answers.
Resolution: Encouraged customers to update passwords and security questions and in 2018 it was reported they would pay $50 million in damages as part of the settlement.

JPMorgan Chase

When It Happened: September 2014
Who It Affected: 83 million accounts, 76 million households, 7 million small businesses
What Was Compromised: Email and postal addresses, names and phone numbers of account holders.
Resolution: JPMorgan says it spends $250 million a year on online security and intends to double that amount

Learn More About Identity Theft

Home Depot Credit Card Breach

When It Happened: April 2014 – September 2014
Who It Affected: 56 million customers
What Was Compromised: Credit card information and names.
Resolution: Offered the affected customers a free year of identity theft protection from AllClear ID. In 2017 the retailer agreed to pay $25 million for damages they incurred as a result of the breach.

Scottrade Data Breach

When It Happened: Late 2013 and early 2014, announced in October 2015 and again in 2017
Who It Affected: 4.6 million customers (and another 20,000 customers in 2017)
What Was Compromised: Names and street addresses (possibly Social Security numbers, email addresses and other sensitive data). The smaller breach in 2017 exposed credit profiles including SSN, names, addresses, phone numbers and more.
Resolution: Offered customers identity theft protection services

2013 Security Breaches

Target Credit Card Breach

When It Happened: November to December 2013
Who It Affected: About 40 million customer’s credit and debit card information and 70 million customer’s email and addresses.
What Was Compromised: Credit/debit card information, names, addresses, phone numbers and email addresses.
Resolution: Customers who shopped during that time were offered a free year of Protect My ID. In 2017 Target agreed to pay a bulk settlement of $18.5 million to be distributed among 47 state governments and Washington, D.C.

Adobe Systems Data Breach

When It Happened: Announced in October 2013
Who It Affected: At least 38 million Adobe users
What Was Compromised: Credit/debit card records stolen, users’ Adobe IDs and encrypted passwords.
Resolution: Notified users to change passwords and offered a year’s worth of credit monitoring to customers whose encrypted credit card data was stolen in the breach.

Neiman-Marcus Breach

When It Happened: Between July 16 and October 30, 2013 but the investigation is ongoing.
Who It Affected: Originally reported that 1.1 million Neiman-Marcus customers’ credit card info in 77 stores nationwide but the number has since been reduced to roughly 370,000 credit cards were used.
What Was Compromised: Credit/debit card information.
Resolution: Customers affected received one free year of credit monitoring. In January 2019 it was announced that Neiman Marcus will pay $1.5 million to 43 states in a settlement over the breach.

History of Major Data Breaches Infographic

That’s a lot of breaches in a short period of time. This graphic summarizes them in visual format so you can compare the breadth and depth of each.

History of Major Data Breaches Infographic

To share this infographic on your site, simply copy and paste the code below:

What Happens After A Data Breach?

So, the hackers have your data – now what do they do with it after they “pump and dump” your information from the servers? Find out more about the black market trading and selling of personal information that goes on behind the scenes in this two-minute video from Norton.

How To Protect Yourself From Data Breaches

Identity theft can happen even to the most cautious of us. As you can see from the list of security breaches above, millions of people have had their personal information stolen. And in most security breaches the company that was hacked offered affected customers identity theft protection services. But that’s not very helpful after your information has already been compromised.

Be proactive by signing up for Identity Theft Protection and reading our Basic Cyber Security Tips to stay ahead of the game. For a minimal monthly payment you’ll rest assured knowing that someone is keeping a close eye on your credit.

How have you been affected by a security breach?

Disclaimer: This website contains reviews, opinions and information regarding products and services manufactured or provided by third parties. We are not responsible in any way for such products and services, and nothing contained here should be construed as a guarantee of the functionality, utility, safety or reliability of any product or services reviewed or discussed. Please follow the directions provided by the manufacturer or service provider when using any product or service reviewed or discussed on this website.

Sadie has a bachelor’s in communications and minor in business from the University of Texas at Austin. She has been writing about, researching and a user of security and smart home technology since 2012. As an early adapter and avid user of gadgets, she’s not only well-versed in how to use them but also passionate about helping others integrate them into their lives and homes. Having lived in various urban neighborhoods in major cities like Dallas, Austin, Winston-Salem and currently Washington DC, Sadie has experienced her share of property crimes over the years; from car break-ins to stolen bikes. As a result, she’s extra cautious when it comes to protecting herself and her property. Sadie attends conferences, events and webinars to stay up-to-date on cybersecurity and technology. She loves traveling the world and is a self-proclaimed Apple junkie.

4
Leave a Reply

avatar
newest oldest most voted
Anonymous
I heard this week that Uber compromised user data…and knew about it for a year!
Denise W
Thanks for keeping these data breaches covered, very helpful! It’s nice to have a source that only covers the major stuff, not all the breaches, which can get overwhelming! You say that I’m able to check the Equifax site you link to to find out if my data has been exposed, but once I get to the site I can’t find where to get that information?
Alex Schenker (Admin)
Hi Denise, if you use the link we provide above (here it is again) vs. going to the homepage of the Equifax site, you’ll be taken straight to a page that gives you instructions on checking the potential impact on your data (you’ll be asked for your last name and the last 6 digits of your SSN). We recommend you sign up for an identity theft monitoring service (we review the top ID theft protection services here) to help monitor and protect against future breaches.
Don
This is useful, will bookmark it and reference often, hopefully there won’t be too many more updates to this though!