Between January and September 2019 there were over 7.9 billion data records exposed — a 33% increase from the same time in 2018! Although hackers are obvious culprits in uncovering this data, oftentimes they had a helping hand from human error resulting in a data breach.
Last year, we also began to see the Federal Trade Commission (FTC) impose hefty fines and penalties on organizations, such as those relating to the Equifax breach and Facebook data leaks, to settle charges of improper handling of Personally Identifiable Information (PII).
What does 2020 hold? While our hope does spring eternal, with the increase of information insecurity — from exposed databases to phishing attempts, from malware to third-party data leaks — the odds are not looking good. In the first quarter of 2020, exposed records were pacing at an increase of 273% over last year. Data breaches aren’t going anywhere and we’re here to keep you up-to-date on the worst data breaches of the year putting you at risk of identity theft.
Note: This post will be continuously updated with new information as additional 2020 data breaches are reported. Breaches appear in descending order, with the most recent appearing at the bottom of the page.
January 2, 2020: Restaurant conglomerate Landry’s announced a point-of-sale malware attack that targeted customers’ payment card data – the company’s second data breach since 2015. The collected Personally Identifiable Information (PII) included credit and debit card numbers, expiration dates, verification codes, and cardholder names.
January 14, 2020: An unsecured database on an Elasticsearch server linking back to Peekaboo Moments, an app where parents post images and videos of their children, was left exposed. An undisclosed number of email addresses, geographic location data, detailed device data, and links to photos and videos posted by parents have been impacted. The app has been downloaded 1 million times since launching in 2012.
January 20, 2020: An undisclosed number of shoppers of the children’s clothing retailer, Hanna Andersson, had sensitive payment information exposed. This breach is the latest in a string of Magecart attacks, where hackers install malicious malware in Point of Sale (POS) systems to skim credit card information. Customers who made online purchases from September 16, 2019, to November 11, 2019, had their names, shipping addresses, billing addresses, payment card numbers, CVV codes, and expiration dates skimmed and put for sale on the dark web.
January 22, 2020: A customer support database holding over 280 million Microsoft customer records was left unprotected on the web. Microsoft’s exposed database disclosed email addresses, IP addresses, and support case details. Microsoft says the database did not include any other personal information.
January 23, 2020: THSuite, a point-of-sale system of marijuana dispensaries across the U.S., disclosed personal information belonging to over 85,000 medical marijuana patients and recreational users after leaving their database unprotected. The data breach impacted names, date of births, phone numbers, emails, street addresses, patient names and medical ID numbers, cannabis variety and the quantity purchased, total transaction costs, date received, and photographs of scanned government and employee IDs.
February 11, 2020: An unsecured database belonging to the makeup company Estee Lauder exposed 440 million customer records. No payment or sensitive information was impacted but email addresses, IP addresses, ports, pathways, and storage information were disclosed in the database.
Fifth Third Bank
February 11, 2020: Fifth Third Bank, a financial institution with 1,150 branches in 10 states, claims a former employee is responsible for a data breach, which exposed customers’ name, Social Security number, driver’s license information, mother’s maiden name, address, phone number, date of birth and account numbers. The total number of affected employees and banking clients remains undisclosed.
Health Share of Oregon
February 13, 2020: The theft of an employee laptop from GridWorks IC, a third-party vendor of Health Share of Oregon, has exposed the personal and medical information of 654,000 members. The Health Share of Oregon data breach disclosed sensitive data, including names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers.
February 20, 2020: Over 10.6 million hotel guests who have stayed at the MGM Resorts have had their personal information posted on a hacking forum. The data dump exposed includes names, home addresses, phone numbers, emails, and dates of birth of former hotel guests. Updated July, 15 2020: Researchers found 142 million personal records from former guests at the MGM Resorts hotels for sale on the Dark Web, hinting that the original breach was larger than previously announced.
February 20, 2020: The photography app, PhotoSquared, has exposed the personal information and photos of the 100,000 individuals who have downloaded the app. Besides photos, user’s names, addresses, order receipts, and shipping labels were impacted in the unsecured database.
