A report from cybersecurity experts at CSO reveals the most damaging data breaches seen so far in the 21st century.
We count them down to the worst hack of all, one that exposed the personal information of a staggering number of consumers.
The worst data breaches
10. JPMorgan Chase
Accounts affected: 76 million households, 7 million small businesses
In the summer of 2014 — at a time when JPMorgan Chase was spending $250 million a year on digital security — a group of hackers managed to find their way past the banking giant's safeguards.
The interlopers were able to gain access to more than 90 of the bank's servers.
Though the bank claimed there was no evidence that any money was stolen, the personal information of over half the households in the U.S. was compromised, including names, addresses, phone numbers and more.
In the aftermath, JPMorgan Chase doubled its security spending to half a billion dollars a year.
Accounts affected: 57 million Uber users, 600,000 drivers
The only thing worse than Uber's 2016 data breach was the way the ride-hailing company handled the situation.
Uber discovered that two hackers had gained access to the names, emails and phone numbers of millions of its riders — as well as the driver license numbers of hundreds of thousands of its drivers.
The company waited a year to inform the public about what had happened. In the meantime, it paid the hackers $100,000 to delete the stolen data, though there was no way to prove they ever complied.
Uber later paid a $148 million settlement over the breach and its ensuing cover-up.
8. TJX Companies
Consumer accounts affected: 94 million
TJX Companies owns major retail chains including TJ Maxx, HomeGoods and Marshalls, and it runs its own rewards credit card program.
In 2006, millions of credit card numbers were stolen from TJX by hackers led by Albert Gonzalez — a young man who was working simultaneously as a paid informant on cybercrimes for the Secret Service.
An agent told The New York Times, "It seemed he was trying to do the right thing." But that assessment was obviously wrong.
The theft cost companies, banks and insurers almost $200 million, and Gonzalez was convicted and sentenced to 20 years in prison. Eleven other hackers were arrested.
Consumer accounts affected: 110 million
Target initially announced in 2013 that hackers had gained access to about 40 million customer credit and debit card numbers.
It took several months for the retailer to admit that nearly three times as many accounts had been compromised.
While most of the stolen information was payment-related, the hackers also swiped addresses and contact information.
In the fallout over the breach, Target’s chief information officer resigned, and the company made major changes to its security infrastructure.
6. Heartland Payment Systems
Consumer accounts affected: 134 million
Heartland Payment Systems processes payments from major credit card networks such as Visa and Mastercard. The company was running 100 million payments a month when it got hacked in March 2008.
The firm fell prey to an attack that installed spyware throughout its data systems. The hack was the work of none other than Albert Gonzalez, who had been responsible for the earlier TJX hack.
Ten months passed before the Heartland breach was discovered, in January of 2009. The company eventually paid out $145 million in compensation.
It also was found in violation of industry security standards and was barred from processing credit card payments for several months.
Consumer accounts affected: 147.9 million
Equifax, one of America's three major credit bureaus, announced in July 2017 that it uncovered a major data breach that had likely begun a few months earlier.
The hackers were able to work around a weak point in the company's systems to gain access to the Social Security numbers, birth dates, addresses and drivers license numbers of tens of millions consumers.
Some 290,000 of the victims also had their credit card information compromised. Consumers were urged to keep watch on their credit reports.
Equifax disclosed in a recent filing with federal securities regulators that it expects to face expensive penalties from the Federal Trade Commission and the Consumer Financial Protection Bureau.
Consumer accounts affected: 145 million
In 2014, hackers were able to use the credentials of three eBay employees to tap into the online marketplace's user database.
In the 229 days before the breach was discovered, the hackers gained access to the personal information of all eBay users. Names, addresses, birthdates and passwords were stolen.
The company assured consumers that credit card and other financial data was not compromised and urged users to change their account passwords.
Consumer accounts affected: 412.2 million
In October 2016, a hacker in Thailand launched a revenge attack on Adult FriendFinder, part of the Friend Finder Networks' family of adult content and casual meet-up websites.
The hack compromised the personal data and identities of millions of users, leaking their IP addresses, emails, online handles, addresses and more.
The breach was particularly troubling for users who were married or who worked in public positions — and left them open to potential extortion schemes.
2. Marriott International
Consumer accounts affected: 500 million
In 2018, Marriott International announced it had discovered a data breach that ran all the way back to 2014.
The breach began when the compromised systems were still being operated by the Starwood hotel company and remained in effect after the it was acquired by Marriott in 2016.
Some customers had personal information exposed, including contact information, passport numbers and travel details. More than 100 million customers also had their credit card information stolen.
Investigators suspect the hack was orchestrated by a Chinese intelligence group.
Consumer accounts affected: 3 billion
Yahoo was one of the internet’s first giants — but the brand was seriously tarnished after the company fell prey to the worst data breach in history.
As Yahoo was in the midst of being acquired by Verizon in 2016, executives revealed that Yahoo had suffered a number of data breaches in 2013 and 2014 that affected billions of user accounts.
The hack revealed users’ real names, email addresses, birthdays, phone numbers, passwords and security questions.
Because of the breaches, Verizon trimmed its purchase price for Yahoo by $350 million, to $4.48 billion.
More: Use Efani to protect your cell phone service with military-grade verification, encryption, and up to $5 million in insurance coverage.