Biggest Data Breach Lawsuits to Date

Data breach lawsuits usually occur when private information held by a business or the government is disclosed without the consent of the persons to whom the data pertains. Some disclosures are inadvertent.

For example, someone with access to a database might mistakenly send data to another person who isn’t authorized to have it. Other data breaches are caused by deliberate theft of the information, often by hacking the database.

A data breach can have serious consequences for the person whose data was disclosed. Data that is commonly stolen includes personally identifying information, including addresses and social security numbers, that can be used to facilitate identity theft.

Other sensitive data includes information in medical records, employment records, and academic records. Of course, credit card numbers are the ultimate goal of criminal organizations involved in hacking.

When data breaches occur, companies often try to cover them up by failing to notify affected individuals of the breach. Even when customers are notified, the notice often comes too late to give them an opportunity to protect themselves.

A delay can impair credit scores and cause individuals to become responsible for debt that they didn’t incur. The release of sensitive data can also harm reputations.

More than 5,000 data breaches in the United States have been made public since 2005. Some of those involve millions of people. Here are five of the biggest data breaches to date.


Yahoo

In September 2016, Yahoo disclosed that unidentified hackers, perhaps supported by a foreign nation, stole data involving more than 500 million Yahoo users. While no financial information was compromised, the stolen data included names, emails, telephone numbers, dates of birth, hashed passwords, and security questions and answers.

That’s the kind of information that facilitates identity theft.

Yahoo recently acknowledged that it discovered the attack two years before it was disclosed. The Yahoo data breach is the largest data breach in history involving a single company.


MySpace

MySpace has become less popular as Facebook has grown, but the social networking website still has millions of user accounts in its database. That’s unfortunate for both current and former MySpace users, as a hacker was able to steal the login credentials (usernames and passwords) for an estimated 360 million accounts.

That makes it the second largest data breach involving a single source.

MySpace discovered the hack in May 2016, when it learned that MySpace login credentials were for sale on a hacker forum. MySpace suspects that a hacker who uses the name “Peace” is responsible for the data theft. Peace has also been implicated in recent hacks of Tumblr and LinkedIn.

While millions of MySpace users abandoned the social networking site in favor of Facebook, they left their login credentials behind. MySpace account holders who use the same username and password for other online accounts may find those accounts breached by hackers who use computer programs to enter MySpace login credentials on hundreds of other websites.

Former MySpace members who haven’t used their account in years should take care to ensure that they are not using their MySpace login credentials to access any other online account.


eBay

The third largest data breach involving a single site occurred in 2014, when hackers obtained the login credentials to 145 million eBay accounts. About three months later, the e-commerce business notified its users to change their passwords.

According to eBay, financial information is encrypted and stored on a separate server that was not affected by the hack. The company owns PayPal, but told users that the PayPal data was not breached.

Still, eBay account holders may be affected if they use the same login name and password on other sites.

Heartland Payment Systems

The fourth largest single-site data breach is arguably more harmful than the first three combined, because the breach involved the theft of financial information. In 2009, Heartland Payment Systems, a credit card processor, announced that it had been the victim of a data breach at some point in 2008.

The breach exposed 130 million credit card numbers.

At the time, Heartland was processing 100 million credit card transactions each month from 250,000 businesses. The hackers installed a “sniffer” on one of Heartland’s servers that went undetected for months. When Heartland realized that it might have been hacked, it took three months for the business to confirm that credit card numbers had been compromised.

The company eventually paid more than $110 million to settle fraud claims that resulted from misuse of the stolen credit card numbers.

Multiple Hacks by Russian Gang

As the recent presidential election demonstrated, Russia — a country that is beyond the reach of U.S. law enforcement agencies — is the source of significant computer hacking schemes. Although an American carried out the Heartland data theft, he was backed by a Russian criminal organization.

The largest known data breach involving multiple companies was committed by a Russian hacking gang that stole usernames and passwords from more than 420,000 websites.

The criminal organization initially purchased stolen log-in credentials from the black market, then used those credentials to send spam messages that installed malicious viruses on the computers of people who clicked message attachments. The viruses allowed the gang to collect data from individual users’ computers.

The gang later identified websites that were particularly vulnerable to hacking. They were able to harvest more than 1.2 billion unique username and password combinations from those websites.

The gang has been selling those login credentials to other thieves, who hope that people will make themselves vulnerable by using the same credentials for every website they join.