Date: 2023-03-31


Live company data breaches and stats for 2023

Written by Camille Dubuis-Welch
Updated May 18, 2023
Verified by Amy Reeves

In this guide

  • Top data breach stats for 2023
  • Company data breaches in 2023
  • April 2023
  • March 2023
  • February 2023
  • January 2023
  • What should you do if you were part of a data breach?
  • How can I protect my company from data breaches?
  • How can I protect my data from breaches?

Like it or not, cybercrime is prolific. With an estimated 8,000 cyberattacks per year, staying secure online simply can’t be assumed or left as an afterthought. Being savvy with your internet security is as much about keeping your passwords complex and secure as it is about installing a reliable VPN and remaining vigilant with two-factor authentication (2FA).

More and more companies are falling victim to cyberattacks, phishing scandals and ransomware leading to data leaks, huge payouts and often lawsuits. It’s clear that cybercriminals are getting increasingly creative, that anyone can be targeted and that there is still a lot to learn around prevention and recovery. 

There is a hacker attack every 39 seconds and 2023 has already seen a number of high-profile cybersecurity incidents, with some rumoured to be recurring attacks from previous years or even months before, and some big data leaks on smaller companies in the healthcare sector. 

According to IBM Security’s Cost of a Data Breach Report for 2022, 83 per cent of organisations have had more than one breach and 42 million records were supposedly exposed due to data breaches between March 2021 and February 2022. Alarmingly, these records can include anything from first names and email addresses to passport copies, sensitive healthcare information and financial details.

Generally speaking, data breaches are taking longer to identify and contain than in previous years — with ransomware-related breaches taking 49 days longer in 2021 than the average time in previous years, according to IBM. Although most people would assume that the risk of data leaks would be higher in companies that haven’t got a fully-fledged cybersecurity team in place (for example, a small hospital), cases such as the latest Twitter cyberbreach prove that companies with perceived high cybersecurity won’t always outsmart a hacker.

According to Mimecast’s State of Email Security Report for 2023, the threat of cyber incidents is now one of the most important global risks to businesses, following the Allianz Risk Barometer survey which highlights how the risks involved might outweigh climate change, staff shortages and even the likelihood of recession.

While not all cases of a data breach lead to fraud or identity theft, compromised data is still an expensive business for companies and the repercussions stretch further to impact consumer trust and brand reputation, not to mention the mental and financial health of anyone directly involved. 

Our expert researchers have compiled the most notable data breaches of 2023 so far, which have led to millions of records being leaked or exposed in one way or another – 346,758,345 to be precise. Records or data include basic personally identifiable information (PII) which can be used to identify someone – such as a name, date of birth, address, and phone number – and in some cases records may have included social security numbers, financial or sensitive health information.

Looking more closely at the data, there were 1.9 million people affected by data breaches in April 2023, and numbers have also crept up for March and February as new cases of data breaches have been reported around the globe. T-Mobile discovered another breach on 27 March. Although 836 is a relatively small figure compared to the 37 million customers affected in its breach in January, it’s certainly enough to eat away at the brand’s credibility.

Each case varies and, although not all reports are officially “confirmed”, they carry lots of potential risk. For example, millions of Brits now have potentially compromised data due to a Labour phone banking system glitch, while across the pond, iD Tech still isn’t confirming a breach which potentially exposed almost one million user records, even though the incident has been reported and many of those involved were made aware by Have I Been Pwned.

