The modern economy runs on data. Businesses thrive based on how they collect, analyze, and use customer data. But none of that matters if you drop the ball on cybersecurity.

Data breaches are a hot topic with C-Suite leaders, IT journalists, and customers. That’s no surprise. 2023 was bad, but 2024 has been one of the worst years yet on the cybersecurity front.

An average data breach now costs $4.9 million. Ransomware costs an average of $5.2 million, and thieves have stolen over 1 billion records.

Even so, we’re not here to spread panic. As this list of 2024’s biggest data breaches shows, every breach has a cause and a solution. Good security practices will defeat most attackers, and it helps to learn where others have failed. But first, let’s talk about statistics.

Key facts about 2024’s data breaches

2024 has been another banner year for data breaches, with cybercriminals accelerating their efforts to steal and monetize confidential information. The stats below show that data theft is commonplace, and organizations face a challenging data security environment:

• National Public Data (NPD) will probably be 2024’s biggest data breach. The mammoth breach potentially impacts 2.9 billion records, close to the most significant data leak ever.
• Change Healthcare suffered the largest health-related data breach of the year, affecting over 100 million customer records. This could make it the largest healthcare breach in history.
• The average cost of a data breach reached $4.88 million in 2024.
• The cost of a data breach in cloud environments was even higher, averaging $5.17 million.
• 40% of breaches involved data stored across multiple environments.
• 68% of 2024 data breaches involved human errors, such as falling for phishing scams.
• 14% of attacks involved security exploits, three times the 2023 total.
• On average, organizations took 194 days to identify data breaches.
• The average attack took 64 days to contain.
• Meta (Ireland) was fined 91 million euros for exposing customer data, the largest GDPR penalty in 2024.

The biggest data breaches of 2024

A devastating data breach is a nightmare for customers and affected organizations. But breaches can have a positive side. Each incident is a learning opportunity. It’s easier to defend critical data when we understand the mistakes made by others and the tactics used by attackers.

With that in mind, let’s explore 2024’s biggest data breaches. New breaches hit the news weekly, but we will discuss these cases for years.

1. National Public Data (1.3 billion individuals)

This one could be 2024’s biggest data breach. Before this year, few people knew National Public Data, a subsidiary of Jerico Pictures, Inc., but the company is now notorious for data security failures.

In April, data broker USDoD listed a cache of NPD 2.9 billion records for sale on the Dark Web. According to Jerico, the exposed data is related to 1.3 billion individuals. With a sale value of $3.5 million, it’s easy to see why criminals targeted the data handling company.

Filings with the Maine Attorney General suggested a massive regulatory penalty was on the cards. To make matters worse, NPD users filed a civil action in August, alleging the breach was foreseeable and avoidable.

Before either case could proceed, Jerico Pictures filed for bankruptcy in October. The company lost customer trust and folded as a direct result of the NPD breach. While USDoD has been arrested, the data thieves remain at large.

What data types were involved? Almost everything. The 2.9 billion records included personally identifiable information (PII), historical addresses, social security numbers, and nicknames used by record holders.

How did it happen? The details are unclear. As far as we know, the data breach started in December 2023. A bad actor nicknamed SXUL targeted NPD servers using unknown techniques. The data started to circulate on dark web forums, ending up with USDoD in April.

2. AT&T (2 breaches, over 110 million individuals)

AT&T is so big that a data breach there affects almost everyone. Unfortunately, the telecommunications giant reported two significant data breaches in 2024.

The first was a historical hack dating back to 2022. During a six-month window, hackers extracted call and messaging data for 110 million customers. In this case, AT&T was partly at fault. The compromised data resided on servers maintained by hosting company Snowflake (itself listed later in a separate breach).

The other security incident emerged when 73 million customer records appeared on a data brokerage. Alongside identifiable information, the cache contained encrypted passwords to access AT&T accounts. Panicked by the disclosure, AT&T issued a rare force reset of over 7 million passwords.

What data types were involved? The Snowflake breach involved call and message metadata, not voice or text data. Even so, attackers could use metadata to determine user locations. The cache also included details of those contacted by AT&T customers, another useful identifier.

The second breach included sensitive personal information like full names, postal addresses, and phone numbers. It also featured the encrypted passwords we noted earlier. Combining the two sets could be very powerful in the hands of bad actors.

How did it happen? In the first case, thieves targeted Snowflake’s cloud storage infrastructure. Snowflake suggested that weak authentication processes caused the leak and that the UNC5537 hacking group was responsible.

The second AT&T data breach in 2024 is less clear. AT&T have not released information about the attackers or their mitigation processes. It looks like the password reset only happened after freelance security experts notified the TechCrunch website. Not a good look for AT&T’s internal team.

3. Patelco Credit Union (726,000 individuals)

Patelco is a Bay Area credit union that dates back to 1936 and manages over $9 billion in assets. That history almost ended in June 2024 when the company detected a significant ransomware attack.

The details of the massive data breach are sobering. The company’s initial fraud alert indicates a loss of 726,000 individual records and possible exposure of over 1 million records.

