From government organizations to major retailers, headlines about data breaches seem to be the new norm. Hackers continue to put millions of consumers at risk. If you’re reading this, you’ve most likely experienced an attack at some point.
Since 2012, we’ve monitored security breach breaking news and tracked those having the biggest impact on Americans. Remember the big Target breach from 2013? That seems like ages ago with 10,000+ violations in the U.S. since January 2018 alone, resulting in 10.7 billion exposed records [1]. That makes Target’s 40-70 million affected customers seem like peanuts in comparison.
Where Are Most Data Breaches Happening In The U.S.?
Ironically, California, home to Silicon Valley, suffers the worst magnitude and frequency of breaches (double the next hardest-hit states: New York, Texas and Florida). On the flip side, the Dakotas, Wyoming and West Virginia remain relatively in the clear with the fewest breaches (under 30 total) [1].
Identity theft can happen even to the most cautious of us. As you can see from the list of security breaches below, millions of people have had their personal information stolen. And in most security breaches, the hacked company offered affected customers an identity theft protection service. But that’s not as helpful when your information was already compromised.
We also recommend Dashlane to generate passwords that are extra difficult to guess. Dashlane also safely stores passwords, credit card info and other sensitive data.
Trying to keep up with all the latest security breach news and which companies have been affected can be overwhelming. We’ve put together this comprehensive guide to help you stay on top of what’s happening with the latest security breaches.
These recent credit card and data breaches are listed in chronological order of when they happened. Let us know in the comments if we missed any major events.
2020: T-Mobile | J.Crew | Carnival Cruise Lines | Walgreens | MGM
2019: Zynga | Wawa | Facebook | Verizon | Web.com | CenturyLink | DoorDash | State Farm | Poshmark | CafePress | Capital One | Quest Diagnostics | Earl Enterprises | FEMA | Facebook
2018: Quora | Marriott | HSBC | Facebook | Macy’s | Adidas | Chili’s | Panera Bread | Saks and Lord & Taylor | MyFitnessPal
2017: Uber | Verizon | Equifax
2016: Democratic National Committee | Yahoo
2015: Scottrade | Experian | Ashley Madison | OPM | Anthem
2014: JPMorgan Chase | Home Depot
2013: Neiman-Marcus | Target | Adobe
2020 Security Breaches
When It Happened: T-Mobile released a statement on March 5, 2020, but they did not say when the breach actually occurred.
Who It Affected: T-Mobile employees’ email accounts (and some of its customers).
What Was Compromised: Names, addresses, social security numbers, financial information, government identification numbers, phone numbers, billing and account information, rate plans and features.
Resolution: T-Mobile has notified impacted customers and is offering them free credit monitoring and identity theft detection services via TransUnion. They are also encouraging all customers to update their personal identification numbers (PINs) on their accounts by dialing 611 from their T-Mobile phone.
When It Happened: The hack took place in April 2019 and was made public March 4, 2020.
Who It Affected: Online shoppers of J.Crew, J.Crew Factory and Madewell.
What Was Compromised: Last four digits of credit card numbers stored in accounts, credit card expiration dates, card types, billing addresses, order numbers, shipping confirmation numbers and shipping status.
Resolution: A notice of the data breach was sent to affected customers. The company disabled impacted accounts and asked those users to contact J.Crew customer care to reset their passwords.
When It Happened: Between April 11 and July 23, 2019. Suspicious activity was detected in late May 2019, and the announcement occurred on March 4, 2020.
Who It Affected: Employees and guests of Carnival Cruise Lines. We don’t know yet how many people were impacted, but the company employs around 100,000 people shipboard and has an estimated 325,000 daily passengers.
What Was Compromised: Depending on the guest, hackers accessed customer names, addresses, social security numbers, government identification numbers (passport number or driver’s license number), credit card/financial data and health-related information.
Resolution: Upon identifying the threat, Carnival Corporation engaged with cybersecurity forensic experts and initiated an investigation to determine what happened, who was impacted and what data was affected.
When It Happened: The error was first discovered in January 2020, and it was reported to the public in late February 2020.
Who It Affected: Users of Walgreens mobile app’s messaging feature. The exact number is unclear, but they believe it was a small percentage of customers.
What Was Compromised: Health-related data, including names, prescription numbers, shipping addresses and store numbers. No financial data was exposed.
Resolution: Upon discovery, Walgreens temporarily disabled message viewing to prevent further exposure. They also implemented a technical correction that resolved the issue.
