hands typing at laptop with red alerts

The Independent’s journalism is supported by our readers. When you purchase through links on our site, we may earn commission. Why trust us?

Live company data breaches and stats for 2024

Contributions by Camille Dubuis-Welch
Verified by Amy Reeves

Like it or not, cybercrime is prolific. With an estimated 8,000 cyberattacks per year, staying secure online simply can’t be assumed or left as an afterthought. Being savvy with your internet security is as much about keeping your passwords complex and secure as it is about installing a reliable VPN and remaining vigilant with two-factor authentication (2FA).

More and more companies are falling victim to cyberattacks, phishing scandals and ransomware leading to data leaks, huge payouts and often lawsuits. It’s clear that cybercriminals are getting increasingly creative, that anyone can be targeted and that there is still a lot to learn around prevention and recovery. 

There is a hacker attack every 39 seconds and 2023 saw a number of high-profile cybersecurity incidents, with some rumoured to be recurring attacks from previous years or even months before, and some big data leaks on smaller companies in the healthcare sector. 

According to IBM Security’s Cost of a Data Breach Report for 2022, 83 per cent of organisations have had more than one breach and 42 million records were supposedly exposed due to data breaches between March 2021 and February 2022. Alarmingly, these records can include anything from first names and email address, to passport copies, sensitive healthcare information and financial details. 

Generally speaking, data breaches are taking longer to identify and contain than in previous years — with ransomware-related breaches taking 49 days longer in 2021 than the average time in previous years, according to IBM. Although most people would assume that the risk of data leaks would be higher in companies that haven’t got a fully-fledged cybersecurity team in place (for example, a small hospital), cases such as the latest Twitter cyberbreach prove that companies with perceived high cybersecurity won’t always outsmart a hacker.

According to Mimecast’s State of Email Security Report for 2023, the threat of cyber incidents is now one of the most important global risks to businesses, following the Allianz Risk Barometer survey which highlights how the risks involved might outweigh climate change, staff shortages and even the likelihood of recession.

While not all cases of a data breach lead to fraud or identity theft, compromised data is still an expensive business for companies and the repercussions stretch further to impact consumer trust and brand reputation, not to mention the mental and financial health of anyone directly involved. 

Our expert researchers have compiled the most notable data breaches of 2023 so far which have led to millions of records being leaked or exposed – 346,758,345 to be precise in one way or another. Records or data include basic personally identifiable information (PII) which can be used to identify someone  – such as a name, date of birth, address, and phone number – and in some cases records may have included social security numbers, financial or sensitive health information. 

Looking more closely at the data, there were 1.9 million people affected by data breaches in April 2023 and numbers have crept up for March and February, also, as new cases of data breaches have been reported around the globe. T-Mobile discovered another breach on 27 March, although 836 is a relatively small figure compared to the 37 million customers affected in their breach in January, it’s certainly enough to eat away at the brand’s credibility.

Each case varies and, although not all reports are officially “confirmed”, they carry lots of potential risk. For example, the millions of Brits now with potential data compromised due to a Labour phone banking system glitch, while across the pond, iD Tech still isn’t confirming a breach, which potentially exposed almost one million user records, even though the incident has been reported and many of those involved were made aware by Have I Been Pwned.

Top data breach stats for 2023

Number of people affected to date in 2023: 364,121,588+

2023’s biggest breach to date in 2023: Twitter, with allegedly 235 million emails leaked

UK’s biggest breach: 40 million UK voters’ details exposed

US’s biggest breach: 37 million T-mobile customers affected

Number of potential records compromised in August: At least 43 million

Number of potential records compromised in May: At least 17,363,243

Number of potential records compromised in April: 1,920,000

Number of potential records compromised in March: 31,413,302

Number of potential records compromised in February:  25,342,580

Number of potential records compromised in January: 288,082,463

Number of personal records compromised by telecom providers: 47,000,836

Number of personal records compromised in the healthcare sector: 25,949,000

Number of personal records compromised in the finance sector: 365,000 

Data leaks caused by threat actors: 290,046,243

Data leaks caused by hacking: 89,240,580

Data breaches caused by third party data exposure: 11,354,000+

Data breaches caused by human error: 392,466

Company data breaches in 2023

Common patterns that will emerge as you review the latest company data breaches are that human (and company) error is often the culprit, all types of companies can be targeted, and the motivation behind cyberattacks are, more often than not, money-related.

Data is often stolen by hacking which is someone gaining unauthorised access, usually electronically, to a system. Phishing is a type of social engineering attack whereby seemingly innocuous emails will be sent to victims containing links that may install ransomware or allow a bad actor access to systems. Phishing can also be used to lure people into entering personal information, leading to data theft or fraud. It may be used for impersonation that eventually leads onto another cybercrime being actioned, such as asking someone to transfer a large sum of money into an offshore bank account.

Bad/threat actors refers to anyone who causes harm in the digital sphere; they are slightly different to hackers in that they may not necessarily have technical skills to hack a system but will exploit a vulnerable server, eventually leading to a data breach or another other type of cybercrime.

Other factors that commonly lead to a data breach include malware – damaging software that infects devices with viruses – ransomware and spyware. which can then corrupt files and compromise data.

Below, we have created a timeline of the data breaches so far in 2023.

November 2023

31 October

British Library 

Company type: Library 

Attack type: Threat actor

Affected: Unknown 

The British Library, situated in London and the national library of the UK, suffered a cyber attack that resulted in data loss. The British Library learned it had been part of a data breach when low-resolution images were posted online and offered for sale on the dark web. 

The attack took place on 31 October, and the British Library’s website has been down since. A ransomware group named Rhysida has claimed the attack. The hackers have also publicly let it be known how they plan to auction off the stolen data, which includes passport scans, for 20 bitcoins (about £596,459). 

The British Library has investigated the attack and claims made by the ransomware group and has advised customers to change any logins as a precaution. The National Cyber Security Centre (NCSC) has also helped with the investigation to understand the full impact of the situation.  