What data types were involved? The Patelco breach involves data about customers and current and former employees. Stolen data includes names, addresses, dates of birth, license numbers, and social security numbers. Credit reports and financial accounts were all put at risk.

How did it happen? According to Patelco, attackers entered the network on May 23 before accessing customer and employee databases on June 29. A ransomware attack then took down the credit union’s online banking, mobile app, and customer service centers, making it hard to resist their demands.

Two months later, the company notified regulators and customers. It also restored banking services after a damaging two-week break and provided support for customers needing an urgent credit report.

The perpetrators are unclear. However, the Dark Web ransomware gang RansomHub lists Patelco on their data brokerage and may have been responsible.

4. Community Clinic of Maui (123,000 individuals)

Attacks against healthcare organizations become more sophisticated yearly as hackers target sensitive personal information. This year, one of the worst attacks affected the Community Clinic of Maui (or Mālama).

According to the Clinic, threat actors accessed patient records between May 4 and May 7 this year. The ransomware attack took systems offline and directly impacted patient care.

The Clinic closed for two weeks, and nurses had to use paper charts for weeks after reopening. It took months to secure digital data and restore usual service.

What data types were involved? Regulatory filings suggest criminals stole social security number data, passport numbers, and names. Even worse, the attack exposed medical histories, biometric data, and financial account data (including CVVs).

How did it happen? Analysis indicates a group called LockBit mounted the attack, as the group announced responsibility in June. Attackers breached cloud storage systems, using ransomware-as-a-service agents to extract valuable data.

5. Infosys (8.5 million records)

Outsourcing company Infosys McCammish Systems announced a major breach on September 6, 2024, potentially affecting 6.5 million records.

According to filings, the attack dated back to late 2023, with attackers active between October and November. There was a long delay between data extraction and discovery.

The effects could be significant, as Infosys serves many massive financial and insurance partners. For instance, the breach exposed thousands of records from Wells Fargo and the Teachers Insurance and Annuity Association of America (TIAA).

What data types were involved? The Infosys breach involved insurance data, creating a critical identity theft risk. Data exposed included SSNs, birth dates, medical treatments, email passwords, state IDs, and driver’s license numbers.

How did it happen? LockBit took responsibility for the Infosys attack. The Russia-linked group implanted ransomware across the Infosys network, locking over 2,000 devices.

6. UnitedHealth (100 million individuals)

Cyberattackers continue to ruthlessly target healthcare companies, including some of America’s biggest operators. In February 2024, TechCrunch reported a breach at UnitedHealth that could impact 100 million customers.

Health and Human Services (HHS) received a filing in October 2024, and investigations continue. If the numbers are accurate, UnitedHealth could be the largest sensitive data breach in US history.

The attack targeted UH’s Change Healthcare payment processing system, deploying ransomware to take systems offline. The results have been crippling for providers reliant on UnitedHealth. Patients have experienced treatment and payment delays, not to mention the risks of identity theft.

What data types were involved? The attack exposed extremely sensitive protected health information (PHI). Records included medical histories, billing data, names and addresses, and financial accounts.

How did it happen? A ransomware collective called ALPHV/BlackCat executed the UnitedHealth attack. The group gained access to Change Healthcare systems, deployed ransomware, and extracted a $22 million bounty. Sadly, they failed to honor the agreement, taking a vast data hoard.

7. Young Consulting (950,000 individuals)

In August, news emerged of another enormous data breach. This time in the financial software sector. Software vendor Young Consulting admitted an attack in early 2024 had compromised almost a million records.

Between April 10 and 13, attackers freely explored the company’s network. They took full advantage, extracting data relating to a Young Consulting client, Blue Shield Insurance.

This was a major headache as Blue Shield is a HIPAA-covered entity. The threat actors subsequently sought to extort money from Young Consulting. Their extortion failed, and criminals made the data available via the Dark Web.

What data types were involved? The attack involved insurance information, including dates of birth, policy numbers, SSNs, and protected medical information like prescriptions and past procedures.

How did it happen? This is the crucial question. We know the attack was mounted by a ransomware group called BlackSuit. BlackSuit specializes in extortion attacks that access and encrypt data. The group posts this data on public websites until target organizations pay up.

8. Ticketmaster (40 million individuals)

In May 2024, data loss affected one of the world’s biggest entertainment companies. Ticketmaster admitted that thieves had extracted data relating to 40 million customers, making it one of the largest breaches in the entertainment sector.

The 1.3TB data haul included identifiable information and earned the attackers around $500,000 within weeks, which is not bad for a few days’ work.

What data types were involved? Attackers stole personal data, including customer names and addresses, payment data, and purchase histories. This unique information is a big deal as it can be used in identity theft and targeted phishing attacks.

How did it happen? Cyberattackers from the ShinyHunters group accessed the Ticketmaster network via a vulnerability in the customer service portal. They then searched for customer data and extracted everything they needed.