February 24, 2020: Slickwraps, an online tech customization store, admitted to leaving the information of 850,000 customers in an unprotected database. The customer information disclosed includes names, email addresses, physical addresses, phone numbers, and purchase histories.
March 2, 2020: Walgreens, the second-largest US pharmacy chain, announced an error within their mobile app’s messaging feature that exposed not only personal messages sent within the app but also the names, prescription numbers and drug names, store numbers, and shipping addresses of its users. The total number of users affected has not been disclosed but the pharmacy’s app has over 10 million downloads.
Carnival Cruise Lines
March 4, 2020: Two cruise lines under the Carnival Corporation, one of the world’s largest cruise ship operator, divulged sensitive information of its employees and customers after a hacker accessed an employee’s work email. The information accessed from the Princess Cruises and the Holland America Line includes names, addresses, Social Security numbers, government identification numbers, such as passport number or driver’s license number, credit card and financial account information, and health-related information.
March 4, 2020: Hackers successfully accessed online accounts of customers of the apparel retailer, J-Crew, through a credential stuffing attack. Using exposed emails and passwords, the hackers were able to login to an unknown number of J-Crew customer accounts and gain access to stored information including the last four digits of credit card numbers, expiration dates, card types, billing addresses, order numbers, shipping confirmation numbers, and shipment status.
March 5, 2020: An unknown number of customers’ sensitive information was accessed through a T‑Mobile employee email accounts after a malicious attack of a third-party email vendor. The personal information of T-Mobile customers accessed includes names and addresses, Social Security numbers, financial account information, and government identification numbers, as well as phone numbers, billing and account information, and rate plans and features.
March 11, 2020: Whisper, an anonymous secret-sharing app, has left member information exposed in an unsecured database. Although the app does not collect names, the database included nicknames, ages, ethnicities, genders, and location data of over 900 million users.
March 18, 2020: The online guitar lessons website, TrueFire, notified its users that a hacker gained access to names, addresses, payment card account numbers, card expiration dates, and security codes for the past six months. The total number of users affected is still unknown but TrueFire has millions of users worldwide.
Unnamed U.K-Based Security Firm
March 19, 2020: An unprotected database containing over 5 billion individual records was discovered stored on Elasticsearch. This “database of data breaches” was managed by an undisclosed U.K.-based security firm, and has since been taken offline according to the security researcher who discovered the leak. The records in the database come from various, previously breached sources dating back at least seven years, with records belonging to Adobe, Twitter, Tumbler, and LinkedIn, among many others. Data exposed includes leak dates, passwords, email addresses, email domains, and companies that were the source of the original leaks.
March 24, 2020: The technology conglomerate, General Electric (GE), disclosed that a third party vendor experienced a data breach, exposing the personally identifiable information of over 280,000 current and former employees. The employee information accessed through Canon Business Process Services included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, and dates of birth.
March 31, 2020: Using the login credentials of two employees through a third-party app used to provide guest services, Marriott International hotels exposed the information of 5.2 million guests. The personal information of the hotel guests impacted includes names, mailing addresses, email addresses, phone numbers, loyalty account numbers and points balances, company, genders, birth dates, linked airline loyalty programs and numbers, room preferences, and language preferences. In a previous data breach in 2018, Marriott hotels exposed the personal information of 500 million guests.
April 6, 2020: A digital wallet app, Key Ring, left stored customer data of 14 million users accessible in an unsecured database. The app allows its users to easily upload and store scans and photos of membership and loyalty cards to a digital folder in their mobile device. The exposed data includes names, full credit card details (including CVV numbers), email address, birth date, address, membership ID numbers, retail club and loyalty card memberships, government IDs, gift cards, medical insurance cards, medical marijuana IDs, IP address and encrypted passwords.
San Francisco International Airport (SFO)
April 13, 2020: Two websites hosted by the San Francisco International Airport (SFO), SFOConnect.com and SFOConstruction.com, suffered a security incident in which hackers injected malicious code to collect users’ login credentials. The malware gained access to usernames and passwords used to log on to the impacted websites.