Top data breach stats for 2023

Number of people affected to date in 2023: 346,758,345

2023’s biggest breach to date: Twitter, with allegedly 235 million emails leaked

UK’s biggest breach: 10 million JD Sports customers exposed

US’s biggest breach: 37 million T-Mobile customers affected

Number of potential records compromised in April: 1,920,000

Number of potential records compromised in March: 31,413,302

Number of potential records compromised in February:  25,342,580

Number of potential records compromised in January: 288,082,463

Number of personal records compromised by telecom providers: 46,700,836

Number of personal records compromised in the healthcare sector: 9,249,000

Number of personal records compromised in the finance sector: 365,000 

Data leaks caused by threat actors: 289,700,000

Data leaks caused by hacking: 32,303,580

Data breaches caused by third party data exposure: 11,354,000

Data breaches caused by human error: 382,466

Company data breaches in 2023

Common patterns that will emerge as you review the latest company data breaches are that human (and company) error is often the culprit, all types of companies can be targeted, and the motivation behind cyberattacks is, more often than not, money-related.

Data is often stolen by hacking, which is someone gaining unauthorised access, usually electronically, to a system. Phishing is a type of social engineering attack whereby seemingly innocuous emails are sent to victims containing links that may install ransomware or allow a bad actor access to systems. Phishing can also be used to lure people into entering personal information, leading to data theft or fraud. It may be used for impersonation that eventually leads to another cybercrime, such as asking someone to transfer a large sum of money into an offshore bank account.

The term bad/threat actor refers to anyone who causes harm in the digital sphere; they are slightly different to hackers in that they may not necessarily have the technical skills to hack a system but will exploit a vulnerable server, eventually leading to a data breach or another type of cybercrime.

Other factors that commonly lead to a data breach include malware – damaging software that infects devices with viruses – ransomware and spyware, which can then corrupt files and compromise data.

Below, we have created a timeline of the data breaches so far in 2023.

April 2023

20 April (latest updates)

American Bar Association (ABA)

Company type: Legal

Attack type: Hacking

Affected: 1.4 million

According to Bleeping Computer, ABA, the largest association of lawyers and legal professionals globally, disclosed that 1,466,000 members were affected by a data breach caused by an unauthorised third party accessing company networks on 6 March. Investigations were launched by ABA and cybersecurity experts on 17 March when the unusual activity was detected. 

The data breach may have exposed old member login credentials for a system that was decommissioned in 2018. The credentials were “hashed and salted” (converted from plain text into a more secure format). Although no personal or corporate data was stolen, this leaves room for threat actors to abuse credentials over time, especially if members have not changed the original password assigned by ABA.

 

14 April

Kodi

Company type: Open source media player software 

Attack type: Threat actor

Affected: 400,000

User records and private messages were stolen by a threat actor that twice logged into the account of an inactive Kodi MyBB forum admin member in February. The Hacker News reported that this allowed them to create, download and delete backups of the forum’s entire database. The database contained the information of 400,635 users, including public and team forum posts, user-to-user messages and general user credentials (email addresses as well as encrypted passwords). The threat actor also attempted to sell the data on the cybercrime marketplace BreachForums, which has now been taken down as the founder is being charged for stolen data.

Kodi’s MyBB forum was taken down as it commissioned a new server to relaunch a newer version of the software. Although no malicious activity or credential theft was detected, Kodi hoped to run a global password reset to err on the side of caution, and urged users to update their passwords on other websites if they were the same as the one they had been using for the member forum. Additionally, Kodi is reinforcing security measures to prevent future incidents, mostly around admin roles and access.

 

4 April 

NewYork-Presbyterian (NYP) Hospital 

Company type: Healthcare organisation

Attack type: Data exposure through use of third-party tracking and analytics tools

Affected: 54,000

NYP Hospital has been stung for using third-party tracking tools to analyse how visitors interacted with its website. Over 54,000 people have been notified that their patient information may have been compromised. According to Health IT Security’s report, once NYP Hospital had realised the error, it disabled use of the tracking tools and launched an investigation. It concluded that information, including the IP addresses and URLs of visited pages, as well as names, email addresses and gender information, if available on particular pages, may have been exposed. There was nothing to suggest that social security numbers, financial or sensitive data was compromised, and NYP Hospital has since been reevaluating how it collects data and monitors user engagement.