9 November 

McLaren Health Care 

Company type: Healthcare provider

Attack type: Data breach

Affected: 2.2 million 

Michigan-based healthcare provider McLaren Health Care has announced a data breach that has compromised the personal health information of around 2.2 million patients. The cyber attack took place in July and August 2023, when it’s believed a hacking group gained unauthorised access to McLaren’s systems for three weeks. 

In October, the ransomware group Alphv/BlackCat claimed credit for McLaren’s data breach. The hacking group also claims to have stolen around 6TB of data. McLaren began notifying impacted patients around 9 November that their personal and health data, including health insurance information, social security numbers and billing information, could have been leaked in the data breach. 

13 November 

Samsung Electronics 

Company type: Appliance and consumer electronics 

Attack type: Data breach

Affected:  Unknown 

Samsung Electronics is one of the largest appliance and consumer electronics companies in the world. On 13 November, Samsung warned customers of a cyberattack that only affected UK customers who purchased goods from the Samsung UK online store between 1 July 2019 and 20 June 2020. 

Samsung says unauthorised individuals exploited a vulnerability in a third-party business application the company uses and that some personal information of certain customers was affected. Samsung also believes the stolen data could include names, phone numbers, email addresses and postal addresses – financial records and passwords were not part of the breach. Samsung has also assured that the cyber attack has only affected UK customers and all other regions’ customer and employee data remains unaffected. 

19 November

Idaho National Laboratory

Company type: Nuclear energy

Attack type: Data breach

Affected: Unknown  

Idaho National Laboratory (INL), announced it has suffered a data breach involving sensitive information belonging to its employees. INL is part of the US Department of Energy, which employs 5,700 specialists in atomic energy, integrated energy, and national security.

INL has confirmed an unknown hacktivist group – SeigedSec – has claimed responsibility for the data breach, which involved hundreds of thousands of data points from INL. Stolen data includes social security numbers, postal addresses, employment information, date of birth and email addresses. The breach is being investigated under federal law, though none of the stolen nuclear research data has been publicly disclosed. 

20 November

Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services

Company type: Relocation and moving services

Attack type: Data breach

Affected: 1.5TB of data

The Canadian government has reported that two of its contractors have been hacked. The data breach has leaked sensitive information relating to a number of government employees. Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services are the contractors who suffered the data breach. 

Both services store government data dating back to 1999. Some of this information belongs to members of the Royal Canadian Mounted Police (RCMP), Canadian Armed Forces personnel, and Government of Canada employees.

The LockBit ransomware group has claimed responsibility for the data breach, claiming to have stolen around 1.5TB of documents. 

27 November 

Robeson Health Care

Company type: Healthcare provider

Attack type: Data breach

Affected: 600,000 

Robeson Health Care, a US-based healthcare provider, has disclosed two data breaches, with the most recent taking place on 27 November. Robeson has discovered malware in its computer systems and believes it to have been there since February of the same year. 

In October, Robeson carried out a security investigation and discovered malware in its systems. The North Carolina-based company believes more than 600,000 people may have been affected. Robeson says it “has no indication that our electronic medical records databases were accessed without authorisation”. Robeson also states the stolen data may include names and social security numbers. 

Following the breach, Robeson has offered those affected a year’s worth of theft protection identity services, as well as resetting passwords and ramping up its own security systems. 

28 November 

Okta 

Company type: IT management service

Attack type: Data breach

Affected: Unknown 

IT management service Okta announced it had suffered a data breach in late October. The company offers online identity management tools for companies such as FedEx and Zoom. Okta handles a plethora of sensitive data, and its main services are single sign-in and multifactor authentication. An unknown hacking group was able to infiltrate Oktas’ customer support system to access private customer data, according to the report.  

Initially, Okta estimated that around 134 customers, or 1 per cent, were affected by the data breach. Okta continued its efforts to investigate the breach and discovered it was far larger than initially expected. During the breach, hackers downloaded a report including the names and email addresses of Okta’s customers who had a customer support system account. Of the stolen data, none has been publicly advertised for sale at the time of writing, but Okta’s announcement says a “threat actor may use this information to target Okta customers via phishing or social engineering attacks.”

October 2023

1 October

D-Link

Company type: Networking equipment and smart device manufacturer

Attack type: Threat actor

Affected: Unknown 

D-Link, a Taiwanese networking equipment manufacturer, has reported a data breach in connection with information from its network. The stolen information has been put up for sale on BreachForums. 

The threat actor was able to source code from D-Links’ D-View management software, as well as the personal information of customers and employees and details relating to the company’s CEO. Reports suggest the stolen data includes phone numbers, names, email addresses, account registration dates and users’ last sign-in dates. 

On an online forum, the cyber attacker provided 45 samples of the stolen records, which were dated between 2012 and 2013. The attacker also claims to have 3 million lines of customer information obtained from D-Link’s network. The data has been available for purchase on the forum with a demand of $500 since 1 October. 

D-Link has since investigated the data breach and said the impacted server contained 700 outdated and fragmented records that have been inactive for the past seven years. D-Link believes the attacker has falsified timestamps to make the data theft appear more recent.  

3 October

Sony

Company type: Entertainment

Attack type: Data breach 

Affected: 6,800

Sony Interactive Entertainment has notified 6,800 current and former employees, including family members, that their data may have been involved in a data breach earlier this year. It’s reported that Sony sent a data breach notification in October after discovering that a third party had exploited a zero-day vulnerability in the MOVEit transfer platform.

The zero-day vulnerability CVE-2023-34362 has been exploited in large-scale attacks, and ransomware group Clop used it to leverage data from Sony. The attack took place in June, however, Sony did not release a public statement until October. 

On 31 May, MOVEit announced a vulnerability in its transfer software. Sony and hundreds of other businesses and organisations use the software – a number of those have reported security breaches. Two days prior, on 28 May, Sony sent out notices to affected individuals that some SIE files were downloaded from its MOVEit platform. The vulnerability was reportedly fixed in early June and the platform was taken offline. 