April 14, 2020: The credentials of over 500,000 Zoom teleconferencing accounts were found for sale on the dark web and hacker forums for as little as $.02. Email addresses, passwords, personal meeting URLs, and host keys are said to be collected through a credential stuffing attack.
April 14, 2020: A collection of 4 million login records belonging to the online marketplace Quidd was breached through a hack then posted on the dark web forum for free. Once accessible, the usernames, email addresses, and hashed account passwords were shared among members of the forum. Although the passwords were hashed, cybercriminals are unhashing them and selling the data again.
April 20, 2020: The personal and medical information of over 112,000 employees and patients of Beaumont Health was accessed by a malicious actor after compromising employee email accounts through a phishing attack. The information impacted includes names, birth dates, Social Security numbers, driver’s license numbers, medical condition data, and bank account data.
April 21, 2020: More than 267 million Facebook profiles have been listed for sale on the Dark Web – all for $600. Reports link these profiles back to the data leak discovered in December, with additional PII attached, including email addresses. Researchers are still uncertain how this data was exposed originally, but have noted that 16.8 million of the Facebook profiles now include more data than originally exposed.
April 22, 2020: A card payments processor startup, Paay, left a database containing 2.5 million card transaction records accessible online without a password. The exposed payment transaction belonging to 15 to 20 merchants includes full plaintext credit card number, expiry date, and the amount spent.
April 27, 2020: A credential stuffing attack using previously exposed user IDs and passwords of popular video game company, Nintendo, granted hackers access to over 160,000 player accounts. With unauthorized access to the accounts, the fraudsters may have purchased digital items using stored cards as well as view personal information including name, date of birth, gender, country/region and email address.
April 28, 2020: Ambry Genetics, a genetic testing laboratory based in the U.S., announced 233,000 medical patients had their personal and medical information accessed by a third party through an employee email. The unauthorized party accessed names, information related to customers’ use of the genetic laboratory’s services and medical information as well as the Social Security numbers of some of the victims.
May 4, 2020: The web hosting site, GoDaddy, announced to its users that an unauthorized third party was granted access to login credentials. The site is said to have 19 million users and possibly 24,000 users had their usernames and passwords exposed. The company has reset passwords to prevent further access.
May 5, 2020: A reported ransomware attack on the Fresenius Group, a global healthcare company and one of the largest dialysis equipment providers in the U.S., impacted the company’s operations around the world. The organization claims their system was affected by a computer virus, but a source confirmed the hacker held the healthcare’s IT systems and data hostage in exchange for payment in bitcoin.
May 13, 2020: The personal information of 387,000 former and current inmates was access by a hacker who exploited a server vulnerability in a U.S. Marshals Service database. The information exposed includes names, dates of birth, social security numbers, and home addresses.
May 13, 2020: Magellan Health, a Fortune 500 healthcare company, has sent a notice to its patients that it had fallen victim to a phishing scam and ransomware attack. The information held for ransom includes names, contact information, employee ID numbers, W-2 or 1099 information, including Social Security numbers or taxpayer identification numbers, as well as login credentials and passwords for employees.
May 20, 2020: The information belonging to 8 million users of the home meal delivery service, Home Chef, was found for sale on the dark web after a data breach. The data found for sale includes names, email addresses, phone numbers, addresses, scrambled passwords, and the last four digits of credit card numbers. Home Chef was one of 11 companies impacted by the hacking group, according to security researchers, resulting in 164 million user records for sale on the dark web.
May 20, 2020: Over 40 million users of the mobile app, Wishbone, had their personal information up for sale on the dark web. Usernames, emails, phone numbers, location information and hashed passwords were exposed in a data breach before being advertised in a hacking forum.
May 24, 2020: At least 25 million Mathway app users, a top-rated mobile app calculator, had their email address and password exposed to data thieves, and the leaked database was quickly found for sale on the dark web. The breached data also included “back-end system data,” which wasn’t identified specifically, but is typically the type of data that runs behind the scenes on a server, powering the application for the end-user but is not visible to the user.