When It Happened: The breach took place in the summer of 2019 and was made public on February 19, 2020.
Who It Affected: More than 10.6 million users who stayed at MGM Resort hotels, including celebrities, tech CEOs, reporters, government officials and other notable guests.
What Was Compromised: Full names, home addresses, phone numbers, emails and dates of birth. No financial/payment information or password data.
Resolution: The hotel chain notified all impacted guests and hired two cybersecurity firms to investigate.
2019 Security Breaches
When It Happened: September 2019 and announced in December 2019.
Who It Affected: 172-218 million users of the popular gaming developer (Words With Friends, Farmville, etc.).
What Was Compromised: Email addresses, usernames and passwords.
Resolution: None yet. But if you have played one of Zynga’s games on your phone or via Facebook, we recommend that you reset your user data with a unique and strong password.
When It Happened: Between March 4 and April 22, 2019. The breach was discovered December 10th and announced on December 19, 2019.
Who It Affected: The breach impacted 30 million customers and occurred at all of its 850+ locations.
What Was Compromised: Credit and debit card numbers, expiration dates and cardholder names.
Resolution: If you shopped at a Wawa during the breach, monitor your credit or debit card for any unusual activity. Wawa is also offering one year of free credit monitoring to those affected.
When It Happened: A large, unprotected file of Facebook user data was discovered on a hacker forum on December 12th. On December 14th, Facebook contacted the database’s host ISP (internet service provider). They eliminated it from the site on December 19th.
Who It Affected: 267 million Facebook users.
What Was Compromised: Names, phone numbers, and user IDs.
Resolution: None has been announced yet.
Update Your Facebook Privacy Settings
We recommend that social media users cultivate more control over how their profile information is shown to others by fine-tuning their account privacy settings.
- Go to “Settings and Privacy.”
- Then go to “Privacy Shortcuts” and click “See more privacy settings.”
- Set most (if not all) fields to Only me or Friends
- And select No under “Do you want search engines outside of Facebook to link to your profile.”
When It Happened: It was discovered in early November 2019 and reported at the end of the same month. The company did not disclose the length of exposure time.
Who It Affected: 1 million pre-paid customer records (less than 1% of their 75 million users).
What Was Compromised: User names, billing addresses, phone numbers, account numbers and plan information. No financial information, social security numbers or passwords were exposed.
Resolution: Nothing has been shared yet about how the company will resolve the matter.
When It Happened: Web.com, the parent company of Network Solutions and Register.com, says they became aware of the breach on October 16, 2019, but the breach took place in late August 2019.
Who It Affected: Roughly 2.2 million customer records.
What Was Compromised: Names, email addresses, phone numbers and services used by the customer.
Resolution: The incident was reported to law enforcement, and an outside security agency will contact impacted customers. All users are encouraged to change their passwords.
When It Happened: CenturyLink first learned about the breach on September 15, 2019, but didn’t announce it until late October 2019. The breach happened over 10 months.
Who It Affected: 2.8 million customer records.
What Was Compromised: Names, email addresses, phone numbers, physical addresses, CenturyLink account numbers, notification logs and conversation logs.
Resolution: The company says they are conducting a thorough investigation of the incident and are communicating with customers (our own team member who is also a customer received their email).
When It Happened: Announced in late-September 2019.
Who It Affected: 4.9 users and merchants who joined on or before April 5, 2018.
What Was Compromised: Profile information including names, emails, delivery address, order history, phone number and hashed passwords. Some credit card info (last four digits only).
Resolution: The company says they’ve added additional security layers around their data, improved security protocols and brought in outside expertise to help prevent future threats. They also encourage users to reset their passwords.
When It Happened: August 2019.
Who It Affected: Have not disclosed how many people were impacted.
What Was Compromised: State Farm usernames and passwords (obtained from another company’s data breach) were used to gain access to accounts.
Resolution: The company has reset passwords for accounts whose login credentials were compromised.
When It Happened: August 2019.
Who It Affected: Did not disclose, but they have more than 50 million users.
What Was Compromised: Names, usernames, genders, city data, email addresses, size preferences and scrambled passwords.
Resolution: The company retained outside forensics to investigate and rolled out enhanced security measures.
When It Happened: Between February and August 2019.
Who It Affected: Over 23.2 million accounts were exposed.
What Was Compromised: Email addresses, phone numbers and hashed passwords.
Resolution: The company has sent out password resets and updated its password policy.
When It Happened: Between March 22-23, 2019, and includes data from as far back as 2005. Announced July 29, 2019.
Who It Affected: 100 million Capital One customers and credit card applicants.
What Was Compromised: 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, people’s full names, addresses, phone numbers, birth dates, email, income, credit scores and more.
Resolution: The company has fixed the vulnerability and is investigating the incident. Capital One will notify people affected by the breach and will offer free credit monitoring and identity protection.
Additional Notes: Although the records were exposed, Capital One says it’s “unlikely that the information was used for fraud or disseminated by this individual.”
When It Happened: Between August 1, 2018 and March 30, 2019.
Who It Affected: 11.9 million patients.
What Was Compromised: Certain medical and financial information and social security numbers.
Resolution: Patients were notified and an investigation was opened to look into what happened.
When It Happened: Between May 2018 and March 2019.
Who It Affected: 100 locations of their restaurants including Buca di Beppo, Planet Hollywood, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria. Online orders were not impacted.
What Was Compromised: It’s reported that more than 2 million credit cards were compromised and being sold on the dark web.
Resolution: The company has since launched a website for customers to check if the location they visited was impacted.
When It Happened: On March 22, 2019, the Federal Emergency Management Agency (FEMA) acknowledged that they improperly handled Personally Identifiable Information (PII) with an outside contractor who manages their Transitional Sheltering Assistance Program.
Who It Affected: 2.5 million natural disaster survivors.
What Was Compromised: 1.8 million victims’ banking information and personal addresses were revealed, and about 725,000 people had just their addresses shared.
Resolution: The Inspector General report told FEMA it needed to take measures to ensure data won’t be shared again with contractors and that the shared data is promptly destroyed.
When It Happened: Facebook had already exposed 50 million accounts in 2018. Then, in March 2019, Facebook admitted yet another security incident.
Who It Affected: Estimated 200 to 600 million users.
What Was Compromised: Passwords (that Facebook improperly stored on its servers).
Resolution: Facebook notified affected users.
To see how the various breaches compare, we compiled a graphic showing the breadth and depth of each major compromise, including a timeline of when each event happened, when it was announced to the public, who it impacted and the resolution (if any). The results showcase the full scope of this massive concern plaguing society today.
2018 Security Breaches
When It Happened: The company announcement came on December 4, 2018. Quora discovered the breach on November 30, 2018.
Who It Affected: Approximately 100 million of its 300 million users.
What Was Compromised: Names, email addresses, encrypted passwords and public content (questions, answers and comments). No sensitive data (credit card, SSN) is collected on the site.
Resolution: Quora is alerting affected users to update their passwords, working rapidly to investigate the situation and taking appropriate steps to prevent future incidents.
When It Happened: On or before September 10, 2018. Announcement did not happen until November 30, 2018.
Who It Affected: As many as 500 million guests from Marriott International hotel properties (Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Meridien, Tribute, Design Hotels, Elements and the Luxury Collection). Breached data may go back to 2014.
What Was Compromised: Names, addresses, dates of birth, passport numbers, email addresses, phone numbers, encrypted credit-cards.
Resolution: Marriott has a dedicated website and call center to deal with questions and has notified legal and regulatory authorities. The company is also attempting to reach out to affected customers and offer them one year of free web watcher service that monitors sites where hackers swap and sell stolen personal information.
When It Happened: Between October 4-14, 2018.
Who It Affected: Fewer than 1% of the firm’s U.S. clients.
What Was Compromised: Full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.
Resolution: HSBC sent notifications to those who were compromised and offered them one year of free credit monitoring and identity theft protection.
When It Happened: September 28, 2018, Facebook announced it learned of an attack on its computer network.
Who It Affected: Facebook first reported that 50 million of its users were impacted but later reduced the number to 30 million.
What Was Compromised: Hackers took over users’ accounts, gaining access to their names, email addresses and phone numbers.
Resolution: Facebook fixed the vulnerability and notified law enforcement officials. They also logged 90 million users out of their accounts, forcing them to log back in, a solid safety measure for compromised accounts.
We also recommend that you be proactive and change your passwords (make sure they are secure!) for Facebook, Instagram and WhatsApp (all owned by Facebook).
When It Happened: In the Summer of 2018, Macy’s informed customers of a two-month data breach that happened between April 26th and June 12th.
Who It Affected: Online customers of Macys.com and Bloomingdales.com (they didn’t specify how many but said it was a “small number of customers.”)
What Was Compromised: Login details, including usernames and passwords which could mean full names, addresses, birthday, phone numbers, email address and credit card numbers and expiration (no security codes were stored).