March 2023

29 March 

VodafoneZiggo 

Company type: Telecom provider

Attack type: Data breach (third-party software issue)

Affected: 700,000

Dutch telecom provider VodafoneZiggo reported a data breach incident to the Dutch Data Protection Authority (DDPA) after an unauthorised person was able to access consumer information that included names and email addresses. This was due to an issue with the company’s third-party software provider. No bank details or passwords were compromised, according to the NL Times, but the exposure of personal contact details increases the risk of phishing scams, so anyone concerned should be vigilant.

 

28 March 

T-Mobile

Company type: Large telecommunications company based in US

Attack type: Hacking

Affected: 836

T-Mobile became aware of its second attack of 2023 on 27 March. Hackers accessed the information of some 836 customers, which exposes them to phishing attacks and fraud. On 28 April, Bleeping Computer shared the notification letter that was sent to those affected. The letter states: “No personal financial account information or call records were affected.” It also highlighted how the information exposed varied across customers, but that it may have included PII as well as social security numbers, government IDs and T-Mobile account PINs. T-Mobile also reset customer PINs and offered two years of free credit monitoring as compensation.

 

21 March

Independent Living Systems

Company type: Large health and social support company based in US

Attack type: Hacking

Affected: 4.2 million

On 14 March 2023, Independent Living Systems, a Miami-based healthcare administration that serves 5 million Americans, issued letters to customers affected by a 2022 data breach in which sensitive patient information (potentially including names, contact information, driver’s licence, state identification, social security numbers, Medicare/Medicaid IDs, general health and health insurance information) was accessible and potentially viewed by unauthorised persons. 

The notice states: “We are unaware of any identity theft or fraud resulting from this event,” ahead of detailing how its systems were hacked between 30 June and 5 July 2022 and how, on realising the breach, the company conducted a review. The results were released on 17 January 2023, at which point the company claims to have acted as quickly as possible to notify those affected. However, Independent Living Systems is now being sued for failure to adequately safeguard patient data and for the wait time ahead of notifying those 4.2 million (the majority of its customer database) that may be at risk.

 

17 March 

Latitude Financial Services 

Company type: Large financial services company based in Australia and New Zealand

Attack type: Threat actor

Affected: 14 million

Latitude Financial Services is a leading instalments and lending business. It has a current database of 2.8 million customer accounts and over 5,500 merchant partners across Australia and New Zealand. It went public about a data breach on 16 March, confirming that a threat actor stole an employee’s log-in details and was able to access two of its service providers. According to Latitude Financial’s review (which is still ongoing), approximately 7.9 million driver licence numbers were stolen and a further 6.1 million records (including PII) were stolen.

The case is ongoing, much to customers’ fury, and Latitude has confirmed it will not pay a ransom to those behind the cyberattack.

 

16 March

PayPal

Company type: Global online payment platform based in US

Attack type: Cyberattack

Affected: 35,000 users

In 2023, PayPal confirmed that it suffered a security breach in December 2022, compromising personal and financial information of almost 35,000 users.

According to legalscoops.com, PayPal started an investigation as soon as it detected the attack, which took place between 6 and 8 December, but it wasn’t complete until 20 December. The letter notifying those affected was distributed on 23 January, disclosing that the hackers may have had access to social security numbers, bank account numbers and PayPal account balances, in addition to PII. Although PayPal noted that log-in details weren’t accessed via its own network, it didn’t elaborate on how these credentials were acquired.

Some users have now filed lawsuits against PayPal as they are dissatisfied with the apology and compensation of free credit monitoring and identity theft protection services. Further advice from PayPal is to update passwords and keep an eye out for suspicious activity.   

 

10 March

Postal Prescription Service (PPS)

Company type: Large mail-order pharmacy service

Attack type: Internal/human error

Affected: 82,466

PPS, a mail-order pharmacy service and part of retail company Kroger, had to notify 82,466 individuals that they may have had their data breached due to an internal error. No sensitive medical or financial information was shared; however, the names and emails of users that created grocery accounts between July 2014 and 13 January 2023 were exposed. Health IT Security noted how PPS did not share more information on the exact cause of the internal error, but that it is updating its website and making procedural changes to avoid recurrences.