May 28, 2020: More than 5 million user records belonging to Minted, an online consumer marketplace for art, home decor, and stationary, were sold by a hacker on the dark web. The information involved included customers’ names and login credentials (email address and password.) Telephone number, billing address, shipping address(es), and date of birth were also impacted for a portion of their customers. Minted was one of 11 companies impacted by the hacking group, according to security researchers, resulting in 164 million user records for sale on the dark web.
June 2, 2020: In a notification to its users, the passenger railroad service Amtrak announced an unknown third party accessed an undisclosed number of Amtrak Guest Rewards accounts. The company claims only usernames, passwords, and some personal information was exposed and no Social Security numbers or financial data was accessed.
June 15, 2020: The jewelry and accessories retailer Claire’s announced it was a victim of a magecart attack, exposing the payment card information of an unknown number of customers. The retailer has 3,500 locations worldwide and e-commerce operations and claims the breach only affected online sales.
June 17, 2020: Cognizant, one of the largest IT managed services company, announced its user’s information was accessed and stolen in a ransomware attack back in April 2020. The personal information involved in this incident included names, Social Security numbers, tax identification numbers, financial account information, driver’s licenses, and passport information.
June 22, 2020: More than 296 GB of data was leaked from US law enforcement agencies and fusion centers and posted the files online on a searchable portal titled BlueLeaks. The leaked data contains over one million files, such as scanned documents, videos, emails, audio files, some of which included sensitive and personal information, such as names, bank account numbers, and phone numbers.
June 23, 2020: A security lapse at Twitter caused the account information of the social media company’s business users to be left exposed. The number of impacted business accounts has not been disclosed but its business users’ email addresses, phone numbers, and the last four digits of their credit card number were impacted.
July 7, 2020: Popular casino gambling app Clubillion has suffered a data leak, exposing the PII of millions of users around the world according to researchers at vpnMentor. While it was open to searchers, the Clubillion database was recording up to 200 million records a day, including users’ IP addresses, email addresses, amounts won, and private messages within the app. The majority of Clubillion’s daily users are from the United States.
July 16, 2020: Over 450,000 residents of Polk County, Florida had their driver’s license numbers and Social Security numbers exposed after an employee at Polk County Tax Collector fell victim to a phishing attack.
July 20, 2020: An unsecured server exposed the sensitive data belonging to 60,000 customers of the family history search software company, Ancestry.com. The details leaked include email addresses, geolocation data, IP addresses, system user IDs, support messages and technical details.
Dave Mobile Banking App
July 26, 2020: A third-party breach leaked the account details of over 7.5 million users of the digital banking app, Dave. Although no financial information was disclosed, the breach exposed names, phone numbers, emails, birth dates, home addresses, and encrypted Social Security numbers.
July 28, 2020: The online alcohol delivery startup Drizly disclosed to its customers that a hacker accessed the account details of 2.5 million Drizly accounts. The customer information exposed included email addresses, date-of-birth, and hashed passwords.
July 28, 2020: The video creation platform, Promo.com, confirmed their 22 million customers have had their personal and account information exposed in a third-party data breach. The compromised data includes names, email addresses, IP addresses, user location, gender, and encrypted passwords.
July 28, 2020: An unsecured database exposed the Personally Identifiable Information(PII) of 19 million customers and potential employees of the cosmetic company, Avon. The leaked information included names, phone numbers, dates of birth, email and home addresses, and GPS coordinates, as well as other technical information.
Instagram, TikTok & Youtube
August 20, 2020: Researchers at Comparitech uncovered an unsecured database with 235 million Instagram, TikTok, and YouTube user profiles exposed online belonging to the defunct social media data broker, Deep Social. The scraped profile information in the data leak includes names, ages, genders, profile photos, account descriptions, statistics about follower engagement and demographic such as number of likes, followers, follower growth rate, engagement rate, audience demographic (gender, age and location), and whether the profile belongs to a business or has advertisements.
August 21, 2020: Freepik, a free image database, sent out a breach notification to 8.3 million users that their account login information was exposed through injected malware on their website. The malware collected emails of all users and hashed passwords of 3.77 million users.