6 October

23andMe

Company type: Biotechnology

Attack type: Cyberattack 

Affected: About 6.9 million

Genetics testing company 23andMe informed its customers in October that a number of customer profiles had been involved in a data breach. 23andMe provides DNA testing that helps users learn more about their ancestry. 

The company itself was not hacked, but the attackers gained access to around 14,000 user accounts using leaked credentials, then were able to gain access to a huge number of other profiles linked to the ones they had hacked through the website’s DNA Relatives feature, which allows customers to compare ancestry information with other 23andMe users. The company was made aware of the breach when a hacker advertised unlawfully obtained customer data on a large scale in an online forum. 

An unknown threat actor has obtained access to customers’ personal information, which may include first and last names, email addresses, date of birth and information relating to the user’s ancestry. 23andMe believes the hackers may have used a technique called credential stuffing, which involves hackers using leaked credentials from other websites to breach 23andMe accounts.

The company confirmed on 5 December that around 6.9 million profiles were accessed in the breach, accounting for more than half its customer base. It said in some cases, hackers were able to access family trees, birth years and geographic locations, but not DNA records. 

11 October

Air Europa

Company type: Aviation

Attack type: Cyberattack 

Affected: 110,000 

Spanish airline Air Europa – the country’s third-largest airline company and a member of the Sky Team Alliance – suffered a cyberattack on its online payment system in October 2023. Data security analysts have concluded that Air Europa’s cyber attack lasted around nine days and affected around 110,000 customers. 

Hackers were able to obtain customers’ card numbers, expiration dates, and the three-digit card verification value (CVV). The airline carrier informed its customers of a data breach and advised them to cancel credit cards used on its system. Data obtained during the attack is thought to have been put up for sale on the dark web, and Air Europa has assumed full responsibility for the breach. It’s unknown who the hackers were, and no known hacking groups have claimed the attack.

11 October

Casio

Company type: Electronics manufacturer 

Attack type: Cyberattack 

Affected: 91,921 credentials

Casio, a popular Japanese electronics manufacturer, revealed a data breach that has impacted customers from 149 countries. During the cyberattack, hackers gained access to the servers used for Casio’s ClassPad education platform. The breach was detected on 11 October, following the failure of a ClassPad database. One day later, on 12 October, hackers accessed customers’ personal information, including names and email addresses, country of residence and purchase information, such as payment methods and licence codes. 

It has been revealed that hackers have accessed 91,921 credentials belonging to Japanese customers – including 1,108 educational institution customers – as well as 35,049 records belonging to customers from 148 countries and regions outside of Japan. 

25 October

Seiko

Company type: Watchmaker 

Attack type: Cyberattack 

Affected: 60,000 items of personal data

In October, Japanese watchmaker Seiko confirmed it experienced a data breach earlier this year. Seiko says it suffered a Black Cat ransomware attack, where its data was leaked, including sensitive personnel, partner and customer information. Seiko has confirmed that 60,000 items of personal data were compromised in the attack. 

In August, Seiko warned at least one of its servers had been compromised on 28 July. In late August, ransomware group Black Cat added Seiko to its extortion site. The group claimed to have stolen employee passport scans, new model release plans, specialised lab test results and confidential plans of new watch models. 

Seiko has confirmed the customer and personnel information such as names, email addresses and telephone numbers were obtained from the data breach, but no customer credit card information was stolen.

September 2023

4 September

Ministry of Defence

Company type: Government 

Attack type: Cyberattack 

Affected: 10 GB of data

The LockBit ransomware group from Russia has infiltrated the UK’s Ministry of Defence (MoD), releasing thousands of documents online. The breach occurred in August 2023, when LockBit targeted MoD contractor Zaun. The Wolverhampton fencing system manufacturer recently disclosed that it was a victim of a cyberattack by LockBit at the beginning of August.

The exposed data includes details on the Porton Down chemical weapon laboratory, HMNB Clyde nuclear submarine base, a GCHQ surveillance station in Cornwall, and a pivotal military location essential for cyber defence.

Reports indicate that detailed blueprints for the perimeter fencing at Cawdor, a British Army location in Pembrokeshire, and a map showing site installations have also been jeopardised. Moreover, the breach resulted in the theft of documents from several Category A prisons, including Long Lartin in Worcestershire and Whitemoor in Cambridgeshire.

4 September

Freecycle

Company type: Non-profit organisation 

Attack type: Data breach

Affected: 7 million users

Freecycle, a non-profit organisation for recycling and reusing items, reported a data breach that affected more than 7 million users. The breach was only discovered by Freecycle when the threat actor posted the stolen data on an online forum on 30 May 2023 – weeks after the breach took place.  

The online recycling platform notified its users and warned affected users to change their passwords. According to Freecycle, the stolen data includes usernames, user IDs, email addresses, and MD5-hashed passwords. During the breach, the credentials of the Freecycle founder Deron Beal were stolen, which gave the threat actor access to member information and forum posts. 

5 September

Atlas VPN

Company type: Cyber security

Attack type: Data leak caused by security vulnerability

Affected: Unknown 

Atlas VPN has announced the existence of a zero-day vulnerability affecting the Linux client, which allows website owners to discover the real IP addresses of Atlas users. The details relating to the exploit code were posted on Reddit by the person who discovered the security flaw and has since been confirmed by the company. 

Linux 1.0.3, which is the latest version, has an API endpoint that listens to the local host. It offers a command-line interface (CLI), which is responsible for disconnecting a VPN session. It was found this API does not perform an authentication, allowing any user to issue commands to the CLI – even a website you have visited. This vulnerability could potentially breach the privacy of Atlas VPN users and could expose their physical location and real IP address. 

The Reddit user who exposed the flaw claims there was no immediate response from Atlas VPN – which led to public exposure. When Atlas VPN did respond, it stated its team was working on a fix and that it would notify Linux users when there is an update available.