 

10 March

Florida Medical Clinic (FMC) 

Company type: Healthcare provider

Attack type: Ransomware, followed by hacking

Affected: 95,000

FMC became aware of suspicious activity on its servers on 9 January, at which point it contained the incident and launched an investigation with a third-party forensic firm, which confirmed that files stored on the FMC system were accessed by one or more unauthorised parties. The data included consumers’ names, social security numbers, medical information, phone numbers, email addresses, dates of birth, and addresses, according to JD Supra’s report. Letters were sent out to those affected on 10 March.

 

9 March

AT&T

Company type: Large multinational telecommunications holding company based in US

Attack type: Data breach, vendor hack

Affected: 9 million

AT&T told BleepingComputer that 9 million wireless customers may have had their Customer Proprietary Network Information (CPNI) accessed. This kind of data includes first names, wireless account numbers, wireless phone numbers, and email addresses, with some dated information on rate plan names and payment history. According to BleepingComputer, AT&T claimed this was due to device upgrade eligibility and that their systems were not compromised. 

February 2023

13 February

TMX Finance

Company type: Lending business

Attack type: Hacking

Affected: 4,822,580

On 30 March, TMX Finance started sending letters to 4,822,580 customers that had their data leaked. The Canadian finance company detected malicious activity on 13 February and, according to Bleeping Computer’s report, it suspects that client information – including social security and driver’s licence number, financial, tax and personal identification information – was stolen between 3 and 14 February.

TMX believes the situation is contained but is continuing to monitor its systems and looks to enhance online employee and system access security. It is also encouraging those affected to enrol in a free 12-month identity protection service via Experian with a security freeze.

 

13 February

Heritage Provider Network, Regal Medical Group

Company type: Largest private healthcare network based in US

Attack type: Ransomware cyberattack

Affected: 3.3 million

A data breach notice was sent out on 1 February by Regal Medical Group disclosing that malware was detected on some of its servers as a result of a threat actor hacking its systems. Cybernews.com reported that the compromised data of those 3.3 million affected may have included basic PII as well as medical information, including radiology reports and prescriptions and health plan details.

 

6 February

Highmark Health

Company type: Large non-profit healthcare company based in US 

Attack type: Phishing attack

Affected: 300,000

According to Beckershospitalreview.com, between 13 and 15 December an employee received a phishing link via email which allowed a hacker to access data of some 300,000 members. Customers were notified by letter on 13 February. On 6 February, Highmark Health filed the notice, and Databreaches, one of the first to report on the incident, says that two versions of the letter were sent out, as some had social security numbers compromised and others protected health information, passport numbers and financial information. Highmark Health, which currently serves 5.6 million members, now has details online about how to spot a phishing email and avoid email fraud.

 

3 February

TruthFinder and Instant Checkmate

Company type: Large subscription-based background check services based in US

Attack type: Cyberattack

Affected: 20.22 million 

According to BleepingComputer, on 21 January, hackers leaked a 2019 backup database containing the information of 20.22 million users of PeopleConnect-owned background check services TruthFinder and Instant Checkmate. 

Subsequent announcements share that the exposed lists were created internally several years before and logged information of customer accounts created between 2011 and 2019. The lists contained PII as well as encrypted passwords and expired or inactive password reset tokens, but no payment details or user data was included.

 

January 2023

30 January

JD Sports

Company type: Large fashion retailer based in UK

Attack type: Cyberattack

Affected: 10 million

Fashion retailer JD Sports notified the Information Commissioner’s Office about the incident which affected approximately 10 million online users, including customers purchasing items on Size?, Blacks and Millets at the end of 2022. According to a statement, the affected data was limited but included names, phone numbers, order details and the final four digits of payment cards (but not full payment details). JD is said to be investigating the incident with cybersecurity experts to avoid recurrences. 

