These are the worst hacks, cyberattacks, and data breaches of 2019

A slew of hacks, data breaches, and attacks tainted the cybersecurity landscape in 2019.
Written by Charlie Osborne, Contributing Writer

The blight of cyberattacks, criminal hacking groups, and data breaches is not going away anytime soon.

For the past few years, there has been a constant stream of data breaches that have hit the headlines, ranging from the theft of medical information, account credentials, corporate emails, and internal sensitive enterprise data. 

When a data breach occurs, companies will usually haul in third-party investigators, notify regulators, promise to do better and give any impacted consumers free credit monitoring -- but we've reached a stage where you should consider signing up to such services anyway, given how much of our information is now available in data dumps strewn all over the internet. (Consider using Have I Been Pwned to check if you've been involved in a breach.)

The reasons a cyberattack or data breach occur vary. In some cases, such as Equifax, the failure to patch a known vulnerability that has the potential to impact software or libraries in use -- and in a reasonable timeframe -- has serious repercussions. 

In others, unsecured databases left exposed to the internet may be the problem, zero-day vulnerabilities may be exploited in the wild before fixes are available, or in some of the worst cases, an organization or individual may be targeted by state-sponsored advanced persistent threat (APT) groups with substantial resources and tools at their disposal. 

According to IBM's latest annual Cost of a Data Breach study, the average data breach now costs up to $3.92 million when you take into account notification costs, expenses associated with investigation, damage control, and repairs, as well as regulatory fines and lawsuits. These costs have increased by 12% over the past five years. 

The long-term damage of a security incident may not be so apparent. Wall Street does not look upon them kindly and the public disclosure of a data breach can lead to the average share price of a company falling by 7.27% on disclosure, with low share value and growth underperformance a reality for years afterward. 

FireEye estimates that under half of organizations are ready to face a cyberattack or data breach. 

Below, we take a look at the most interesting and largest data breaches, hacks, and cyberattacks that have taken place over 2019. 


10 worst hacks and data breaches of 2019 (in pictures)


  • Ministry of Health HIV registry: In Singapore, the Ministry of Health admitted to a data breach exposing the confidential and highly sensitive records of over 14,000 individuals diagnosed with HIV. This information was then leaked online. 
  • Apple FaceTime: A Fortnite player found a bug in Apple iOS that allowed users to eavesdrop on an iPhone's environment by calling but without it being answered. It may have also been possible to view live video feeds. 
  • Oklahoma Department of Securities: A server belonging to the Oklahoma Department of Securities containing terabytes of confidential government data, including FBI investigation records and sensitive government files, was exposed to the internet and was found through the Shodan search engine.
  • Del Rio ransomware: The City of Del Rio, in Texas, was forced to go back to pen-and-paper systems after City Hall servers were rendered useless by a ransomware infection.
  • Town of Salem: Town of Salem developer BlankMediaGames said the personal details of 7.6 million users were stolen. Multiple backdoors were removed from company systems. 


  • Cabrini Hospital: A ransomware infection locked up 15,000 patient files, with operators demanding payment in return for a decryption key.
  • VFEmail: Privacy email provider VFEmail suffered a catastrophic cyberattack in which a hacker destroyed data on its main and backup systems. At the time, rumors surfaced of the provider shutting down due to the damage, but VFEmail is currently in recovery.
  • UConn: Unauthorized access to employee email accounts compromised roughly 326,000 patients. The data leak may have included Social Security numbers.
  • The wrong tax forms: In a blunder of ridiculous proportions, the State of Ohio sent 9,000 tax forms, inaccurate and containing the wrong PII, to the wrong people.
  • UW Medicine: UW Medicine revealed the existence of an open database, available to anyone with a browser, that had been leaking patient data and PII since December 2018. Close to one million individuals were embroiled in the security lapse.
  • Medical advice calls: In Sweden, recordings of roughly 2.7 million calls made to a Swedish national health service hotline were stored in an open server. Some phone numbers, connected to the recordings, were also available.
  • 620 million accounts: 620 million accounts harvested from 16 websites owned by companies including Dubsmash, Armor Games, 500px, Whitepages, and ShareThis were put up for sale in the Dark Web.
  • Tax documents lost: Approximately 42,000 students from Salt Lake Community College were told their tax information was lost after a USB drive containing this sensitive data fell out of an envelope.


