Thanks to IT Governance. It has compiled Cyber Attacks and Data Breaches list by month and year since 2014, might be earlier. 

Here are leaked records numbers since 2014:

Following information are collected from

Table of Contents


Monthly Listing:


2020 cyber security statistics


Some facts from this post:
  • Total 12.3 billion data records reported lost or stolen.
  • There were 956 reported data breaches in 2019.
  • It was increased 425% on last year.
  • There were 2.3 billion breaches in 2018, compared to just 826 million in 2017
  • There were 557 reported data breaches in 2018, increased 183% compared to 2017.
  • GDPR year.
  1. Jan 3,  Spectre and Meltdown vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
  2. Jan 29,  Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability
  3. Mach 20, Facebook’s privacy scandal – The Guardian revealed that the personal data of 50 million Facebook profiles was illegally harvested by Cambridge Analytica.
  4. June 27, Exactis – Data warehouse / consumer marketing data – 340 million PII records accessible via unprotected, online-accessible database
  5. Jul 29, Adidas – Shoes, clothing and sports equipment – PII for millions of customers (emails, login IDs, hashed passwords) – Technical details not released, potentially vulnerability on online-accessible server.
  6. Tickemaster UK – Online tickets – PII compromised, 40,000 users had their payment system compromised and money stolen – Breached through vulnerability in 3rd party chat software used on public website
  7. Typeform – Online surveys for large companies – PII for 20,000 users affected – Backup of database downloaded by exploiting vulnerability
  8. Under Armour – Sports clothing – Email, login IDs and hashed passwords for 150 million MyFitnessPal app users compromised, no details released
  9. Delta/Sears/K-Mart – Transportation, retail – PII for hundreds of thousands of customers breached – Vulnerability in chat software provided by 3rd party [24] provider
  10. Timehop – Developer / Phone Apps – 21 million PII records compromised due to weak privileged account authentication
  11. Macy’s / Bloomingdale – Retail – Stolen user credentials were used to login and access additional PII (names, addresses, credit card information)
  12. – Mexican presidential election debate content – DDoS crashed the site during a presidential debate. Attacking host originated mostly from Russia and China, 185,000 accounts requesting registration within 15 minutes.
  13. CarePartners – Home medical care – Detailed medical records stolen for 273,000 patients. Details not disclosed, attackers claim they exploited vulnerability of Internet-accessible server and weak passwords. Hundreds of Gb exfiltrated.
  14. LabCorp – Clinical medical diagnostics – Large clinical laboratories, holding medical records for millions of patients. Anomalous network activity detected on July 14. Potentially hacked, extent of breach unknown.
  15. Reddit breached employees accounts (exploited vulnerabilities in SMS authenticators). Cloud-based, 2005-2007 user data files exposed.
  16. Cryptocurrency investment platform Atlas Quantum breached, 261,000 exposed. Details not disclosed but most likely public website was compromised through vulnerabilities
  17. T-Mobile breached, PII for 2 million customers potentially accessed by malicious actors. No technical details provided.
  18. Babysitting app Sitter exposed PII of 93,000 customers through a publicly accessible MongoDB file
  19. Darden Restaurants suffered a POS system data breach – 567,000 payment cards compromised.
  20. Phishing attack on Augusta University Health leads to breach exposing PII on 400,000 persons.
  21. 50.5 million Sungy Mobile customers exposed through publicly accessible data
  22. 14 million customer records exposed in GovPayNow leak (last four digits of payment cards, names, phone numbers and addresses). Details not disclosed but most likely public website was compromised through unpatched vulnerabilities
  23. US State Department email breach leaks employee PII. Potentially due to weak authentication.
  24. Blue Cross and Blue Shield of Rhode Island and Independence Blue Cross report breached, health information for approx. 1500 patients compromised. Breached occurred due to human error in services provided by third party (supply chain). Independence Blue Cross data breach which affected nearly 17,000 people after an employee uploaded member information to an unprotected public website.
  25. Tech Bureau Corp Japanese cryptocurrency exchange hack led to $60 million being stolen during a 2 hour attack against their server. No details provided, potentially through weakness in custom code.
  26. Colorado Timberline (printing firm) out of business following multiple ransomware attacks.


Infographic: List of data breaches in 2017

  • Feb 17, CloudBleed – Google vulnerability researcher Tavis Ormandy discovered a bug in the internet infrastructure company Cloudflare‘s platform caused random leakage of potentially sensitive customer data.
  • March 7, Wikileaks CIA Vault 7 – WikiLeaks published a data trove containing 8,761 documents allegedly stolen from the CIA that contained extensive documentation of alleged spying operations and hacking tools.
  • April, Shadow Brokers (A hacking group, stole NSA data) / EternalBlue (Released by Shadow Brokers, which alleged NSA tool)
  • May 12 , WannaCry – Ransomware :WannaCry searches for and encrypts 176 different file

    types and appends .WCRY to the end of the file name. It asks users to pay a US$300 ransom in

    bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days it claims the encrypted files will be deleted. 

  • June, Petya / NotPetya / Nyetya / Goldeneya – Ransomware , which is more advanced than WannaCry. Hit Ukraninian infrastructure hard.It spreads rapidly across an organization once a computer is infected using the EternalBlue vulnerability in Microsoft Windows
  • Sep 7, Apache Struts : Equifax data breach was confirmed to be a vulnerability in Apache Struts. The security flaw (CVE-2017-5638), which was patched last March, allowed attackers to gain unauthorized access to data via remote code execution.
  • Oct 3, 3 billion Yahoo user accounts were hacked by 2013 security breach, which make yahoo tops the list of largest ever data breaches
  • Oct 16, Krack : Key Reinstallation Attack (KRACK) is a proof of concept that exploits vulnerabilities in the Wi-Fi Protected Access 2 (WPA2) protocol.
  • Nov 28, Major macOS High Sierra Bug Allows Full Admin Access Without Password

Here is another good review for 2017 security threats from youtube video  2017 Security Threats | Year in Review | WEBINAR. I have watched it and made some notes in the following points:

  • Q1. The Botnet Menace , Zeus and Conflicker, Mirai (IoT) and Pushdo (SpamBots)
  • Q2. WannaCry, Locky, H-Worm (Houdini Worm)
  • Q3. SMB, Petya (Ransomware)
  • Q4. AAEH New Hope, Apache Struts Remote Code Execution, Necurs Botnets, H-Worm


List of data breaches and cyber attacks in 2015 – over 480 million leaked records

List of cyber attacks and data breaches in 2014 – about 248.36 million records leaked (My Estimation)

Other Sourcess

Here are some other sources for data breaches records.
  • World’s Biggest data breaches and hacks.
  • Gemalto’s website collects disclosed breaches from public sources and allows organizations to do their own risk assessment based on a few simple inputs that will calculate their own risk scores, overall breach severity level, and summarize actions IT can take to reduce the risk score.


By Jon

One thought on “Cyber Attacks and Data Breaches List from 2014 to 2021”
  1. Great info!
    I think that most issues with privacy can be solved with virtual number, that you can use from various provider.
    Would love to see topic, like, privacy options in 2021.

Leave a Reply