 

23 January

Diksha Indian Education app

Company type: Public education app launched in 2017 based in India

Attack type: Unsecured server

Affected: 1.6 million 

Data stored in an obligatory public education app that was launched in 2017 was left unprotected for at least four years, meaning that even a simple Google search could have exposed the personal information of students and teachers. According to Wired, the files were available for download via Grayhat Warfare, a go-to searchable database on which hackers and security researchers can access unsecured servers.

The files contained full names, phone numbers and email addresses of some 1 million teachers. Another file held student information; although it partially concealed their email addresses and phone numbers, nearly 600,000 student names were exposed, along with their schooling history, details of when they enrolled on the app and progress on the course.

 

20 January

T-Mobile

Company type: Large telecommunications company based in US

Attack type: Bad actor, hacker

Affected: 37 million

Hit once again following no fewer than eight disclosed hacks since 2018, T-Mobile said that it detected malicious activity on its servers on 5 January and shut it down within 24 hours. The company was said to be less forthcoming concerning information that the bad actor gained access to customer data from 37 million accounts, around 25 November 2022. The customer information included names, birth dates, and phone numbers.

According to wraltechwire, no passwords, PINs, bank account or credit card information were disclosed, nor were social security numbers or other government IDs.

 

19 January

Transportation Security Administration (TSA) 

Company type: Agency of the United States Department of Homeland Security

Attack type: Hacker of unsecured server (accidental)

Affected: 1.5 million 

A Swiss hacker who goes by the name maia arson crimew obtained an old copy of the US government’s Terrorist Screening Database and a “no fly” list that was available on an unsecured server. 

The data belongs to commercial airline CommuteAir, which confirmed it contained 1.5 million entries, including names and birthdates of individuals (not all unique, as the list contains multiple aliases) that the government has banned from air travel, as well as information on 1,000 company employees, according to the Daily Dot, which first reported on the case.

 

19 January

NortonLifeLock

Company type: Large multinational cybersecurity software and services provider with 80 million users across 150 countries based in US

Attack type: Credential stuffing attack

Affected: 925,000

Consumer safety provider NortonLifeLock, part of Gen Digital, was subject to a credential stuffing attack, compromising the data of 925,000 customers.

According to IT Governance, customers’ full names, phone numbers and mailing addresses may have been leaked, and hackers may have also been able to access information stored in the Norton Password Manager feature to find passwords for other accounts, the latter being the most likely motivation for the attack. NortonLifeLock shared that the breach started on 1 December 2022 and urges customers to use 2FA alongside other security measures.

 

10 January

Zurich Insurance (car insurance)

Company type: Leading insurer serving 200 countries, founded in Zurich 

Attack type: Data breach

Affected: 757,463

This data leak, which stemmed from an external service provider, compromised the names, gender, date of birth, email addresses, policy number and more of 757,463 Zurich “Super Automobile Insurance” holders in Japan. According to the Switzerland Times, customers outside of Japan were not affected and credit card numbers and bank account information were not revealed.

 

9 January

Aflac Life Insurance (cancer insurance policyholders)

Company type: Fortune 500 company based in US

Attack type: Data breach

Affected: 1.3 million  

Aflac confirmed on 9 January that it was notified about customer information being leaked onto a data breach forum by a hacker that had accessed a server on 7 January, via an external contractor.

Aflac told Data Breach Today that the risk of misuse of information by third parties is low since it’s difficult to identify customers by the specific data leaked: last name, age, gender, insurance type number, coverage amount and premiums. 3.2 million records were accessed in total, 1.3 million of which were related to “New Cancer Insurance” and “Super Cancer Insurance” policyholders.