  • Tornado sirens: Ahead of a major storm, two Texan cities were forced to pull tornado warning systems offline after a threat actor compromised them and set off over 30 false alarms. 
  • Hacked ASUS software: A campaign called Operation ShadowHammer targeted the ASUS Live Update Utility to compromise thousands of PCs.
  • Facebook, Facebook Lite and Instagram: Hundreds of millions of users may have been impacted by shoddy password storage management by Facebook, in which account credentials were stored in plaintext. 
  • Legal documents: 250,000 legal documents, some marked "not designated for publication," were stored on an open database exposed online for at least two weeks.
  • Student admissions files: A hacker allegedly compromised admissions databases belonging to three colleges, offering the chance for impacted students to buy their admissions file for one Bitcoin.
  • FEMA: FEMA accidentally exposed the PII and financial information of 2.3 million disaster victims, including those who survived Hurricane Harvey and Irma.
  • Vengeance: A sacked IT admin torched 23 servers belonging to his ex-employer.

Europol’s top hacking ring takedowns


  • Inmediata Health Group: Inmediata Health Group began notifying patients of a security incident in which the personal and medical data of clients may have been exposed. The issue was caused due to website misconfiguration that allowed internal webpages to be indexed by public search engines. It is believed up to 1.5 million individuals may have been affected. 
  • Facebook records: 540 million Facebook-related records, collected by two third-party companies, were found exposed and open to the world on AWS servers. Names, IDs, some passwords, likes, photos, groups joined, and more were leaked.
  • Georgia Tech: A web application with wide-open access compromised the security of 1.3 million records belonging to current and former Georgia Institute of Technology employees and students.
  • Toyota: Japanese automaker Toyota revealed a data breach in April that took place at sales subsidiaries and dealerships. "Unauthorized access" to systems may have exposed client data.
  • Facebook, in plaintext: Facebook admitted to storing the passwords of millions of Instagram users in plaintext.
  • Evite: Evite admitted to a data breach in which user data was sold as part of a wider dump in the Dark Web.
  • Pregnant women: A leaky server belonging to an Indian government healthcare agency exposed over 12.5 million records relating to pregnant women.
  • Docker: Docker warned that a threat actor obtained access to a database containing sensitive data belonging to 190,000 user accounts.


  • Canva: Australian tech unicorn Canva was targeted by the GnosticPlayers, which claimed to have stolen records belonging to 139 million users including names and email addresses in order to flog the data on the Dark Web.
  • First American Financial Corp.: Real estate giant FAFC leaked hundreds of millions of insurance documents dating back to 2003. Bank account numbers, statements, mortgage and tax records, and more were openly available on the internet.
  • Major hotel chains: 85GB in hotel security logs belonging to major hotel chains were exposed online due to a third-party management provider.
  • Burger King: Close to 40,000 customer records for Kool King Shop, specifically designed for kids, were left open for the world to see through a leaky database. 
  • Git repositories: A hacker wiped GitHub repositories and demanded a ransom. Source code was removed and a threat was made to release everything to the public.
  • Lunchtime: Rivalry between two Bay Area school lunch companies eventually spilled out into cyberwarfare, with an executive from one firm being arrested for allegedly hacking the other's website and illegally obtaining student data. 


  • American Medical Collection Agency(AMCA): Unauthorized access to a database led to the exposure of medical data belonging to roughly 20 million individuals. The information leak also impacted other companies including LabCorp and Quest Diagnostics.
  • Smartphone backdoors: Four entry-level smartphone models were found to be pre-loaded with backdoor malware.
  • Tech Data Corp.: The Fortune 500 company owned an open database containing 264GB of data relating to client servers, invoices, SAP integrations, and plain-text passwords.


