It’s been another banner year for data breaches. The security tracking organization Breach Level Index reports 10.5 million records lost or stolen every day in the first half of the year, a trend that continued unabated through the fall. Consulting firm RiskBasedSecurity reported 7 billion records exposed by the end of Q3.

This year’s roster of victims reads like a Who’s Who of top players in a range of industries, from financial services to healthcare to fast food.

The Equifax breach in particular may prove a game-changer. As a credit reporting agency, the company sits on some of the most sensitive personal data. The breach sent a powerful message: Even the gatekeepers themselves are vulnerable.

There can be no definitive list of “biggest” breaches: The scope of a breach may never be known. But we can list the worst breaches. They’re culled from among the biggest, but are also most impactful in terms of the breadth of industries, the high profile of the victims, and the ways in which they demonstrate the potential fragility of systems.


The 10 Worst Data Breaches of 2017:


  1. Equifax. A September breach at this credit reporting agency exposed Social Security and driver’s license numbers of as many as 143 million consumers. Hackers exploited a weakness in website software to linger in the system for months.
  2. Chipotle. The burrito chain said it had detected unauthorized activity on its website. An investigation found malware designed to access payment card data from cards used on point-of-sale (POS) devices.
  3. Dun & Bradstreet saw its marketing database of some 33 million corporate contacts leaked across the web. Media reports suggest full names, phone numbers and other data related to the Defense Department, AT&T and Wal-Mart may have been compromised.
  4. Verizon responded to media reports that a vendor working on its behalf had allowed a breach of data impacting some 14 million subscribers. Verizon claimed that no one had accessed the data except the researcher who spotted the breach.
  5. Security researchers at UpGuard discovered that a misconfigured database owned by the Republican National Committee had exposed voting data on nearly 200 million people. Marketing firm Deep Root Analytics had stored more than 1.1 terabytes of RNC information on a publicly accessible cloud server hosted on Amazon Web Services.
  6. The IRS acknowledged that up to 100,000 taxpayers may have had their personal information compromised by hackers exploiting the IRS Data Retrieval Tool, which is used to complete the Free Application for Federal Student Aid (FAFSA). The IRS disabled the tool when it suspected identity thieves were using it to steal personal data.
  7. Kmart parent Sears Holdings revealed that store payment systems had been infected with malware, but said shoppers were not impacted.
  8. SVR Tracking, a San Diego-based service that gives auto dealerships the ability to locate their vehicles, said it had allowed more than 540,000 customer records to be visible online.
  9. Edmodo got hit by a hacker known as nclay. The education platform, which claims a user base of 78 million teachers, students and parents, reportedly saw the theft of 77 million user accounts, which hackers put up for sale on the Dark Web.
  10. University of North Carolina Health Care System notified patients of a potential breach, saying an attack compromised personal information on women who had completed pregnancy home risk screening forms at prenatal appointments since 2014.


Bonus breach:

Uber got breached in late 2016 but didn’t disclose the information until November 2017. Hackers got the names and driver’s license numbers of around 600,000 drivers and personal information of 57 million Uber users.

What other breaches got your attention this year? Let us know in the comments.