Learning from Data Breach Examples: What They Teach Us About Security

In the digital age, a data breach is not a theoretical risk but a recurring reality that touches consumers, employers, and governments. A data breach happens when unauthorized parties access or disclose sensitive information, often bypassing defenses that were meant to protect users. By studying notable data breach examples, we can identify patterns, missteps, and practical remedies that help both individuals and organizations strengthen their security posture.

Notable Data Breach Examples

Across sectors and years, certain data breach events stand out for the scale, the method, or the lessons they carried. The following cases illustrate common themes and the consequences of inadequate controls.

Yahoo (2013–2014)

In what became one of the largest data breach incidents in history, Yahoo disclosed that at least one major breach affected all of its user accounts—about 3 billion—spanning 2013 and 2014. The breach was linked to forged cookies and broad access to user data, including names, email addresses, and security questions. The incident underscored how long-dormant weaknesses in authentication and account recovery can enable widespread access, turning a single breach into a systemic risk over years.

Equifax (2017)

Equifax revealed a data breach that exposed the personal information of approximately 147 million people. The attackers exploited a known vulnerability in a web application framework that had not been patched. Social Security numbers, birth dates, addresses, and driver’s license information were exposed. The breach highlighted the perils of lapsed patch management in critical systems and the heavy downstream impact when highly sensitive identifiers are compromised.

Target (2013)

Target faced a high-profile data breach in which criminals accessed the payment card data of millions of customers through compromised vendor credentials and malware on point-of-sale systems. In addition to card numbers, contact information was exposed. The incident demonstrated how attackers can enter a retail network via a third-party connection and pivot toward high-value data inside the organization.

eBay (2014)

eBay disclosed that cybercriminals gained access to a large portion of user accounts through a credential-stuffing attack and the theft of customer data. The breach emphasized how credential exposure across sites can enable unauthorized access, particularly when users reuse passwords across multiple services.

Capital One (2019)

Capital One reported a data breach affecting about 100 million individuals in the United States and Canada. The attacker exploited a misconfigured firewall in an Amazon Web Services environment and accessed credit card applications, exposing names, addresses, and in some cases Social Security numbers. The breach illustrated how misconfigurations and cloud storage exposure can turn advanced security into a soft spot if not properly monitored.

Marriott (2018)

Marriott disclosed a breach involving its Starwood properties that affected roughly 500 million guests. Information exposed included passport numbers and travel histories, with some payment data involved. The event underscored how mergers and acquisitions can complicate security boundaries and how long a breach can remain undetected or underreported.

MyFitnessPal (2018)

MyFitnessPal suffered a data breach affecting around 150 million accounts, primarily exposing usernames, email addresses, and hashed passwords. The incident highlighted the risk when consumer-facing apps collect personal data for health and wellness services, and the importance of securing authentication credentials even when other data remains less sensitive.

LinkedIn (2012, disclosed 2016)

LinkedIn announced a data breach that compromised hundreds of millions of user records. The breach brought attention to the long tail of breached data, where earlier incidents resurface in later years on the dark web and in credential reuse scenarios, amplifying risk for users who reused passwords.

Uber (2016, disclosed 2017)

Uber disclosed a breach involving roughly 57 million riders and drivers. The attackers obtained names, email addresses, and phone numbers, and the company paid off the attackers to keep the incident quiet for over a year. The case underscored the importance of rapid disclosure and transparent breach response to preserve trust.

Common Patterns Across Data Breaches

While each incident has its unique details, several recurring patterns emerge from these data breach examples:

  • Weak or misconfigured access controls: Unauthorized access to sensitive data often starts with inadequate authentication or improperly configured cloud resources, as seen in several large breaches.
  • Unpatched software and known vulnerabilities: Attackers frequently exploit publicly disclosed vulnerabilities that remain unpatched, a core lesson from Equifax and other cases.
  • Credential reuse and phishing: Many breaches begin with stolen user credentials or phishing schemes, enabling attackers to move within networks or datasets.
  • Third-party and supply chain risk: Vendors or partners can become entry points for attackers, illustrating the need for ongoing third-party risk management.
  • Slow detection and delayed disclosure: In several incidents, breaches were not detected for months, amplifying the impact and complicating response efforts.

Lessons for Individuals and Organizations

From these data breach examples, two audiences emerge with clear responsibilities: individuals who protect personal information and organizations that safeguard customer data. Here are the practical takeaways.

For Individuals

  • Use unique, strong passwords for every service and enable multi-factor authentication (MFA) wherever possible to reduce the effectiveness of credential-based data breaches.
  • Monitor your credit and financial statements regularly; consider freezing or blocking credit if you are not actively applying for new credit, especially after a widely publicized breach.
  • Be cautious with email links and attachments; phishing remains a common initial access method in many data breach scenarios.
  • Practice good privacy hygiene on mobile apps and online services—review app permissions and limit the amount of data you share.

For Organizations

  • Adopt a proactive patch management program and prioritize high-risk vulnerabilities, particularly those that are publicly disclosed in the wake of a breach elsewhere.
  • Implement defense-in-depth, including strong access controls, encryption at rest and in transit, and robust monitoring to detect unusual activity early.
  • Move toward zero-trust architecture, where access is granted on a need-to-know basis and continuous authentication is part of the workflow.
  • Regularly test incident response plans with tabletop exercises and live simulations to shorten the time from breach to containment.
  • Institute third-party risk management with security requirements, audits, and breach notification expectations for vendors and partners.

Turning Lessons into Practice

Data breach prevention is not just about technology; it’s about processes, culture, and guardrails that make security a daily priority. For organizations, the cost of a breach—financially and reputationally—makes a strong case for investing in layered defenses and rapid response. For individuals, awareness of common attack vectors and vigilant personal practices reduces the likelihood that a data breach will translate into real harm.

Putting the right controls in place

Key controls to consider include:

  • End-to-end encryption for sensitive data, both at rest and in transit.
  • Zero-trust network segmentation to limit lateral movement after any breach attempt.
  • Automated monitoring and alerting for unusual login patterns, data downloads, or access to sensitive files.
  • Secure software development lifecycles (SDLC) with secure coding practices and regular code reviews.
  • Integrated privacy-by-design when collecting or sharing personal information, including minimizing data retention where possible.

In the end, the best defense against data breach risks is a combination of proactive prevention and transparent, accountable response. Studying real-world breaches helps translate abstract principles into concrete steps that people and organizations can take today.

Conclusion

Data breach examples across different industries reveal a common truth: cyber threats evolve, but the fundamentals of good security remain constant. Prioritizing patch hygiene, access control, encryption, and vigilant monitoring can greatly reduce the likelihood of a data breach and, when one occurs, shorten the path to containment and recovery. By learning from these cases, businesses can design more resilient systems, and individuals can protect themselves more effectively in a landscape where data remains a valuable target.