The worst cyberattacks undertaken by nation-state hackers


  • Equifax: Equifax settled with regulators over the theft of records belonging to 146 million customers in 2017 for $700 million. A $300 million fund was set up for customers to claim up to $125 in compensation -- together with an additional $150 million -- or free credit monitoring was on offer. Less than a week later, the FTC practically begged consumers to take up the credit monitoring offer instead, as too many would reduce monetary claims. 
  • Capital One: Capital One disclosed a data breach impacting 100 million US citizens and 6 million individuals in Canada. A configuration vulnerability in a database was responsible for the exposure of PII from 2005 to 2019.
  • Los Angeles police department: The Los Angeles' Personnel Department was subject to a data breach after a hacker claimed to have stolen the PII of 2,500 serving LAPD officers, trainees, and recruits, and data belonging to roughly 17,500 Candidate Applicant program enrollees. 
  • Facebook: Facebook settled with the FTC for a record $5 billion to settle lawsuits launched following the Cambridge Analytica privacy scandal.
  • Banks: Bangladesh, India, Sri Lanka, and Kyrgyzstan banks were hit in quick succession by 'Silence' hackers, allegedly stealing millions of dollars in the process.
  • Dominion National: Virginia-based health insurer and services company Dominion National revealed a 10-year-long data breach caused by an unsecured server. The records of 2.9 million members may have been compromised.


  • Choice Hotels: An unsecured database containing roughly 700,000 customer records was accessed by an unknown threat actor and a ransom note placed on the server, demanding Bitcoin in return for the stolen data.
  • Biometric database leak: A biometrics database used by the UK Metropolitan Police, banks, and enterprise companies leaked millions of records.
  • SIM-swapper jailed: A British teenager was sentenced to 20 months behind bars for offering data theft and SIM-swapping services as a hacker-for-hire.
  • 3Fun: A mobile application used to find willing participants for threesomes was found to be a "privacy trainwreck" by researchers that could be manipulated to hone in on the specific locations of individuals. The app claims to cater to 1.5 million active users.
  • Major dating apps: Three dating applications, Grindr, Romeo, and Recon, were also found to contain security flaws that led to the exposure of a user's location.
  • Asurion: Asurion Insurance bowed to hacker demands and forked out $300,000 to an attacker who claimed he had stolen roughly 1TB of private information belonging to thousands of employees and over a million customers.
  • Cybercrime in space: A NASA astronaut was accused of monitoring her estranged spouse from space including accessing a bank account allegedly without permission.



  • DK-LOK: An unsecured AWS database belonging to South Korean industrial manufacturer DK-LOK exposed confidential emails and communication between the company and its clients. Efforts by researchers and ZDNet to have the leak closed via email were sent to the trash bin, an activity viewable due to the open bucket.
  • Ecuador: Another open, misconfigured database leaked the personal data of Ecuador's citizens. It is believed most of the country's citizens -- in total, roughly 20 million -- were impacted.
  • DoorDash: Close to five million customers of DoorDash were embroiled in a data leak. An unauthorized third-party accessed the PII of customers, drivers, and merchants. Approximately 100,000 driver licenses were also stolen and the last four digits of payment cards were exposed.


  • Yahoo: Yahoo launched a compensation fund for those who owned a Yahoo account between 2012 and 2016. Between these dates, hackers were able to access every Yahoo account in existence and steal names, email addresses, telephone numbers, dates of birth, passwords, and security question answers.
  • UniCredit: Italian bank UniCredit said a single, compromised file dating back to 2015 exposed three million customer records, including their names, telephone numbers, email addresses, and cities of residence.
  • Tū Ora Compass Health: Tū Ora Compass Health, a primary healthcare organization in New Zealand, revealed the leak of personal data belonging to one million people, potentially including names, dates of birth, ethnicity, and addresses. The PHO isn't sure if data was stolen but said it was "assuming the worst."
  • Adobe: Adobe left the details of 7.5 million Adobe Creative Cloud customers on an unsecured database exposed online without authentication credentials being required for access. 
  • 20 million Russians: Over 20 million tax records belonging to Russian citizens were contained in an open database, available online. Information leaked spanned 2009 to 2016.
  • Avast: Avast said an internal security breach, caused by compromised employee credentials, aimed to insert malware into CCleaner.
  • Nikkei: A Nikkei employee was scammed by threat actors into transferring $29 million to a bank account. The hackers pretended to be a management executive. 