6 September

Sabre Corporation 

Company type: Travel agency 

Attack type: Data breach 

Affected: 1.3TB of data 

Sabre Corporation, a travel booking agency, reported the company was targeted by hackers in September. Sabre is a reservation system used by many companies around the world, with its software and data used for airline check-ins, hotel bookings and related apps. 

The cyber attack has been claimed by Dunghill Leak Group. The hackers claimed responsibility for the attack by listing on its dark web leak site that it had allegedly stolen around 1.3TB of data from Sabre. The leaked data includes sensitive information from ticket sales and passenger turnover, as well as corporate financial information and personal information from employees. 

11 September

Save the Children

Company type: Non-profit organisation   

Attack type: Data breach

Affected: 6.8TB of data 

The ransomware group BianLian has claimed responsibility for a cyber attack against the non-profit organisation Save the Children. The ransomware group claims to have stolen 6.8TB of data from the organisation on 11 September. It’s reported the stolen data includes personal data and HR files, as well as more than 800GB of financial records. 

A spokesperson for the charity said the hackers had gained unauthorised access to its network, but it had not affected operations, and the organisation has functioned as normal. Save the Children, which has 1,300 employees across 100 countries, says it will continue to work with external specialists to investigate the cyber attack and continue to follow cyber security protocols to protect its data. 

13 September

Airbus 

Company type: Aviation 

Attack type: Data breach

Affected: 3,200  

Aviation giant Airbus has reportedly investigated a data breach following reports that a hacker has posted personal information belonging to 3,200 of the company’s employees to the dark web. Cybercrime intelligence firm Hudson Rock reported the online moniker ‘USDoD’ claimed on a cybercrime forum that they had hacked Airbus. 

The hacker claims to have gained access to Airbus systems via a compromised account that belongs to a Turkish Airline employee. Credentials were stolen using malware. The compromised data includes email addresses, job titles, addresses, names and phone numbers.

August 2023

26 August

Metropolitan Police Service

Company type: Government 

Attack type: Data breach 

Affected: Currently unknown

The Metropolitan Police Service (MPS) launched an investigation into a potential data breach after detecting unauthorised access to the IT system of an MPS print supplier, Digital IT. The supplier had information, including names, ranks, photos, vetting levels, and pay numbers of officers and personnel. 

Digital IT also printed ID cards for the BBC, while ITV, Mitie and Royal Mail used its blank cards, loading the data in-house and leaving them unexposed to any breaches. 

21 August

Duolingo

Company type: Global language learning platform

Attack type: Data breach 

Affected: 2.6 million

The global learning language app Duolingo has over 74 million monthly users and, in January 2023, the scraped data of 2.6 million users appeared on the Breached hacking forum. An unknown party on the now-shutdown forum was advertising the data for $1,500. 

The disclosed data consists of both public elements, like login and real names, and confidential details, such as email addresses and internal Duolingo service data. Although the real and login names can be accessed from a user’s Duolingo profile, the revelation of email addresses is particularly troubling as it can facilitate potential attacks using the information.

The 16.3 million data points have just been readvertised for sale for $2.13 on a new version of the Breached forum, according to BleepingComputer. 

8 August

Electoral Commission

Company type: Government

Attack type: Data breach 

Affected: 40 million

The UK Electoral Commission revealed in August that an attack which took place as far back as August 2021 (and was discovered in October 2022), left the data of 40 million voters openly accessible.

Who the attackers were remains a mystery, with theories ranging from a hostile state such as Russia, or a cyber criminal gang. According to the Electoral Commission, much of the data already existed in the public domain and said it would be difficult to influence an election using this data, due to the UK’s largely paper-based election system.

With that said, the attackers were able to view full copies of the electoral registers, which include the name and address of anyone who was registered to vote between 2014 and 2022.

8 August

PSNI (Police Service of Northern Ireland)

Company type: Government

Attack type: Human error

Affected: Around 10,000

Another damaging data breach was revealed in August, when the details of every serving member and staff of the Police Service of Northern Ireland (PSNI) was made public for up to three hours.

The data was accidentally published online after a Freedom of Information request was made.

The breach included the surname, initials, rank or grade, a work location, and the department of all PSNI staff, but did not involve the officers’ and civilians’ private addresses. It also exposed the officers in the organised crime unit, intelligence officers, and nearly 40 officers based at the MI5 HQ in Northern Ireland.

1 August

Topgolf Callaway

Company type: US sports equipment manufacturer

Attack type: Data breach 

Affected: 1.1 million 

In early August, Topgolf Callaway (Callaway) experienced a data breach that jeopardised the account information and emails of over a million customers, including users of its subsidiaries – Odyssey, Ogio, and Callaway Gold Preowned.

The US sports equipment manufacturer focuses on golf-related products and has a global footprint in over 70 countries, making over $1.2 billion annually.

May 2023

3 May

Sysco

Company type: Food distributor 

Attack type: Threat actor 

Affected: 126,243

Leading food distribution company Sysco confirmed its network was breached earlier this year in an internal memo sent out to its employees. The cybersecurity attack was believed to have begun in January 2023 and was carried out by a threat actor who gained access to Sysco’s systems with no authorisation. 

According to bleepingcomputer.com, an investigation revealed the threat actor extracted certain company data, including data relating to the operation of the business, customers, employees and personal data of 126,243 customers. 

Sysco has stated the attack is not ongoing and the company has hired a cybersecurity firm to investigate the incident and notified federal law enforcement.

12 May

PharMerica

Company type: Pharmacy services 

Attack type: Data breach 

Affected: 5.8 million 

National pharmacy network PharMerica had to send letters out to more than 5.8 million individuals of a data breach that occurred in March 2023. PharMercia informed the Maine Attorney General’s Office in the US that more than 5.8 million individuals’ personal information was compromised after an unauthorised party accessed its computer system between 12 and 13 March.

Names, addresses, birth dates, Social Security numbers, health insurance, and medication information were among the personal data compromised during the breach. Security Week noted the letters sent out to individuals did not disclose details of the type of cyberattack, but it reportedly appears the Money Message ransomware group is responsible for the incident. 

PharMercia posted a data breach notice on its website, and informed Security Week, notifying the public of the attack, but made no mention of ransomware. 

15 May

US Department of Transportation (DOT)

Company type: Government department  

Attack type: Data breach

Affected: 237,000

Threat actors targeted the TRANServe system, which is responsible for compensating US Department of Transportation (USDOT) employees’ transportation costs. Cyber Security Connect noted the breach led to the data of 237,000 people being leaked, including 114,000 current and 123,000 former USDOT employees.

USDOT said in a statement the breach didn’t affect any transportation systems and didn’t comment on who was behind the attack. It also said transport safety systems remained unaffected.

18 May

Dish

Company type: American television provider

Attack type: Data leak caused by ransomware 

Affected: Nearly 300,000

Satellite broadcast giant Dish confirmed it was hit by ransomware and as a result, nearly 300,000 people’s personal information was leaked. The broadcast company suffered widespread outages and the attack affected internal communications, customer call centres and websites, according to The Record

On 18 May, Dish confirmed in letters sent out to customers that personal data was involved, including driver’s licence numbers. The letters also confirmed the network outage began on 23 February, which affected internal servers and IT systems. Dish claims it received confirmation the compromised data had been deleted, potentially implying the company paid a ransom to the threat actor involved.  

The Record noted Dish is offering those affected by the data breach two years of free credit-monitoring services.

22 May

Apria Healthcare

Company type: Healthcare

Attack type: Data breach

Affected: Nearly 2 million 

Apria Healthcare, one of America’s leading providers of home respiratory services and medical equipment, was impacted by a multi-year, months-long data breach between 2019 and 2021. 

According to Tech Target, nearly 2 million patients were only notified of the breach by Apria in May 2023 despite being alerted to unauthorised access to its systems in September 2021. Data potentially accessed during the incident included customers’ personal, medical, health insurance and financial information, as well as Social Security numbers. However, Apria claims there is no proof any of this data was taken from its systems.

Apria said it has since implemented additional security measures under the recommendations of forensic investigators to help prevent any future breaches.  

25 May

Tesla 

Company type: Automotive and energy 

Attack type: Whistleblower data breach

Affected: Unknown

According to Cyber Security News, Tesla suffered a data leak exposing thousands of safety complaints, with the leak traced back to a whistleblower who handed around 100GB of data to German newspaper Handelsblatt. It was reported Tesla received more than 2,400 complaints about self-acceleration issues and 1,500 complaints about brake problems on its vehicles’ Full Self-Driving (FSD) features between 2015 and March 2022. The newspaper received 23,000 files, including 3,000 entries outlining customers’ safety concerns and accounts of more than 1,000 collisions from the whistleblower. The files also reveal customer and employee information, including phone numbers, salaries of employees and bank details of customers. 

Tesla says it protects the confidential information of its customers and employees. The company intends to initiate legal proceedings for the theft of Tesla’s confidential information. 

29 May

MCNA 

Company type: Dental services

Attack type: Data breach

Affected: 8.9 million

MCNA, One of the largest government-sponsored dental care services in America, published a data breach notification on its website informing nearly 9 million patients their data had been compromised. 

MCNA became aware of the cyberattack on its computer systems on 6 March, and an investigation revealed hackers had first gained access to the network on 26 February. The data extracted included phone numbers, addresses, driving licence numbers and health insurance plan details. 

According to bleepingcomputer.com, the LockBit ransomware gang claimed the cyberattack on 7 March.

30 May

Capita

Company type: Professional services

Attack type: Hacking

Affected: 90 organisations

Capita, the outsourcing and professional services group that runs pension schemes for Royal Mail and Axa, suffered a cyber attack that affected around 90 organisations. Crucial services for local councils, the military and the NHS were among those affected by the attack, which also caused IT outages in March 2023.

The Pension Regulator (TPR) wrote to more than 300 pension funds requesting them to check whether they had been affected. 

According to The Guardian, a second data breach occurred in May when Capita reportedly left benefits data files in publicly accessible storage, prompting several councils to announce their data had been compromised. The Information Commissioner’s Office (ICO) is urging organisations that use Capita’s services to investigate whether they have been affected by the breaches.

April 2023

20 April

American Bar Association (ABA)

Company type: Legal

Attack type: Hacking

Affected: 1.4 million

According to Bleeping Computer, ABA, the largest association of lawyers and legal professionals globally, disclosed that 1,466,000 members were affected by a data breach caused by an unauthorised third party accessing company networks on 6 March. Investigations were launched by ABA and cybersecurity experts on 17 March when the unusual activity was detected. 

The data breach may have exposed old member login credentials for a system that was decommissioned in 2018. The credentials were “hashed and salted” (converted from plain text into a more secure format). Although no personal or corporate data was stolen, this leaves room for threat actors to abuse credentials over time, especially if members have not changed the original password assigned by ABA.

14 April

Kodi

Company type: Open source media player software 

Attack type: Threat actor

Affected: 400,000

User records and private messages were stolen by a threat actor that twice logged into the account of an inactive Kodi MyBB forum admin member in February. The Hacker News reported that this allowed them to create, download and delete backups of the forum’s entire database. The database contained the information of 400,635 users, including public and team forum posts, user-to-user messages and general user credentials (email addresses as well as encrypted passwords). The threat actor also attempted to sell the data on cybercrime marketplace: BreachForums, which has now been taken down as the founder is being charged for stolen data.

Kodi’s MyBB forum was taken down as it commissioned a new server to relaunch a newer version of the software. Although no malicious activity or credential theft was detected, Kodi hoped to run a global password reset to stay on the side of caution, and urged users to update passwords on other websites if it was the same as they had been using for the member forum. Additionally, Kodi is reinforcing security measures to prevent future incidents, mostly around admin roles and access.

4 April 

NewYork-Presbyterian (NYP) Hospital 

Company type: Healthcare organisation

Attack type: Data exposure through use of third-party tracking and analytics tools

Affected: 54,000

NYP Hospital has been stung for using third-party tracking tools to analyse how visitors interacted with its website. Over 54,000 people have been notified that their patient information may have been compromised. According to Health IT Security’s report, once NYP Hospital had realised the error, it disabled use of the tracking tools and launched an investigation. It concluded that information, including the IP addresses and URls of visited pages, as well as names, email addresses and gender information, if available on particular pages, may have been exposed. There was nothing to suggest that social security numbers, financial or sensitive data was compromised and since NYP Hospital is reevaluating how it collects data and monitors user engagement. 

March 2023

29 March 

VodafoneZiggo 

Company type: Telecom provider

Attack type: Data breach (third-party software issue)

Affected: 700,000

Dutch telecom provider VodafoneZiggo reported a data breach incident to the Dutch Data Protection Authority (DDPA) after an unauthorised person was able to access consumer information that included names and email addresses. This was due to an issue with the company’s party software provider. No bank details or passwords were compromised, according to the NL Times, but the exposure of personal contact details enhances exposure to phishing scams so anyone concerned should be vigilant. 

28 March 

T-Mobile

Company type: Large telecommunications company based in US

Attack type: Hacking

Affected: 836

T-Mobile became aware of their second attack of 2023 on 27 March. Hackers accessed the information of some 836 customers, which exposes them to phishing attacks and fraud. On 28 April, Bleeping Computer shared the notification letter that was sent to those affected. The letter states: “No personal financial account information or call records were affected.” It also highlighted how the information shared varied across customers, but that it may have included PII as well as social security numbers, government IDs and T-Mobile account pins. T-Mobile also reset customer pins and offered two years free credit monitoring as compensation.

21 March

Independent Living Systems

Company type: Large health and social support company based in US

Attack type: Hacking

Affected: 4.2 million

On 14 March 2023, Independent Living Systems, a Miami-based healthcare administration that serves 5 million Americans, issued letters to customers affected by a 2022 data breach in which sensitive patient information (potentially including names, contact information, driver’s licence, state identification, social security numbers, Medicare/Medicaid IDs, general health and health insurance information) was accessible and potentially viewed by unauthorised persons. 

The notice states: “We are unaware of any identity theft or fraud resulting from this event,” ahead of detailing how its systems were hacked between 30 June and 5 July 2022 and how, on realising the breach, the company conducted a review. The results were released on 17 January 2023, at which point the company claims to have acted as quickly as possible to notify those affected. However, Independent Living Systems is now being sued for failure to adequately safeguard patient data and for the wait time ahead of notifying those 4.2 million (the majority of its customer database) that may be at risk.

17 March 

Latitude Financial Services 

Company type: Large financial services company based in Australia and New Zealand

Attack type: Threat actor

Affected: 14 million

Latitude Financial Services is a leading instalments and lending business. It has a current database of 2.8 million customer accounts and over 5,500 merchant partners across Australia and New Zealand. It went public about a data breach on 16 March, confirming that a threat actor stole an employee’s log-in details and was able to access two of its service providers. According to Latitude Financial’s review (which is still ongoing), approximately 7.9 million driver licence numbers were stolen and a further 6.1 million records (including PII) were stolen.

The case is ongoing, much to customers’ fury, and  Latitude have confirmed they will not pay a ransom to those behind the cyberattack.

16 March

PayPal

Company type: Global online payment platform based in US

Attack type: Cyberattack

Affected: 35,000 users

In 2023, Paypal confirmed that it suffered a security breach in December 2022, compromising personal and financial information of almost 35,000 users.

According to legalscoops.com, PayPal started an investigation as soon as it detected the attack, which took place between the 6 and 8 December, but it wasn’t complete until 20 December. The letter notifying those affected was distributed 23 January, disclosing that the hackers may have had access to social security numbers, bank account numbers and PayPal account balances, in addition to PII. Although PayPal noted that log-in details weren’t accessed via its own network, it didn’t elaborate on how these credentials were acquired. 

Some users have now filed lawsuits against PayPal as they are dissatisfied with the apology and compensation of free credit monitoring and identity theft protection services. Further advice from PayPal is to update passwords and keep an eye out for suspicious activity.   

10 March

Postal Prescription Service (PPS)

Company type: Large mail-order pharmacy service

Attack type: Internal/human error

Affected: 82,466

PPS, a mail-order pharmacy service and part of retail company Kroger, had to notify 82,466 individuals that they may have had their data breached due to an internal error. No sensitive medical or financial information was shared, however, the names and emails of users that created grocery accounts between July 2014 and 13 January 2023 were exposed. Health IT Security noted how PPS did not share more information on the exact cause of the internal error, but that it is updating its website and making procedural changes to avoid recurrences.

10 March

Florida Medical Clinic (FMC) 

Company type: Healthcare provider

Attack type: Ransomware, followed by hacking

Affected: 95,000

FMC became aware of suspicious activity on its servers on 9 January at which point it contained the incident and launched an investigation with a third-party forensic firm which confirmed that files stored on the FMC system were accessed by one or more unauthorised parties. The data included consumers’ names, social security numbers, medical information, phone numbers, email addresses, dates of birth, and addresses, according to JD Supra’s report. Letters were sent out to those affected on 10 March.

9 March

AT&T

Company type: Large multinational telecommunications holding company based in US

Attack type: Data breach, vendor hack

Affected: 9 million

AT&T told BleepingComputer that 9 million wireless customers may have had their Customer Proprietary Network Information (CPNI) accessed. This kind of data includes first names, wireless account numbers, wireless phone numbers, and email addresses, with some dated information on rate plan names and payment history. According to BleepingComputer, AT&T claimed this was due to device upgrade eligibility and that their systems were not compromised. 