Resolution: Macy’s has contacted and is providing consumer protection services for customers who were potentially impacted.
When It Happened: On June 28, 2018, Adidas says it became aware of a potential security breach that happened on June 26th.
Who It Affected: A “few million” consumers.
What Was Compromised: Names, usernames and encrypted passwords (no credit card or fitness information).
Resolution: Began taking steps to alert relevant consumers and is working with data firms and law enforcement to investigate the issue.
When It Happened: On May 11, 2018, Chili’s parent company Brinker learned about a data breach which happened between March and April 2018.
Who It Affected: Customers who dined in certain restaurants (as of May they haven’t identified which of their 1,600 locations or how many people it affected).
What Was Compromised: Credit card information and names from payment systems.
Resolution: They are working with law enforcement officials to investigate the issue. The company also said they are working to provide credit monitoring services for customers who may have had their data stolen.
When It Happened: On April 3, 2018, it was reported that customer information may have been compromised on Panera Bread’s website for eight months.
Who It Affected: 37 million customers who signed up to order food via PaneraBread.com.
What Was Compromised: Names, email addresses, phone numbers, physical addresses, birthdays, ordering habits, food preferences, last four digits of payment card numbers.
Resolution: The data has been removed from Panera’s website. The investigation is still ongoing and Panera has yet to release a formal statement on the matter.
When It Happened: Saks Fifth Avenue became aware of a security issue on April 1, 2018.
Who It Affected: More than 5 million Saks Fifth Avenue and Lord & Taylor customers in North America.
What Was Compromised: Hackers staged an attack to steal debit and credit card information but it is not confirmed if such a breach took place.
Resolution: The company has looked into and taken steps to contain the issue and believes there is no risk to shoppers.
When It Happened: Under Armour was notified on March 25, 2018, that the breach took place during February of 2018.
Who It Affected: Approximately 150 million user accounts.
What Was Compromised: Usernames, email addresses and passwords, with the passwords secured by the hashing function called bcrypt.
Resolution: Under Armour is requiring all MyFitnessPal users to change their password and update any accounts which use similar passwords to the app. They are also encouraging users to monitor suspicious activity and are working with law enforcement officials and a data security firm to investigate the breach.
2017 Security Breaches
When It Happened: July 2017
Who It Affected: 6 million confirmed, but could be as many as 14 million Verizon subscribers.
What Was Compromised: Log files that were generated when Verizon customers called customer support. Each file includes the customer’s name, email address, phone number and PIN associated with their account. With this information, some experts say that online accounts could be logged into, allowing access to phones and social media accounts.
Resolution: Verizon customers were encouraged to change their passwords immediately and be aware of any phishing emails or scammy phone calls requesting personal information to verify identity (like zip code).
When It Happened: Mid-May to July 2017, caught by Equifax July 29, 2017, and announced to the public September 7, 2017.
Who It Affected: Around 147 million Americans and some Canadians. (On March 1, 2018, they announced that an additional 2.4 million Americans were impacted.)
What Was Compromised: Social Security numbers, birth dates, addresses, email addresses and some driver’s license and credit card numbers.
Resolution: They set up a website for users to check if they were impacted and are working with an independent cybersecurity firm to conduct an assessment and provide recommendations on preventing future hackings. Read more about Equifax.
When It Happened: Late 2016, announced fall 2017 (Uber executives knew about the breach for over a year and paid $100,000 in ransom to keep it secret from the public)
Who It Affected: 57 million rider and driver accounts
What Was Compromised: The names and driver’s license numbers of around 600,000 drivers in the United States and other personal information including email addresses, names and mobile phone numbers of riders and drivers around the world. They do not believe that social security numbers, credit card or bank info or dates of birth were compromised.
Resolution: According to Uber’s website, they do not feel that further action is needed since there has been no fraud or misuse tied to the incident. They are continuing to monitor the situation and encourage users to change passwords and report any unusual activity. But in 2018 it was reported that they will pay $148 million to settle claims.
2016 Security Breaches
In June 2016, the Democratic National Committee’s (DNC) entire database was hacked by the Russian government. The hackers gained access to the DNC’s computer network which gave them access to the research database for the Republican presidential candidate, Donald Trump. However, according to the DNC no financial, donor or personal information appears to have been stolen. The breach was purely for espionage and consumer data is at risk.
2015 Security Breaches
When It Happened: Between Sept. 1, 2013 and Sept. 16, 2015 and again in 2018
Who It Affected: Potentially exposed personal information of 15 million customers and potential customers (the 2018 breach was approximately 2.3 million customers)
What Was Compromised: Social Security numbers and birthdays of those who might have applied for T-Mobile cell service.
Resolution: Two years of free credit monitoring and identity protection
When It Happened: July 2015
Who It Affected: Users of Ashley Madison, a commercial website that enables extramarital affairs.
What Was Compromised: Hackers obtained 60 gigabytes of personal information and threatened to publicly share the names of users unless Ashley Madison agreed to shut down its site
Resolution: Those users whose details were exposed are filing a $567 million class-action lawsuit against the parent company of Ashley Madison
When It Happened: April – June 2015
Who It Affected: 21.5 million federal employees
What Was Compromised: Social Security numbers, names, dates and places of birth, email addresses, mailing addresses as well as security clearance info.
Resolution: Employees and dependent minor children who were under the age of 18 as of July 1, 2015 were offered credit and identity monitoring, identity theft insurance, and identity restoration services for the next three years through ID Experts
Are you a federal employee? Get more info on OPM’s Cybersecurity.
When It Happened: February 2015
Who It Affected: Originally reported that it was as many as 37.5 million insurance customers but later raised the number to 78.8 million people.
What Was Compromised: Records including Social Security numbers, birthdays, email addresses and physical addresses.
Resolution: AllClear ID identity protection for two years at no cost to customers and in 2018 they reached an agreement with regulators to pay out $16 million to the Department of Health and Human Services.
2014 Security Breaches
When It Happened: 2013 and again in late 2014 (both announced in 2016)
Who It Affected: 3 billion in 2013 and 500 million user accounts in 2014
What Was Compromised: Names, email addresses, telephone numbers, dates of birth, user names, hashed passwords and encrypted or unencrypted security questions and answers.
Resolution: Encouraged customers to update passwords and security questions and in 2018 it was reported they would pay $50 million in damages as part of the settlement. If you think your Yahoo account was part of the breach, you can visit their settlement site to file a claim.
When It Happened: September 2014
Who It Affected: 83 million accounts, 76 million households, 7 million small businesses
What Was Compromised: Email and postal addresses, names and phone numbers of account holders.
Resolution: JPMorgan says it spends $250 million a year on online security and intends to double that amount
When It Happened: April 2014 – September 2014
Who It Affected: 56 million customers
What Was Compromised: Credit card information and names.
Resolution: Offered the affected customers a free year of identity theft protection from AllClear ID. In 2017 the retailer agreed to pay $25 million for damages they incurred as a result of the breach.
When It Happened: Late 2013 and early 2014, announced in October 2015 and again in 2017
Who It Affected: 4.6 million customers (and another 20,000 customers in 2017)
What Was Compromised: Names and street addresses (possibly Social Security numbers, email addresses and other sensitive data). The smaller breach in 2017 exposed credit profiles including SSN, names, addresses, phone numbers and more.
Resolution: Offered customers identity theft protection services
2013 Security Breaches
When It Happened: November to December 2013
Who It Affected: About 40 million customers’ credit and debit card information and 70 million customers’ email and addresses.
What Was Compromised: Credit/debit card information, names, addresses, phone numbers and email addresses.
Resolution: Customers who shopped during that time were offered a free year of Protect My ID. In 2017 Target agreed to pay a bulk settlement of $18.5 million to be distributed among 47 state governments and Washington, D.C.
When It Happened: Announced in October 2013
Who It Affected: At least 38 million Adobe users
What Was Compromised: Credit/debit card records stolen, users’ Adobe IDs and encrypted passwords.
Resolution: Notified users to change passwords and offered a year’s worth of credit monitoring to customers whose encrypted credit card data was stolen in the breach.
When It Happened: Between July 16 and October 30, 2013 but the investigation is ongoing.
Who It Affected: Originally reported as 1.1 million Neiman-Marcus customers’ credit card info in 77 stores nationwide, but the number has since been reduced to roughly 370,000 credit cards that were used.
What Was Compromised: Credit/debit card information.
Resolution: Customers affected received one free year of credit monitoring. In January 2019 it was announced that Neiman Marcus will pay $1.5 million to 43 states in a settlement over the breach.
So, the hackers have your data – now what do they do with it after they “pump and dump” your information from the servers? Find out more about the black market trading and selling of personal information that goes on behind the scenes in this two-minute video from Norton.
Sources: [1] Comparitech