See also: 


  • OnePlus: A vulnerability in the smartphone vendor's website paved the way for attackers to obtain access to records of past customer orders, including names, telephone numbers, email addresses, and shipping details. 
  • Facebook: The social networking giant revealed a privacy breach in which roughly 100 developers were given access to profile data they shouldn't have. 
  • Trend Micro: A rogue employee of the cybersecurity firm stole personal information belonging to support customers, including names, email addresses, support ticket numbers, and some telephone numbers, later selling this information on to scammers. 
  • PayMyTab: An open AWS database belonging to the mobile payment service was found by researchers, exposing customer names, email addresses, telephone numbers, order details, restaurant visit records, and the last four digits of payment cards.
  • T-Mobile: T-Mobile revealed a data breach impacting prepaid service customers. Unauthorized access exposed names, billing addresses, phone numbers, account numbers, and plans.
  • UK Labour Party: The UK Labour Party was subject to multiple distributed denial-of-service (DDoS) attacks flooding both the party's website and campaign tools. 
  • Macy's: US retailer Macy's revealed a week-long Magecart attack impacting e-commerce customers. It is not known how many customers were impacted, but the card-skimming code found in the firm's payment portal and wallet service stole payment card details. 
  • Disney+: Only hours after the service launched, the Disney+ content streaming service was compromised and underground traders began offering accounts on hacking forums. 
  • 1.2 million records leaked: An unsecured database was found by researchers that contained 1.2 million records of individuals including their email addresses, employers, locations, job titles, names, phone numbers, and social media profiles.

The FBI's most wanted cybercriminals


  • Politician by day, hacker by night: On Christmas eve, a Dutch politician will be sentenced for being part of the "fappening" movement in 2014. The politician is accused of compromising the iCloud accounts of roughly 100 women and leaking explicit photos and videos online.
  • Mixcloud: Data belonging to approximately 21 million Mixcloud users went up for sale on the Dark Web.
  • New Zealand's gun buyback: New Zealand's gun buyback scheme, launched following mass shootings in Christchurch, was subject to a data breach caused by human error at SAP. SAP developed a custom platform for licensees to register their weapons before turning them in. 
  • Nebraska Medical Center: An insider managed to access a database without permission that contained patient data including names, addresses, dates of birth, social security numbers, and test results. The employee was immediately fired.
  • Reveton: A 25-year-old computer science student was issued a demand for restitution amounting to £270,000 -- and a Rolex -- following the award of a six-year jail term for distributing Reveton ransomware. If he fails to pay up, he will spend longer behind bars. 
  • New Orleans: the city of New Orleans grappled with a cyberattack, forcing officials to shut down computer systems and disconnect from Wi-Fi. Ransomware was to blame. 
  • RSA certificates: Researchers found that IoT devices with poor entropy were contributing to a massive problem in encryption standards -- in which one in every 172 active keys could be broken. 
  • Epilepsy Foundation: The Epilepsy Foundation filed criminal complaints against Twitter users uploading seizure-inducing videos to YouTube in response to tweets and hashtags. 
  • LifeLabs: LifeLabs paid hackers to recover the data of 15 million account holders. In addition, 85,000 lab result records were compromised.
  • Stand in line: Over 38,000 students and staff members at Justus Liebig University (JLU), in Germany, were asked to queue to receive a new password following a malware infection. 
  • Unroll.me: The FTC settled a case with email cleanup service Unroll.me. The agency alleged that Unroll.me was not transparent in how user data was accessed, stored, and sold on to third-party services. 
  • Insider trading: A former Palo Alto Networks IT administrator was charged by US law enforcement for allegedly running an insider trading ring, using his privileges and credentials to tip-off others to likely changes in the stock market. 
  • The Dark Overlord: A member of "The Dark Overlord" hacking group was extradited to the United States. 
  • Extreme cyberstalking: A man from Florida was sentenced to over five years in prison for cyberstalking and threatening a former high school classmate.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards