Top 11 Data Breaches of 2024: In-Depth Risk Exposure and Impact Analysis
The first half of 2024 has been marked by some of the most catastrophic data breaches in recent history, affecting organizations worldwide and exposing billions of sensitive records. As the frequency and sophistication of cyberattacks continue to rise, understanding the full scope of these breaches and the factors that increase risk is critical. To assess the impact of each incident, the Risk Exposure Score offers a comprehensive view of the risk posed by a breach, considering factors such as the sensitivity of the data, financial losses, and regulatory violations.
In this blog post, we’ll explore the Top 11 Data Breaches of 2024, ranked by their Risk Exposure Scores, and provide in-depth analysis to explain why these breaches matter and what organizations can learn from them.
Understanding the Risk Exposure Score
The Risk Exposure Score is designed to provide a clear metric of the overall impact of a data breach by evaluating key factors that influence the level of risk:
- Volume of records exposed: The more records breached, the higher the potential for widespread impact, particularly in identity theft and fraud.
- Financial impact of records exposed: Assumes a cost of $173 per record. The higher the cost, the greater the risk.
- Ransomware: Ransomware attacks are particularly disruptive and create significant downtime.
- Data sensitivity: Breaches involving highly sensitive information, such as social security numbers, health records, and financial data, score higher because of the long-term damage they can cause.
- Severity of the data breach: The kind of data exposed (personally identifiable information (PII), protected health information (PHI), intellectual property, etc.) is a critical factor in determining the risk level.
- Regulatory exposure: Breaches that violate data protection regulations, like GDPR, CCPA, or HIPAA, carry higher financial and legal risks for organizations.
Now, let’s dive into the Top 11 Data Breaches of 2024, with an emphasis on their Risk Exposure Scores and key takeaways.
Data Breach | Risk Exposure Index | Number of Records Impacted | Estimated Total Business Impact (USD) | Type of Data Compromised | Regulatory Compliance Violations | Ransomware Demand |
---|---|---|---|---|---|---|
Change Healthcare | 9.46 | 100,000,000 | $17,900,000,000 | Personal, medical, billing information | HIPAA, HITECH Act, California CMIA, Texas Medical Records Privacy Act, HIPAA Security Rule, HIPAA Privacy Rule | Yes, unknown amount |
National Public Data | 9.46 | 2,900,000,000 | $501,700,000,000 | Personal, social security numbers | FTC Act, GDPR, various US state data privacy laws such as CCPA | No |
AT&T (two breaches) | 9.37 | 110,000,000 | $19,690,000,000 | Phone numbers, call records, personal information | FCC regulations (CPNI), FTC Act, CCPA, NY SHIELD Act, GDPR, Telecommunications Act | Yes, undisclosed amount |
Synnovis | 9.11 | 300,000,000 | $53,700,000,000 | Patient interaction data | U.K. Data Protection Act 2018, GDPR, NIS Regulations, U.K. NHS Data Security and Protection Toolkit | Yes, $50 million demanded |
Ticketmaster | 8.79 | 560,000,000 | $100,240,000,000 | Full names, addresses, email addresses, phone numbers, payment card data | PCI DSS, FTC Act, CCPA, Massachusetts Data Breach Notification Law, GDPR | No |
Kaiser | 7.60 | 13,400,000 | $2,398,600,000 | Website search terms, health information | HIPAA, HITECH Act, California CMIA, FTC Act, GDPR (if EU residents are involved) | No |
MediSecure | 7.56 | 13,000,000 | $2,327,000,000 | Personal and health data | Australian Privacy Act, Healthcare Identifiers Act, state-specific health data regulations | Yes, unknown amount |
USPS | 7.31 | 62,000,000 | $11,098,000,000 | Postal addresses, tracking data | CCPA, FTC Act, various state data breach notification laws, GDPR (if applicable) | No |
Evolve Bank | 6.83 | 7,600,000 | $1,360,400,000 | Personal information | CCPA, GLBA (Gramm-Leach-Bliley Act), FTC Safeguards Rule, state financial data protection laws | Yes, unknown amount |
Cencora | 6.23 | 1,000,000 | $179,000,000 | Health data | HIPAA, FDA regulations, state-specific medical privacy laws (e.g., California CMIA, Texas Medical Records Privacy Act) | No |
Infosys McCamish Systems | 6.23 | 6,078,263 | $1,074,000,000 | Social security numbers, medical information, financial data | CCPA, GLBA, FTC Act, state insurance data protection laws, HIPAA (if applicable) | Yes, unknown amount |
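As an added example (not code from the original post or from Kiteworks), the following Python script parses the numeric columns of the table above and checks the per-record cost each row implies against the $173-per-record assumption stated in the methodology section. The table text embedded in the script is a constructed copy of the page's figures; a practitioner repeating this kind of analysis would want such a consistency check before relying on the impact column.

```python
"""Consistency check for the breach-impact table.

Added example, not part of the original post. It parses the Markdown table
from the post and reports which rows imply a per-record cost different from
the $173 figure stated in the methodology section.
"""
import re
from dataclasses import dataclass

# Per-record cost the methodology section states.
STATED_COST_PER_RECORD = 173.0

# Constructed copy of the numeric columns of the post's table.
TABLE = """\
Data Breach | Risk Exposure Index | Number of Records Impacted | Estimated Total Business Impact (USD) |
---|---|---|---|
Change Healthcare | 9.46 | 100,000,000 | $17,900,000,000 |
National Public Data | 9.46 | 2,900,000,000 | $501,700,000,000 |
AT&T (two breaches) | 9.37 | 110,000,000 | $19,690,000,000 |
Synnovis | 9.11 | 300,000,000 | $53,700,000,000 |
Ticketmaster | 8.79 | 560,000,000 | $100,240,000,000 |
Kaiser | 7.60 | 13,400,000 | $2,398,600,000 |
MediSecure | 7.56 | 13,000,000 | $2,327,000,000 |
USPS | 7.31 | 62,000,000 | $11,098,000,000 |
Evolve Bank | 6.83 | 7,600,000 | $1,360,400,000 |
Cencora | 6.23 | 1,000,000 | $179,000,000 |
Infosys McCamish Systems | 6.23 | 6,078,263 | $1,074,000,000 |
"""


@dataclass
class BreachRow:
    name: str
    score: float
    records: int
    impact_usd: int


def _to_int(cell: str) -> int:
    """Strip '$', ',' and other non-digits so '$17,900,000,000' -> 17900000000."""
    return int(re.sub(r"[^\d]", "", cell))


def parse_table(text: str) -> list[BreachRow]:
    """Parse a pipe-delimited Markdown table; the first two lines are header and separator."""
    rows = []
    for line in text.splitlines()[2:]:
        line = line.strip()
        if not line:
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        rows.append(BreachRow(cells[0], float(cells[1]), _to_int(cells[2]), _to_int(cells[3])))
    return rows


def implied_costs(rows: list[BreachRow]) -> dict[str, float]:
    """Per-record cost implied by each row: impact / records, rounded to cents."""
    return {r.name: round(r.impact_usd / r.records, 2) for r in rows}


def inconsistent_rows(rows: list[BreachRow], stated: float, tolerance: float = 0.5) -> dict[str, float]:
    """Rows whose implied per-record cost differs from the stated figure by more than `tolerance` dollars."""
    return {name: cost for name, cost in implied_costs(rows).items() if abs(cost - stated) > tolerance}


if __name__ == "__main__":
    parsed = parse_table(TABLE)
    for name, cost in implied_costs(parsed).items():
        print(f"{name:28s} implied ${cost:,.2f} per record")
    flagged = inconsistent_rows(parsed, STATED_COST_PER_RECORD)
    print(f"\n{len(flagged)} of {len(parsed)} rows diverge from the stated ${STATED_COST_PER_RECORD:.0f}")
```

Run on the table as printed, the check shows that only the National Public Data row matches the stated $173 exactly; the other rows imply a figure close to $179, so the table and the methodology text should be reconciled before the impact column is quoted.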
Top 11 Data Breaches of 2024: Ranked and Explained
1. Change Healthcare (Tied for First)
– Records Exposed: 100 million
– Risk Exposure Score: 9.46
– Data Compromised: Personal, medical, and billing information
– Estimated Financial Impact: $17.9 billion
– Regulatory Violations: HIPAA, HITECH Act, CCPA
Risk Breakdown:
Change Healthcare suffered one of the largest ransomware attacks of the year, compromising 100 million personal and medical records. The breach involved highly sensitive data, including health records, which are often among the most valuable on the dark web. Health data is not only crucial for identity theft but also for medical fraud, where criminals use stolen information to receive unauthorized healthcare services. This breach also created significant operational disruptions for healthcare providers, which are already under immense pressure due to their reliance on digital systems for patient care. The financial impact includes not only fines and legal fees but also the cost of service restoration and patient compensation.
Why It’s a Top Risk:
The combination of highly sensitive data, strict regulatory requirements, and long-term financial consequences makes this breach a major threat. With healthcare institutions facing heightened scrutiny under HIPAA and the HITECH Act, the regulatory and reputational risks add to the breach’s overall severity.
2. National Public Data (Tied for First)
– Records Exposed: 2.9 billion
– Individuals Impacted: 1.3 million
– Risk Exposure Score: 9.46
– Data Compromised: Social security numbers, names, email addresses, phone numbers, mailing addresses
– Estimated Financial Impact: $501.7 billion
Risk Breakdown:
On December 23, 2023, National Public Data, a data broker specializing in background checks and fraud prevention, suffered one of the largest breaches of personal information ever recorded. While the breach directly impacted 1.3 million individuals, the 2.9 billion records exposed included social security numbers, which elevate the risk to a catastrophic level. Social security numbers are highly sensitive, making them valuable for identity theft and fraud schemes. In addition, the size of the breach makes this a global issue, potentially affecting individuals across multiple countries. The financial impact is expected to exceed $501 billion, making this the costliest breach on the list.
Why It’s a Top Risk:
While Change Healthcare’s breach impacted healthcare data, National Public Data exposed social security numbers, a unique form of sensitive data that has long-term financial implications. The scale of the breach amplifies the risk, as the sheer volume of exposed records combined with the sensitivity of the data creates a perfect storm for identity theft and fraud, placing individuals at risk for years to come.
3. AT&T (two breaches)
– Records Exposed: 110 million
– Risk Exposure Score: 9.37
– Data Compromised: Phone numbers, call records, personal information
– Estimated Financial Impact: $19.69 billion
– Regulatory Violations: FCC regulations, CCPA, GDPR
Risk Breakdown:
The AT&T breach exposed 110 million customer records, including call logs, which can be used for social engineering attacks and other types of fraud. The volume of records breached is significant, but what makes this breach particularly risky is the potential for criminals to use call records to track individuals’ communication habits, locations, and other private details. The regulatory exposure for AT&T under the FCC’s privacy regulations, GDPR, and CCPA is substantial, adding to the financial and legal costs of this breach.
Why It’s a High Risk:
The large number of records and the involvement of communications data make this a serious privacy risk. The combination of regulatory penalties and the potential for long-term exploitation of personal data places this breach among the most severe.
4. Synnovis
– Records Exposed: 300 million
– Risk Exposure Score: 9.11
– Data Compromised: Patient interaction data, medical histories, lab results
– Estimated Financial Impact: $53.7 billion
– Regulatory Violations: GDPR, U.K. Data Protection Act
Risk Breakdown:
The Synnovis breach resulted from a ransomware attack, exposing 300 million patient records. The compromised data included medical histories and lab results, which pose a significant privacy risk. Healthcare organizations face severe penalties for violations of data protection regulations like GDPR and the U.K. Data Protection Act. In addition to regulatory fines, the operational disruption caused by the attack had a direct financial impact, with healthcare services interrupted across the U.K.
Why It’s a High Risk:
The sensitivity of healthcare data makes this breach particularly dangerous. The operational disruption caused by the attack added to the overall risk, as healthcare providers were unable to deliver timely care, further damaging patient trust and leading to long-term financial losses.
5. Ticketmaster
– Records Exposed: 560 million
– Risk Exposure Score: 8.79
– Data Compromised: Full names, addresses, email addresses, payment card data
– Estimated Financial Impact: $100.24 billion
– Regulatory Violations: PCI DSS, GDPR
Risk Breakdown:
Ticketmaster’s breach involved a third-party vendor, resulting in the exposure of 560 million customer records, including payment card data. This breach is particularly concerning due to the financial fraud risk posed by the exposure of credit card information. The breach also highlighted the need for better vendor management, as the vulnerability originated from a third-party provider. The breach resulted in significant fines for violations of PCI DSS and GDPR, adding to the financial damage.
Why It’s a High Risk:
Payment card data breaches are among the most serious due to the immediate financial risk to consumers. The regulatory penalties, combined with the potential for fraud, make this breach one of the most financially damaging of the year.
6. Kaiser
– Records Exposed: 13.4 million
– Risk Exposure Score: 7.60
– Data Compromised: Health information, website search terms
– Estimated Financial Impact: $2.40 billion
– Regulatory Violations: HIPAA, CCPA
Risk Breakdown:
Kaiser experienced a breach that exposed the health records of 13.4 million individuals, including search terms related to their healthcare needs. While the breach did not involve external hacking, it exposed sensitive medical data due to an internal governance failure. Violations of HIPAA and CCPA are likely to result in significant fines, while the exposure of personal health information will damage the organization’s reputation among its patients.
Why It’s a Risk:
Health data breaches are always a high risk due to the sensitivity of the information and the long-term implications for patients. In Kaiser’s case, the breach also revealed significant governance issues, which further elevate the risk.
7. MediSecure
– Records Exposed: 13 million
– Risk Exposure Score: 7.56
– Data Compromised: Personal and health data
– Estimated Financial Impact: $2.33 billion
– Regulatory Violations: Australian Privacy Act
Risk Breakdown:
MediSecure, a major healthcare provider in Australia, was hit by a ransomware attack that exposed 13 million health records. The attack disrupted critical healthcare services across the country, leading to significant operational downtime. In addition to the financial penalties under the Australian Privacy Act, the organization faced reputational damage due to the sensitive nature of the data involved.
Why It’s a Risk:
The exposure of personal and health data makes this breach particularly dangerous. Healthcare organizations are prime targets for cybercriminals, and the operational disruption caused by the breach added to the overall financial and reputational risk.
8. USPS
– Records Exposed: 62 million
– Risk Exposure Score: 7.31
– Data Compromised: Postal addresses, tracking data
– Estimated Financial Impact: $11.10 billion
– Regulatory Violations: CCPA, GDPR
Risk Breakdown:
The USPS breach occurred due to a third-party data-sharing mishap, exposing 62 million postal addresses and tracking data. While the data exposed may not seem as sensitive as financial or health records, it poses a significant privacy risk. Individuals could be targeted for stalking, harassment, or even identity theft based on their tracking data. Regulatory fines under GDPR and CCPA are expected to further increase the financial impact.
Why It’s a Risk:
Even seemingly less sensitive data can have significant implications when exposed on a large scale. The breach demonstrates the importance of governing third-party relationships and ensuring that data-sharing practices meet regulatory standards.
9. Evolve Bank
– Records Exposed: 7.6 million
– Risk Exposure Score: 6.83
– Data Compromised: Personal information, financial data
– Estimated Financial Impact: $1.36 billion
– Regulatory Violations: GLBA, FTC Safeguards Rule
Risk Breakdown:
Evolve Bank experienced a ransomware attack that compromised 7.6 million financial records, including bank account numbers and personal identifiers. The risk of financial fraud is high, and the bank faces significant fines under the Gramm-Leach-Bliley Act (GLBA) and FTC Safeguards Rule. The operational disruption caused by the breach also contributed to its financial impact.
Why It’s a Risk:
Financial institutions are among the most heavily regulated industries, and breaches that expose financial data can result in immediate and long-term losses. Evolve Bank must improve its encryption protocols and cyber defenses to prevent future incidents.
10. Infosys McCamish Systems
– Records Exposed: 6.1 million
– Risk Exposure Score: 6.23
– Data Compromised: Social security numbers, medical, and financial information
– Estimated Financial Impact: $1.07 billion
– Regulatory Violations: HIPAA, CCPA, GLBA
Risk Breakdown:
The Infosys McCamish Systems breach exposed 6.1 million social security numbers, along with medical and financial information. This breach poses a high risk of identity theft and fraud for the individuals affected. Regulatory violations under HIPAA, CCPA, and GLBA will likely result in steep fines for the organization. The exposure of highly sensitive data amplifies the overall risk.
Why It’s a Risk:
The exposure of social security numbers combined with medical and financial data elevates this breach’s overall risk. Identity theft is one of the most damaging consequences of such breaches, making this incident particularly dangerous.
11. Cencora
– Records Exposed: 1 million
– Risk Exposure Score: 6.23
– Data Compromised: Health records, patient information
– Estimated Financial Impact: $179 million
– Regulatory Violations: HIPAA, FDA regulations
Risk Breakdown:
The Cencora breach exposed the health records of 1 million patients, making it a significant incident within the healthcare industry. While the number of records breached is smaller compared to other breaches, the sensitivity of the data—including patient health records—elevates the overall risk. Health data, especially when connected to patient identities, is particularly vulnerable to misuse for medical fraud and other forms of identity theft. Regulatory scrutiny under HIPAA and FDA regulations is expected to result in substantial fines for Cencora.
Why It’s a Risk:
Although the total number of records breached is smaller, the sensitivity of health data makes this breach a serious concern. The long-term implications for patients, especially if their medical data is exploited, increase the severity of the breach. Furthermore, the regulatory impact under HIPAA and other healthcare-related laws ensures that Cencora will face legal and financial consequences, driving the overall risk score higher.
Key Lessons From 2024’s Data Breaches: The New Era of Cyber Risk
The Top 11 Data Breaches of 2024 provide critical insights into the evolving threat landscape and highlight the importance of proactive cybersecurity measures. As cybercriminals continue to advance their tactics, organizations need to adopt robust strategies to reduce the likelihood and impact of breaches. These breaches reveal several key trends and lessons that businesses can apply to better safeguard their data, operations, and customers.
1. Third-party Vulnerabilities Are a Major Threat
One of the most striking trends across multiple breaches, including those at Ticketmaster and USPS, is the role of third-party vulnerabilities. These breaches occurred because external vendors, such as cloud service providers or data-sharing partners, were compromised. While companies may have stringent internal security measures, these measures are often undermined by weaker security protocols from third-party vendors.
To mitigate this threat, organizations need to implement comprehensive third-party risk management programs. This includes conducting regular audits of third-party vendors’ security practices, enforcing strict security standards in contracts, and ensuring continuous monitoring of all external systems connected to their networks. Furthermore, businesses must work with their vendors to establish incident response plans that clearly define roles and actions in the event of a breach.
2. Ransomware Is on the Rise
Ransomware attacks have continued to increase in both frequency and severity, with MediSecure and Synnovis among the top healthcare providers targeted. These attacks are not only costly in terms of ransom payments but also lead to operational shutdowns and reputational damage. In healthcare, this means the potential for delayed patient care, which can have life-threatening consequences.
To defend against ransomware, organizations need to deploy robust encryption to protect their data in transit and at rest, implement frequent backups to avoid data loss, and create detailed incident response plans that prioritize fast recovery. Additionally, organizations must focus on employee education to prevent phishing and other social engineering attacks that commonly serve as entry points for ransomware.
3. Regulatory Compliance Is Critical
As seen in breaches like National Public Data, Change Healthcare, and Cencora, the regulatory environment for data protection is becoming increasingly stringent. Regulations such as GDPR, CCPA, and HIPAA impose heavy penalties for organizations that fail to protect sensitive personal data. Healthcare providers and organizations handling personal financial data face increased scrutiny from regulators, as breaches in these industries tend to involve high-value information such as health records, social security numbers, and credit card details.
Regulatory compliance is no longer optional—it is a critical part of doing business in today’s digital age. Organizations need to prioritize compliance with data protection regulations, regularly update their security policies to reflect changes in the regulatory landscape, and conduct frequent compliance audits to ensure they meet the highest standards for data security. Failure to comply with these regulations not only results in significant financial penalties but also damages the organization’s reputation and customer trust.
4. Data Sensitivity Amplifies Risk
Breaches involving sensitive data, such as health records (Synnovis, Cencora) and social security numbers (National Public Data), pose the greatest risk to individuals and organizations alike. The long-term impact of identity theft, financial fraud, and medical fraud can continue to harm victims years after the initial breach. Sensitive data is also more valuable on the black market, meaning that cybercriminals are more likely to target industries such as healthcare, finance, and government.
Organizations must prioritize the protection of their most sensitive data by using advanced encryption, access controls, and regular monitoring to detect and respond to potential threats. In addition, businesses should employ data minimization strategies—only collecting the information necessary for business operations and reducing the amount of sensitive data stored long term. This reduces the potential harm in the event of a breach.
5. Incident Response Plans Are Essential
One of the most overlooked aspects of breach prevention is the development and implementation of incident response plans. Even the best security measures can fail, but having a solid response plan in place can make a significant difference in minimizing the damage. In the cases of AT&T and Change Healthcare, the failure to have an effective response plan worsened the financial and operational impact of the breaches.
Organizations should create comprehensive incident response plans that outline the steps to be taken in the event of a breach, including communication with stakeholders, engagement with law enforcement, and public relations strategies to manage reputational damage. Regular incident response drills can help ensure that all employees understand their roles in the event of a breach and can respond swiftly to mitigate its effects.
6. Financial Impact Is Long Term
The financial impact of data breaches extends far beyond the immediate costs of response and recovery. Organizations like National Public Data and Synnovis will continue to face the financial consequences of their breaches for years, as they deal with lawsuits, fines, lost customers, and the cost of rebuilding trust. The financial impact is often compounded by the regulatory fines imposed on organizations that fail to comply with data protection laws.
Conclusion: The Path Forward for Organizations
This blog post highlights the urgent need for organizations to adapt to the evolving cyber threat landscape. From third-party vulnerabilities to ransomware attacks and regulatory compliance, the lessons learned from these incidents can guide businesses in strengthening their defenses and preparing for the future.
As cybercriminals become more sophisticated, organizations must go beyond basic security measures and adopt a comprehensive approach to data protection. This includes proactive risk management, continuous monitoring, and a focus on regulatory compliance. By prioritizing these areas, businesses can reduce the likelihood of data breaches and minimize the financial, operational, and reputational damage caused by such incidents.
Investing in tools like the Kiteworks Risk Exposure Index allows organizations to measure their risk accurately and take targeted action to protect their most valuable assets. As we move into a new era of cyber risk, the organizations that succeed will be those that make cybersecurity a core part of their business strategy.
For more details on the Top 11 Data Breaches Risk Exposure Report, read the entire report.
To calculate the Risk Exposure Score of a data breach, check out our Risk Exposure Calculator.