 

4 January

Twitter

Company type: Large social media company based in US

Attack type: Data leak (threat actor)

Affected: 235 million

On 4 January, an estimated 235 million Twitter users and their associated email addresses were leaked to an online hacking forum, selling for around $2 according to BleepingComputer. This isn’t the first data breach for Twitter and BleepingComputer continued to report that it may be a cleaned-up version of the 400 million Twitter profiles which were circulated in November 2022, created by threat actors as far back as 2021. Twitter doesn’t believe there is evidence to show the data exploited a vulnerability in its systems and urges account holders to enable 2FA and hardware security apps to stay better protected.

What should you do if you were part of a data breach?

If you were affected by a breach, the company will usually inform you by letter or email. However, it could depend on the nature of the cyberattack. Many US-based companies prefer to keep information regarding a breach quiet when they are first made aware, and will sometimes attempt to contain the situation in a way in which they may not be legally obliged to inform those involved or to officially report the incident at all. In some cases, months have gone by without the people concerned being notified, as with the Independent Living Systems breach when almost eight months had passed, increasing the chances of lawsuits. 

If you’re in any doubt, you can simply check if your email address has been compromised, and where, on Have I Been Pwned. Also, if you have been officially notified, said company should also offer up information on how it’s rectifying the situation, how you can stay secure and how they will prevent problems in the future. It goes without saying that you should stay wary of phishing emails, and fact check the business or company’s data breach claim(s) by keeping an eye out for official communication on news outlets, or even for word on socials, like (albeit ironically) Twitter, Reddit and so on, to be a part of the immediate conversation. 

Companies in the UK must notify the ICO within 24 hours of discovering the data breach to avoid a penalty; the ICO website offers further information on what to include in the alert and how to let customers know. In the US, the Federal Trade Commission has a step-by-step guide on best practice.

How can I protect my company from data breaches?

Prevention is the best protection when it comes to cybersecurity according to experts and, although 80 per cent of data breaches are caused by external actors as per Verizon’s Data Breach Investigations Report 2022, rigorous training of staff to help recognise phishing emails and malicious activity is a must. “Human error was a major contributing cause in 95 per cent of all breaches,” according to a historic IBM Cyber Security Intelligence Index Report. Further, the more recent 2022 report notes that: “Human errors, meaning breaches caused unintentionally through negligent actions of employees or contractors, were responsible for 21 per cent of breaches” in organisations. 

With that in mind, SoSafe Cyber Trends Report 2023 shares that people can also be the biggest asset to a company when it comes to cybersecurity, so companies should invest in knowledge and training concerning cybercrime. The same report highlights how security teams should strive to keep up with the pace of cybercriminals, considering AI-powered tools and more that can fend off attacks. 

Forging a sense of trust with employees is worthwhile, too, so that, should someone realise they opened a file or clicked a link they shouldn’t have, they will be comfortable reporting the incident rather than ignoring it, which could lead to an aggravated outcome. Cybercrime causes lots of different stresses, notably financial and emotional stress, and if companies don’t offer enough support to employees in their cybersecurity departments by investing in their training, and that of the general staff, it can lead to burnout and increased resignation rates.

How can I protect my data from breaches?

An easy way to start protecting your data is to set up a secure VPN across all of your devices (laptop, mobile, tablet, etc). Note that the most protected options will usually be monetised, but for many it’s a small price to pay for peace of mind and better security.

Also, turn on 2FA where you can and update passwords regularly, using a mix of uppercase and lowercase letters, special characters, and numbers that don’t relate to your personal information. You should try not to replicate your password(s) across multiple log-ins. If you’ve run out of steam for new passwords, you can use online tools like Secure Password Generator to help.

PCWorld advised in the wake of the PayPal data leaks that by using a good password and 2FA some of the data would have been better protected and secured. This is likely to be the case for the Twitter breaches and the NortonLifeLock case. If you own a company, there are payable options with enhanced security settings for employees, like LastPass and Dashlane.