February 2023

13 February

TMX Finance

Company type: Lending business

Attack type: Hacking

Affected: 4,822,580

On 30 March, TMX Finance started sending letters to 4,822,580 customers that had their data leaked. The Canadian finance company detected malicious activity on 13 February and, according to Bleeping Computer’s report, it suspects that client information – including social security and driver’s licence number, financial, tax and personal identification information – was stolen between 3 and 14 February.

TMX believes the situation is contained but is continuing to monitor its systems and looks to enhance online employee and system access security. It is also encouraging those affected to enrol in a free 12-month identity protection service via Experian with a security freeze.

13 February

Heritage Provider Network, Regal Medical Group

Company type: Largest private healthcare network based in US

Attack type: Ransomware cyberattack

Affected: 3.3 million

A data breach notice was sent out on 1 February by Regal Medical Group disclosing that malware was detected on some of its servers as a result of a threat actor hacking its systems. Cybernews.com reported that the compromised data of those 3.3 million affected may have included basic PII as well as medical information, including radiology reports and prescriptions and health plan details.

6 February

Highmark Health

Company type: Large non-profit healthcare company based in US 

Attack type: Phishing attack

Affected: 300,000

According to Beckershospitalreview.com, between 13 and 15 December an employee received a phishing link via email which allowed a hacker to access data of some 300,000 members. Customers were notified by letter on 13 February. On 6 Feb Highmark Health filed the notice and Databreaches, one of the first to report on the incident, says that two versions of the letter were sent out as some had social security numbers compromised and others protected health information, passport numbers and financial information. Highmark Health, who currently serve 5.6 million members, now has details online about how to spot a phishing email and avoid email fraud.

3 February

TruthFinder and Instant Checkmate

Company type: Large subscription-based background check services based in US

Attack type: Cyberattack

Affected: 20.22 million 

According to BleepingComputer, on 21 January, hackers leaked a 2019 backup database containing the information of 20.22 million users of PeopleConnect-owned background check services TruthFinder and Instant Checkmate. 

Subsequent announcements share that the exposed lists were created internally several years before and logged information of customer accounts created between 2011 and 2019. The lists contained PII as well as encrypted passwords and expired or inactive password reset tokens, but no payment details or user data was included.

January 2023

30 January

JD Sports

Company type: Large fashion retailer based in UK

Attack type: Cyberattack

Affected: 10 million

Fashion retailer JD Sports notified the Information Commissioner’s Office about the incident which affected approximately 10 million online users, including customers purchasing items on Size?, Blacks and Millets at the end of 2022. According to a statement, the affected data was limited but included names, phone numbers, order details and the final four digits of payment cards (but not full payment details). JD is said to be investigating the incident with cybersecurity experts to avoid recurrences. 

23 January

Diksha Indian Education app

Company type: Public education app launched in 2017 based in India

Attack type: Unsecured server

Affected: 1.6 million 

Data stored in an obligatory public education app that was launched in 2017 was left unprotected for at least four years, meaning that even a simple Google search could have exposed the personal information of students and teachers. According to Wired, the files were available for download via Grayhat Warfare, a go-to searchable database on which hackers and security researchers can access unsecured servers.

The files contained full names, phone numbers and email addresses of some 1 million teachers. Another file that kept student information, although it partially concealed their email addresses and phone numbers, nearly 600,000 student names along with their schooling history, details of when they enrolled on the app and progress on the course was exposed. 

20 January

T-Mobile

Company type: Large telecommunications company based in US

Attack type: Bad actor, hacker

Affected: 37 million

Hit once again following no less than eight disclosed hacks since 2018, T-Mobile said that it detected malicious activity on its servers on 5 January and shut it down within 24 hours. The company was said to be less forthcoming concerning information that the bad actor gained access to customer data from 37 million accounts, around 25 November 2022. The customer information included names, birth dates, and phone numbers. 

According to wraltechwire, no passwords, PINs, bank account or credit card information were disclosed, nor were social security numbers or other government IDs.

19 January

Transportation Security Administration (TSA) 

Company type: Agency of the United States Department of Homeland Security

Attack type: Hacker of unsecured server (accidental)

Affected: 1.5 million 

A Swiss hacker who goes by the name maia arson crimew obtained an old copy of the US government’s Terrorist Screening Database and a “no fly” list that was available on an unsecured server. 

The data belongs to commercial airline, CommuteAir who confirmed it contained 1.5 million entries, including names and birthdates of individuals (not all unique as the list contains multiple aliases) that the government has banned from air travel as well as information on 1,000 company employees according to the Daily Dot, who first reported on the case. 

19 January

NortonLifeLock

Company type: Large multinational cybersecurity software and services provider with 80 million users across 150 countries based in US

Attack type: Credential stuffing attack

Affected: 925,000

Consumer safety provider NortonLifeLock, part of Gen Digital, was subject to a credential stuffing attack, compromising the data of 925,000 customers.

According to IT governance, customers’ full names, phone numbers and mailing addresses may have been leaked, and hackers may have also been able to access information stored in the Norton Password Manager feature to find passwords for other accounts, the latter being the most likely motivation for the attack. NortonLifeLock shared that the breach started 1 December 2022 and urges customers to use 2FA alongside other security measures. 

10 January

Zurich Insurance (car insurance)

Company type: Leading insurer serving 200 countries, founded in Zurich 

Attack type: Data breach

Affected: 757,463

This data leak stemmed from an external service provider compromised names, gender, date of birth, email addresses, policy number and more of 757,463 Zurich “Super Automobile Insurance” holders in Japan. According to the Switzerland Times, customers outside of Japan were not affected and credit card numbers or bank account information was not revealed.

9 January

Aflac Life Insurance (cancer insurance policyholders)

Company type: Fortune 500 company based in US

Attack type: Data breach

Affected: 1.3 million  

Aflac confirmed on 9 January that it was notified about customer information being leaked onto a data breach forum by a hacker that had accessed a server 7 January, via an external contractor. 

Aflac told Data Breach Today that the risk of misuse of information by third parties is low since it’s difficult to identify customers by the specific data leaked: last name, age, gender, insurance type number, coverage amount and premiums. 3.2 million records were accessed in total, 1.3 million of which were related to “New Cancer Insurance” and “Super Cancer Insurance” policyholders.

4 January

Twitter

Company type: Large social media company based in US

Attack type: Data leak (threat actor)

Affected: 235 million

On 4 January, an estimated 235 million Twitter users and their associated email addresses were leaked to an online hacking forum, selling for around $2 according to BleepingComputer. This isn’t the first data breach for Twitter and BleepingComputer continued to report that it may be a cleaned-up version of the 400 million Twitter profiles which were circulated in November 2022, created by threat actors as far back as 2021. Twitter doesn’t believe there is evidence to show the data exploited a vulnerability in its systems and urges account holders to enable 2FA and hardware security apps to stay better protected.

What should you do if you were part of a data breach?

If you were affected by a breach, the company will usually inform you by letter or email. However, it could depend on the nature of the cyberattack. Many US-based companies prefer to keep information regarding a breach quiet when they are first made aware, and will sometimes attempt to contain the situation in a way in which they may not be legally obliged to inform those involved or to officially report the incident at all. In some cases, months have gone by without the people concerned being notified, as with the Independent Living Systems breach when almost eight months had passed, increasing the chances of lawsuits. 

If you’re in any doubt, you can simply check if your email address has been compromised, and where, on Have I Been Pwned. Also, if you have been officially notified, said company should also offer up information on how it’s rectifying the situation, how you can stay secure and how they will prevent problems in the future. It goes without saying that you should stay wary of phishing emails, and fact check the business or company’s data breach claim(s) by keeping an eye out for official communication on news outlets, or even for word on socials, like (albeit ironically) Twitter, Reddit and so on, to be a part of the immediate conversation. 

Companies in the UK must notify the ICO within 24 hours of discovering the data breach to avoid penalty, the website offers further information on what to include in the alert and how to let customers know. In the US, the Federal Trade Commission has a step-by-step guide on best practice. 

How can I protect my company from data breaches?

Prevention is the best protection when it comes to cybersecurity according to experts and, although 80 per cent of data breaches are caused by external actors as per Verizon’s Data Breach Investigations Report 2022, rigorous training of staff to help recognise phishing emails and malicious activity is a must. “Human error was a major contributing cause in 95 per cent of all breaches,” according to a historic IBM Cyber Security Intelligence Index Report. Further, the more recent 2022 report notes that: “Human errors, meaning breaches caused unintentionally through negligent actions of employees or contractors, were responsible for 21 per cent of breaches” in organisations. 

With that in mind, SoSafe Cyber Trends Report 2023 shares that people can also be the biggest asset to a company when it comes to cybersecurity, so companies should invest in knowledge and training concerning cybercrime. The same report highlights how security teams should strive to keep up with the pace of cybercriminals, considering AI-powered tools and more that can fend off attacks. 

Forging a sense of trust with employees is worthwhile, too, so that, should someone realise they opened a file or clicked a link they shouldn’t have, they will be comfortable reporting the incident rather than ignoring it, which could lead to an aggravated outcome. Cybercrime causes lots of different stresses, notably financial and emotional stress, and if companies don’t offer enough support to employees in their cybersecurity departments by investing in their training, and that of the general staff, it can lead to burnout and increased resignation rates.

How can I protect my data from breaches?

An easy way to start protecting your data is to set up a secure VPN across all of your devices (laptop, mobile, tablet, etc). Note that the most protected options will usually be monitisied, but for many it’s a small price to pay for peace of mind and better security. 

Also, turning on 2FA where you can and updating passwords regularly with a mix of uppercase and lowercase letters, special characters, and numbers that don’t relate to your personal information. You should try not to replicate your password(s) across multiple log-ins. If you’ve run out of steam for new passwords, you can use online tools like Secure Password Generator to help.

PCWorld advised in the wake of the PayPal data leaks that by using a good password and 2FA some of the data would have been better protected and secured. This is likely to be the case for the Twitter breaches and the NortonLifeLock case. If you own a company, there are payable options with enhanced security settings for employees, like LastPass and Dashlane.

rachel

Rachel Sadler

Home Tech Writer

Rachel is a seasoned writer who has been producing online and print content for seven years. 

As a home tech expert for Independent Advisor, Rachel researches and writes buying guides and reviews, helping consumers navigate the realms of broadband and home security gadgets. She also covers home tech for The Federation of Master Builders, where she reviews and tests home security devices. 

She started as a news and lifestyle journalist in Hong Kong reporting on island-wide news stories, food and drink and the city’s events. She’s written for editorial platforms Sassy Hong Kong, Localiiz and Bay Media. While in Hong Kong she attended PR events, interviewed local talent and project-managed photoshoots. 

Rachel holds a BA in English Language and Creative Writing and is committed to simplifying tech jargon and producing unbiased reviews.

Cam is an experienced writer and editor who has been creating content for more than 10 years. She studied English Language and Italian at The University of Manchester, where she started out blogging and copywriting on fashion and travel.

She’s worked for Groupon and its partnerships – including <em>The Guardian</em> UK and US, the <em>HuffPost</em>, and Today.com</i> – and has covered a plethora of topics, from kitchen design trends to the best ways to score a good deal on home insurance. S

Swifty tapping into her love for everything home decor-related, she moved into the interior design space and edited realhomes.com, part of Future plc, for three years, where she worked with a tonne of DIY and renovation experts.

She currently lives in North London and is passionate about helping others perfect their surroundings with stunning interiors and functional home additions, whether they own or rent.

amy

Amy Reeves

Editor

Amy is a seasoned writer and editor with a special interest in home design, sustainable technology and green building methods.

She has interviewed hundreds of self-builders, extenders and renovators about their journeys towards individual, well-considered homes, as well as architects and industry experts during her five years working as Assistant Editor at Homebuilding & Renovating, part of Future plc.