The biggest data breaches of 2024

Companies in health care and finance suffered the biggest data breaches of 2024, which exposed sensitive information such as Social Security numbers.

AT&T tops the list

Another year, another round of data breaches.

There have been more than 100 million victims of data breaches reported in 2024 as of Dec. 16, according to a ConsumerAffairs analysis of the Maine Attorney General's data breach notifications. The yearly number of victims is a conservative estimate because companies often submit multiple filings about the same breach to revise the number of victims, making it difficult to tally annual totals.

Cybersecurity experts say the Maine AG has arguably the most detailed historical government records on data breaches in the U.S., in part because organizations have to disclose the total potential number of people affected and what information, such as Social Security and credit card numbers, was stolen.

Still, data breaches that don't involve residents of Maine won't be in the database, meaning some data breaches are missed, but the biggest in the country are likely included.

Which companies and what information were in 2024's biggest data breaches?

Businesses in health care appeared the most in the top 10 data breaches by number of potential victims reported in 2024.

Social Security numbers were the most common sensitive information exposed, appearing in the stolen information in nine of the top 10 data breaches reported in 2024.

"It's a combination of these companies holding massive amounts of sensitive personal data—from SSNs to financial details and frankly, everything in between—while increasingly relying on complex networks of third-party vendors and software providers," Emory Roane, policy counsel at nonprofit Privacy Rights Clearinghouse, told ConsumerAffairs.

"While most of the major breaches we're seeing this year stem from unauthorized access or hacking, the AT&T breach reminds us that some of the largest exposures of sensitive data continue to result from internal security practices and unintentional disclosures," Roane added.

Below are data breaches that were reported to the Maine AG in 2024, ranked by the number of potential victims. Companies sometimes don't know when a breach occurred or discover a breach much later when information begins circulating on the dark web, which is why ConsumerAffairs ranked data breaches that were reported within the span of 2024.

What are the biggest data breaches of 2024?

1. AT&T

  • Victims: 51,226,382
  • What was stolen: Social Security numbers, account numbers, addresses, dates of birth, emails, passwords, phone numbers
  • What happened: AT&T suffered one of the biggest data breaches in history. The cellular giant said that a dataset released on the dark web in March had reams of its customers' information.

2. LoanDepot

  • Victims: 16,924,071
  • What was stolen: Social Security numbers, addresses, dates of birth, emails, financial account numbers, names, phone numbers
  • What happened: Mortgage lender LoanDepot said that a malicious actor gained access to its systems and sensitive personal information in early January.

3. Evolve Bank and Trust

  • Victims: 7,640,112
  • What was stolen: Social Security numbers, dates of birth, contact details, financial account numbers or credit or debit card numbers with security code, access code, password or PIN
  • What happened: After an employee clicked on a malicious link, mortgage lender Evolve Bank said it started noticing that some of its systems weren't working properly in late May, which it first believed was because of hardware issues but later realized was from "unauthorized activity." The breach exposed information for "most of our personal, mortgage, trust and small business banking customers," but didn't gain access to customer funds, Evolve Bank said.

4. InfoSys McCamish Systems

  • Victims: 6,078,263
  • What was stolen: Social Security numbers, biometric data, dates of birth, driver's license numbers or other ID numbers, email addresses, financial account numbers or credit or debit card numbers with security code, access code, password or PIN, medical records, passwords
  • What happened: Life insurance software provider InfoSys said it was targeted by a ransomware attack that encrypted some of its data between October and November. The breach exposed customer information, including at Bank of America, Fidelity, Vanguard and TIAA.

5. HealthEquity

  • Victims: 4,300,000
  • What was stolen: Social Security numbers, addresses, dependent information, employee IDs, health card numbers, medical records, prescriptions, names, payment card without number, phone numbers
  • What happened: Health benefits administrator HealthEquity said it received an alert in late March of a "systems anomaly" and later determined in late June that "some members’ personal information was involved." The same data wasn't stolen for every person.

6. Financial Business and Consumer Solutions (FBCS)

  • Victims: 4,253,394
  • What was stolen: Social Security numbers, addresses, dates of birth, driver's license numbers or other ID numbers, health insurance information, names
  • What happened: Debt collector FBCS said it discovered that an "unauthorized actor" accessed information in February, with the stolen information differing from person to person. In a series of filings, FBCS continued to revise the number of potential victims higher. Comcast said records on nearly 238,000 of its customers were exposed in the breach because it used to work with FBCS to collect debts.

7. Harvard Pilgrim Health Care

  • Victims: 2,967,396
  • What was stolen: Social Security numbers, addresses, financial account numbers or credit or debit card numbers with security code, access code, password or PIN, medical records, phone numbers, taxpayer IDs
  • What happened: Massachusetts-based health care provider Harvard Pilgrim said a ransomware attack exposed its patients' sensitive information from March to April.

8. Prudential Insurance

  • Victims: 2,556,210
  • What was stolen: Social Security numbers, dates of birth, driver's license numbers or other ID numbers, financial account numbers or credit or debit card numbers with security code, access code, password or PIN, medical records, phone numbers
  • What happened: Prudential Insurance said an "unauthorized third party" gained access to its network in February and removed a "small percentage of personal information." But the insurer first said in March that only 36,545 people were affected and later revised the number to more than 2.5 million.

9. Advance Stores (Advance Auto Parts)

  • Victims: 2,316,591
  • What was stolen: Social Security numbers, addresses, dates of birth, driver's license numbers or other ID numbers, names, utility bills
  • What happened: Advance Auto Parts, which has more than 4,700 stores nationwide, said an "unauthorized third party" gained access to Snowflake, a company that handles its cloud storage. It said it is among various companies hit by the breach.

10. Slim CD

  • Victims: 1,693,000
  • What was stolen: Addresses, financial account numbers or credit or debit card numbers with security code, access code, password or PIN, names
  • What happened: Payments company Slim CD, which processes electronic payments for U.S. and Canadian merchants, said it became aware of suspicious activity on its computers in June and later learned criminals had accessed its network between August and June and could view or obtain credit card details.

Below is a table on the top 10 data breaches in 2024.

What to do after a data breach

  • Follow the letter: Companies should send out a letter if you are a victim of a data breach. Read it carefully to get more details about what data was exposed and the steps the company recommends you take.
  • Freeze your credit: Contact each of the three credit bureaus, Experian, Equifax and TransUnion, and get your credit frozen so a criminal can’t open cards or other lines in your name.
  • Credit monitoring: Companies often will offer free credit monitoring or other services after a data breach.
  • Reset passwords: Change your passwords and use different ones for services.
  • Use a password manager: LastPass and services built into web browsers such as Google Chrome and Microsoft Edge can create and store strong passwords for you.
  • Opt out of data collection: If you have the right in your state, you can email services you use to request they don’t collect your data for use by third parties.
  • Delete data: For services you don’t use, ask to have your data deleted. California and other states have written this into law.