The Biggest Data Breaches of 2024

Published on 02 Jan 2025

Every year, organizations around the globe face cybersecurity threats, yet many fail to implement adequate defenses. As we reflect on 2024, it becomes clear that preventable breaches continue to dominate headlines, exposing sensitive information and shaking public trust. From healthcare giants to tech titans, this year's security incidents reveal a troubling pattern of oversight, delayed responses, and misplaced blame.

1. 23andMe: Blaming Users for a Massive Breach

Genetic testing company 23andMe experienced one of the most significant breaches of the year, compromising the personal data of nearly 7 million users. Hackers accessed accounts through brute-force attacks and scraped additional data from linked profiles. The damage was exacerbated by the lack of multi-factor authentication (MFA), which the company only introduced after the breach.

Instead of accepting responsibility, 23andMe shifted the blame onto its users, accusing them of poor account security practices. This finger-pointing approach drew widespread criticism, including from lawyers representing affected customers who called it "nonsensical." Regulatory bodies in the UK and Canada subsequently launched investigations into the incident.

By the end of the year, the company faced additional turmoil, laying off 40% of its workforce amid financial uncertainty.

2. Change Healthcare: A Catastrophic Blow to U.S. Healthcare

Change Healthcare, a major healthcare billing and insurance processor in the U.S., became the target of a devastating ransomware attack. The breach disrupted healthcare services nationwide, delaying treatments, prescription refills, and billing operations.

The hackers exploited an unprotected user account lacking MFA, accessing vast amounts of private health information. Despite paying a $22 million ransom, Change Healthcare remained under attack, ultimately having to negotiate with multiple hacking groups.

It took seven months for the company to confirm that over 100 million Americans had their health data compromised, marking one of the largest healthcare data breaches in history.

3. Synnovis: A Ripple Effect on the UK’s NHS

In June, pathology services provider Synnovis suffered a ransomware attack that paralyzed healthcare services across southeast London. Thousands of appointments and over 1,700 surgeries were canceled as hospitals struggled to maintain critical services without access to vital lab systems.

Experts believe the breach could have been prevented with MFA. Staff endured months of stress, working long hours without functional systems. The ransomware group Qilin claimed responsibility for leaking 400GB of sensitive patient data, including health records and test results.

4. Snowflake: A Domino Effect of Customer Breaches

Cloud data giant Snowflake became the common denominator in high-profile breaches affecting AT&T, Santander Bank, and Ticketmaster. Hackers used credentials stolen from third-party employees and exploited Snowflake's failure to enforce MFA by default.

In response, Snowflake rolled out MFA mandates to prevent similar incidents in the future. However, the damage had been done, with vast amounts of customer data exposed across multiple sectors.

5. Columbus, Ohio: Silencing a Security Researcher

When Columbus, Ohio, experienced a cyberattack, city officials claimed stolen data was unusable due to encryption. However, a security researcher uncovered evidence showing otherwise, including exposed Social Security numbers, arrest records, and information about vulnerable populations.

Instead of addressing the issue transparently, the city filed an injunction against the researcher, preventing him from sharing findings. The lawsuit was later dropped, but the incident highlighted how organizations sometimes prioritize secrecy over accountability.

6. Salt Typhoon: Exploiting Telecom Backdoors

A 30-year-old U.S. law known as CALEA, which requires telecom providers to maintain wiretap systems for law enforcement, became a vulnerability in 2023. Chinese-backed hacker group Salt Typhoon exploited these systems, gaining real-time access to calls, messages, and metadata belonging to high-ranking officials and political candidates.

In response, the U.S. government recommended using end-to-end encryption for sensitive communications to prevent unauthorized surveillance.

7. MoneyGram: A Lack of Transparency

In September, global money transfer service MoneyGram was hit by a cyberattack, causing service outages and exposing sensitive customer data, including Social Security numbers and transaction details.

Despite acknowledging the breach, MoneyGram failed to disclose how many customers were affected. Regulators in the UK confirmed they received breach reports from the company, signaling the scale of the incident was significant.

8. Hot Topic: Silence Amidst a Massive Leak

Hot Topic suffered a breach affecting 57 million customers, marking one of the largest retail breaches in history. Exposed data included email addresses, phone numbers, physical addresses, and partial credit card details.

Shockingly, the company neither publicly acknowledged the breach nor notified affected customers. Cybersecurity watchdog Have I Been Pwned stepped in to alert those impacted, filling the transparency gap left by Hot Topic.

Bonus Incidents Worth Mentioning

  • AT&T: After months of denial, AT&T admitted that a dataset containing 73 million customer records indeed originated from its systems. Account passcodes exposed in the breach forced AT&T to reset millions of customer credentials.
  • Cybersecurity Firms Fined: Avaya, Check Point, Mimecast, and Unisys collectively paid $6.9 million in SEC fines for downplaying breaches tied to the SolarWinds espionage campaign.
  • pcTattletale: A spyware app provider deleted all stolen data instead of notifying victims, further compounding privacy violations.
  • Brainstack (mSpy): A breach exposed emails and documentation linking the Ukrainian company Brainstack to the spyware app mSpy. Brainstack attempted to silence data hosts with takedown notices but failed.
  • Evolve Bank: After a LockBit ransomware attack exposed sensitive financial data from 7.6 million customers, the bank threatened legal action against a journalist who reported on the breach.

The Common Thread: Preventable Failures

What stands out across these breaches is a recurring pattern: poor authentication practices, delayed transparency, and misguided priorities. Multi-factor authentication remains an essential security baseline, yet many organizations still fail to enforce it adequately.

Moreover, a lack of timely communication following breaches worsens public trust and regulatory fallout.

Conclusion: Lessons Still Unlearned

Cybersecurity is no longer optional—it’s a fundamental responsibility. Companies must prioritize robust authentication, transparent communication, and swift incident response protocols. As we move into 2024, these incidents serve as a stark reminder: failure to prepare is preparation for failure.

Organizations need to learn from these mistakes to avoid repeating them. Cyber resilience isn't just about preventing attacks but also about responding to them responsibly when they occur. Hopefully, next year's cybersecurity review won't feel like a rerun of preventable disasters.