The initial vulnerability involved Snowflake’s hosting infrastructure. Attackers hijacked a cloud hosting account, gained access, and used hosting privileges to access a client database. This should concern any organization reliant on cloud hosting.

9. Evolve Bank (7.6 million individuals)

Finance is coming under intense pressure from cyberattackers, as the May 2024 Evolve Bank attack shows. The banking-as-a-service provider reported the security incident in July, describing a classic ransomware scenario.

Attackers accessed the bank’s network, extracted data, and threatened to sell it. When Evolve refused to pay, the cybercriminals followed through, exposing millions of accounts.

According to the bank, attackers did not directly access customer funds (a common feature of 2024 ransomware attacks). Experts attributed responsibility to LockBit, who has had a busy and productive year.

What data types were involved? LockBit always seeks certain data types above others. In the Evolve attack, exposed data included social security numbers, details of financial accounts, and postal addresses.

How did it happen? LockBit tends to launch attacks via ransomware-as-a-service kits. The attack method for Evolve is not known. In the past, LockBit has paid insiders to allow access, exploited VPN vulnerabilities, and compromised cloud infrastructure.

10. Dell (49 million customers and 10,000 employees)

Data breaches affect small startups and veteran companies alike. Few tech companies are as experienced as Dell. Nonetheless, the hardware giant fell victim to two catastrophic breaches in 2024.

In May, Dell admitted losing 49 million customer records between 2017 and 2024. According to the company, the attack did not include personal or financial data but did compromise personal addresses and purchase histories.

In September, a second incident emerged. This time, hackers extracted 3.5GB of confidential employee data.

This attack only affected 10,000 people, but the small number of victims is deceptive. Information about employees is invaluable for phishers seeking to compromise corporate assets. And the data extracted is exactly what they need.

What data types were involved? The first incident exposed previous purchases, home addresses, and customer names. Dell says that the attack did not involve financial data and SSNs.

The second attack included employees’ phone numbers and social security numbers, employee IDs, and their status. It also included data about partners, not just Dell workers.

How did it happen? Details are unclear. Most probably, threat actors posed as IT support, tricking staff into sharing VPN credentials. We know the incidents were revealed by a hacker named “grep,” who claimed to be selling personal data. Experts believe attackers gained access via Atlassian vulnerabilities.

11. Tile (66 million individuals)

Tile is a device tracking service that should improve user security. However, in June, the parent company Life360 admitted to a massive data breach involving Tile’s customer support platform.

Attackers followed the ransomware playbook, demanding a ransom from Life360. Life360 has not disclosed whether it paid.

What data types were involved? The good news is the breach did not include user location data. Unfortunately, hackers extracted customer names, home addresses, email addresses, and phone numbers.

How did it happen? Hackers used a previous employee’s credentials to access a Tile feature designed for law enforcement officers. This provided access to Life360’s data storage systems, potentially allowing attackers to extract personal information about every Tile user.

It appears that Tile lacked effective multi-factor authentication systems. The company may have failed to remove inactive accounts with administrative privileges, leaving the door wide open.

12. Snowflake (Unknown)

We’ve left Snowflake for last as it is like the “mother of all data breaches” in 2024. Snowflake is a major cloud data hosting company specializing in data processing and analysis. It has grown rapidly in the era of Big Data and AI. However, growth and cybersecurity may not be in sync.

As we’ve already seen, Snowflake was involved in some of 2024’s biggest corporate data breaches, including attacks on AT&T and Ticketmaster. In each case, a hacker known as UNC5537 claimed responsibility.

UNC5537’s task was shockingly simple. All it took to steal data from some of the world’s biggest companies was a few stolen credentials. What’s more, the stolen credentials weren’t fresh. Some had been on sale illegally for years.

What data types were involved? Everything. The attack extended to Ticketmaster, AT&T, Santander, AllState, Mitsubishi, and Anheuser-Busch.

How did it happen? Attackers accessed unencrypted user credentials on a Jira instance by exploiting an unsecured device. After that, they used the credentials to access Snowflake’s cloud environment. None of the stolen accounts had MFA enabled, making access simple.

Looking ahead: what might 2025 bring?

In 2024, we dealt with many types of cyber attacks. In 2025, we will most likely see more ransomware attacks, but against a new set of targets.

As the Snowflake attacks show, cloud deployments are a primary target. SaaS vendors need to strengthen their defenses and master access controls. That’s particularly important as AI becomes integrated into cloud operations.

The Snowflake attack exploited reliance on third-party data analysis resources. Many companies also rely on external partners to leverage LLMs and integrate with operational systems. These partners could easily become victims in 2025.

Whatever cybersecurity trends 2025 brings, now is a good time to improve your cybersecurity posture. NordLayer can help you avoid data breaches in the New Year and beyond. 

Our Business VPN and access management tools shield data, secure remote connections, and filter access requests. With our security solutions in your corner, such as traffic encryption and multi-factor authentication (MFA), you can avoid Snowflake-style vulnerabilities and ruin the chances of opportunist data thieves.