August 26, 2020: A motion rehabilitation device manufacturer, Dynasplint Systems, experienced an encryption attack on its business devices that exposed the personal and medical information of 103,000 patients. The accessed information includes names, addresses, dates of birth, Social Security numbers, and medical information.
Utah Pathology Services
August 31, 2020: In an attempt to redirect funds from Utah Pathology Services, an unauthorized hacker gained access to an employee email account and the sensitive information of 112,000 medical patients. The accessed information includes patient names, gender, date of birth, mailing address, phone number, email address, health insurance information, internal record numbers, diagnostic information, and a small number of Social Security numbers.
September 5, 2020: Over 1 million inmates that have used the prison phone service, Telmate, have had their personal information exposed in an unsecured database. The information of both inmates and their contacts that was disclosed included names, gender, offense, religion, facility location, relationship status, medication history, emails, physical and IP addresses, phone numbers and driver’s license details.
September 7, 2020: A phishing attack led to the protected health information of 140,000 medical patients of Imperium Health Management to be exposed. The information accessed through the attack includes patient names, addresses, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which can include Social Security numbers), and limited clinical and treatment information.
NorthShore University HealthSystem
September 9, 2020: The Chicago based healthcare system, NorthShore University HealthSystem, disclosed the protected health information of 348,000 medical patients was exposed through a third-party data breach. The data breach exposed patient names, dates of birth, addresses, phone numbers, e-mails, admission and discharge dates, locations of services, and physician names and specialties.
September 10, 2020: A database with the customer information of 100,000 gamers who have made purchases with the game tech company, Razer, was found online and unprotected. The exposed information included name, email, phone number, customer internal ID, order number, order details, billing and shipping address.
September 14, 2020: An undisclosed number of customers of the office retail giant, Staples, received email notification disclosing their information has been exposed in a data breach. The breached information includes customer names, addresses, email addresses, phone numbers, last four credit card digits, and order details.
<h2″>Children’s Hospitals and Clinics of Minnesota
September 16, 2020: Children’s Hospitals and Clinics of Minnesota sent notification that a third-party data breach exposed over 160,000 patient records. The patient impacted in the breach includes names, addresses, phone numbers, ages, dates of birth, genders, medical record numbers, dates of treatment, locations of treatment, names of doctors and health insurance status.
September 21, 2020: Over 500,000 gamer accounts of Activision, the video game publisher, were targeted in a credential stuffing attack. It has been reported that login data, such as email and password, was published publicly online, granting hackers access the Call of Duty accounts, often locking the rightful owner out of their account.
September 24, 2020: A researcher at Comparitech discovered an unsecured online database containing records of 600,000 gym members of the fitness chain, Town Sports International. Town Sports has 185 clubs under various brands, including New York Sports Clubs, Philadelphia Sports Clubs, Boston Sports Clubs, Washington Sports Clubs. The database exposed customer names, postal addresses, email addresses, phone numbers, check-in data, gym location, notes on customer accounts, last four digits of credit card, credit card expiration date, and billing history.
Warner Music Group
September 29, 2020: A recent legal filing revealed entertainment and record label conglomerate, Warner Music Group (WMG), suffered a three-month-long Magecart attack that exposed an undisclosed number of customers’ personal and financial information. Hackers accessed customers’ details from Warner Music’s e-commerce websites hosted and supported by a third-party, capturing customer’s names, email addresses, telephone numbers, billing addresses, shipping addresses, and payment card details such as card numbers, CVC/CVV, and expiration dates.
October 6, 2020: Blackbaud, a cloud-based fundraising database management vendor for non-profits and educational institutions, became victim to a ransomware attack beginning in February 2020, which remained undetected until May 2020. Blackbaud paid the ransom and received confirmation the data had been destroyed. Before deleting the data, the cybercriminals copied sensitive data from over 6 million donors, potential donors, patients, and community members including names, emails, phone numbers, dates of birth, genders, provider names, dates of service, department visited, and philanthropic giving history. A recent SEC filing in September 2020, reveals hackers gained access to more unencrypted data than originally reported, including Social Security numbers, financial accounts, and payment information. Hundreds of Blackbaud’s impacted clients continue to disclose the data incident, including Inova Health (1.5 million), Saint Luke’s Foundation (360,212), MultiCare Foundation (300,000), Spectrum Health (52,711), Northwestern Memorial HealthCare (55,983), and Main Line Health (60,595). Several organizations in Vermont were also included in the breach, such as the Vermont Foodbank, Middlebury College, and Vermont Public Radio.
October 6, 2020: Customers of the food delivery startup, Chowbus, received an email notification from the company that included a link to access the personal and account information of about 800,000 customers. The customer data in the data dump includes names, phone numbers, and mailing and email addresses.
Barnes & Noble
October 15, 2020: Popular bookseller, Barnes & Noble, notified customers that a cybersecurity attack led to exposed customer information and caused service disruption of Nook e-reader books. The company has not disclosed how many customers have been impacted, but noted billing and shipping addresses, telephone numbers, and email addresses were accessed in the data leak.
October 16, 2020: A year-long Point-of-Sale (POS) system breach has impacted 3 million customers of the popular national BBQ chain, Dickey’s Barbecue Pit. Hackers posted over 3 million customers’ payment card details for sale on the Dark Web, where each record is being sold for $17 per card.
October 20, 2020: Security researchers at Comparitech discovered an unsecured database containing the records of more than 350 million customers along with call transcripts belonging to the cloud-based communication company, Broadvoice. The exposed Elasticsearch database enclosed personal details such as caller names, caller identification number, phone number, and location along with voicemail transcripts.
October 20, 2020: The pharmaceutical corporation, Pfizer, exposed the personal and medical information of hundreds of medical patients taking cancer drugs through a data leak. A misconfigured Google Cloud database exposed names, phone numbers, home addresses, email addresses, customer support messages, health data, medical status, phone call transcripts, and prescription information.
Fragomen, Del Rey, Bernsen & Loewy
October 27, 2020: The immigration law firm responsible for representing Google, Fragomen, Del Rey, Bernsen & Loewy, announced a security incident has exposed the personal information of current and former Google employees. An unauthorized third party gained access to an undisclosed number of employee Form I9’s, containing full name, date of birth, phone number, social security number, passport numbers, mailing address, and email address.
November 3, 2020: Malware embedded in the online shopping platform of precious metals dealer, JM Bullion, captured the personal and banking card information of customers who made purchases between February and July 2020. Using the malicious code, hackers we able to collect an undisclosed number of customer names, addresses, and payment card details including account numbers, card expiration dates, and the security codes.
November 5, 2020: A database containing staff, users, and subscribers data of the online media company, Mashable.com, was leaked by hackers. The database contains an undisclosed number of names, email addresses, country, gender, job description, online behavior related details, date of registration, IP addresses, social media profile links, and authentication tokens.
Expedia, Hotels.com & Booking.com
November 6, 2020: A unsecured database belonging to the hotel reservation platform, Prestige Software, leaked sensitive data from over 10 million hotel guests worldwide, dating as far back as 2013. The third-party data leak affected guests that have booked reservations through travel companies such as Expedia, Hotels.com, Booking.com, Agoda, Amadeus, Hotelbeds, Omnibees, Sabre and more. The information exposed in the data leak includes names, email addresses, national ID numbers, phone numbers of hotel guests, and reservation details such as reservation number, dates of a stay, the price paid per night. The unsecured database also disclosed sensitive credit card details from over 100,000 guests, including card number, cardholder’s name, CVV, and expiration data, and total cost of hotel reservations.
November 14, 2020: Vertafore, an insurance software firm, fell victim to a data breach and exposed the personal and driver’s license data of over 27 million Texas citizens. The files accessed by an unauthorized party contained Texas driver license numbers, as well as names, dates of birth, addresses and vehicle registration histories.
November 19, 2020: An unsecured database belonging to the Christian faith app, Pray.com, exposed the personal information of over 10 million individuals – including users of the app and their contacts. The impacted information includes photos uploaded by the app’s users, names, home and email addresses, phone numbers, marital status, login information along with users’ phone contacts names, phone numbers, email, home and business addresses, company names and family ties.