JANUARY:
• Travelex: Travelex services were pulled offline following a malware infection. The company itself and businesses using the platform to provide currency exchange services were all affected.
• IRS tax refunds: A US resident was jailed for using information leaked through data breaches to file fraudulent tax returns worth $12 million.
• Manor Independent School District: The Texas school district lost $2.3 million during a phishing scam.
• Wawa: 30 million records containing customers' details were made available for sale online.
• Microsoft: The Redmond giant disclosed that five servers used to store anonymized user analytics were exposed and open on the Internet without adequate protection.
• Medical marijuana: A database backing point-of-sale systems used in medical and recreational marijuana dispensaries was compromised, impacting an estimated 30,000 US users.
FEBRUARY:
• Estée Lauder: 440 million internal records were reportedly exposed due to middleware security failures.
• Denmark's government tax portal: The taxpayer-identification numbers of 1.26 million Danish citizens were accidentally exposed.
• DOD DISA: The Defense Information Systems Agency (DISA), which handles IT for the White House, admitted to a data breach potentially compromising employee records.
• UK Financial Conduct Authority (FCA): The FCA released sensitive information belonging to roughly 1,600 consumers by accident as part of an FOIA request.
• Clearview: Clearview AI's entire client list was stolen due to a software vulnerability.
• General Electric: GE warned workers that an unauthorized individual was able to access information belonging to them due to security failures with supplier Canon Business Process Service.
MARCH:
• T-Mobile: A hacker gained access to employee email accounts, compromising data belonging to customers and employees.
• Marriott: The hotel chain suffered a cyberattack in which email accounts were infiltrated. 5.2 million hotel guests were impacted.
• Whisper: The anonymous secret-sharing app exposed millions of users' private profiles and datasets online.
• UK Home Office: GDPR was breached 100 times in the handling of the Home Office's EU Settlement Scheme.
• SIM-swap hacking rings: Europol made arrests across Europe, taking out SIM-swap hackers responsible for the theft of over €3 million.
• Virgin Media: The company exposed the data of 900,000 users through an open marketing database.
• Whisper: Millions of users' private profiles and datasets were left exposed online for the world to see.
• MCA Wizard: 425GB in sensitive documents belonging to financial companies was publicly accessible through a database linked to the MCA Wizard app.
• NutriBullet: NutriBullet became a victim of a Magecart attack, with payment card skimming code infecting the firm's e-commerce store.
• Marriott: Marriott disclosed a new data breach impacting 5.2 million hotel guests.
APRIL:
• US Small Business Administration (SBA): Up to 8,000 applicants for emergency loans were embroiled in a PII data leak.
• Nintendo: 160,000 users were affected by a mass account hijacking campaign.
• Email.it: The Italian email provider failed to protect the data of 600,000 users, leading to its sale on the Dark Web.
• Nintendo: Nintendo said 160,000 users were impacted by a mass account hijacking campaign caused by the NNID legacy login system.
• US Small Business Administration (SBA): The SBA revealed as many as 8,000 business emergency loan applicants were involved in a data breach.
MAY:
• EasyJet: The budget airline revealed a data breach exposing data belonging to nine million customers, including some financial records.
• Blackbaud: The cloud service provider was hit by ransomware operators who hijacked customer systems. The company later paid a ransom to stop client data from being leaked online.
• Mitsubishi: A data breach suffered by the company potentially also resulted in confidential missile design data being stolen.
• Toll Group: The logistics giant was hit by a second ransomware attack in three months.
• Pakistani mobile users: Data belonging to 44 million Pakistani mobile users was leaked online.
• Illinois: The Illinois Department of Employment Security (IDES) leaked records concerning citizens applying for unemployment benefits.
• Wishbone: 40 million user records were published online by the ShinyHunters hacking group.
• EasyJet: An £18 billion class-action lawsuit was launched to compensate customers impacted by a data breach in the same month.
JUNE:
• Amtrak: Customer PII was leaked and some Amtrak Guest Rewards accounts were accessed by hackers.
• University of California SF: The university paid a $1.14 million ransom to hackers in order to save COVID-19 research.
• AWS: AWS mitigated a massive 2.3 Tbps DDoS attack.
• Postbank: A rogue employee at the South African bank obtained a master key and stole $3.2 million.
• NASA: The DopplePaymer ransomware gang claimed to have breached a NASA IT contractor's networks.
• Claire's: The accessories company fell prey to a card-skimming Magecart infection.
JULY:
• CouchSurfing: 17 million records belonging to CouchSurfing were found on an underground forum.
• University of York: The UK university disclosed a data breach caused by Blackbaud. Staff and student records were stolen.
• MyCastingFile: A US casting platform for actors exposed the PII of 260,000 users.
• SigRed: Microsoft patched a 17-year-old vulnerability that could be used to hijack Microsoft Windows Servers.
• MGM Resorts: A hacker put the records of 142 million MGM guests online for sale.
• V Shred: The PII of 99,000 customers and trainers was exposed online and V Shred only partially resolved the problem.
• BlueLeaks: Law enforcement closed down a portal used to host 269 GB in stolen files belonging to US police departments.
• EDP: The energy provider confirmed a Ragnar Locker ransomware incident. Over 10TB in business records were apparently stolen.
• MongoDB: A hacker attempted to ransom 23,000 MongoDB databases.
AUGUST:
• Cisco: A former engineer pleaded guilty to causing massive amounts of damage to Cisco networks, costing the company $2.4 million to fix.
• Canon: The photography giant was struck by ransomware gang Maze.
• LG, Xerox: Maze struck again, publishing data belonging to these companies after failing to secure blackmail payments.
• Intel: 20GB of sensitive corporate data belonging to Intel was published online.
• The Ritz, London: Fraudsters posed as staff in a clever phishing scam against Ritz clients.
• Freepik: The free photos platform disclosed a data breach impacting 8.3 million users.
• University of Utah: The university gave in to cybercriminals and paid a $457,000 ransom to stop the group from publishing student information.
• Experian, South Africa: Experian's South African branch disclosed a data breach impacting 24 million customers.
• Carnival: The cruise operator disclosed a ransomware attack and subsequent data breach.
SEPTEMBER:
• Nevada: A Nevada school hit by a ransomware attack refused to pay the cybercriminals, and student data was published online in retaliation.
• German hospital ransomware: A hospital patient passed away after being redirected away from a hospital suffering an active ransomware infection.
• Belarus law enforcement: The private information of 1,000 high-ranking police officers was leaked.
• NS8: The CEO of the cyberfraud prevention startup was accused of defrauding investors out of $123 million.
• Satellites: Iranian hackers were charged with compromising US satellites.
• Cerberus: The developers of the Cerberus banking Trojan released the malware's source code after failing to sell it privately.
• BancoEstado: The Chilean bank was forced to close down branches due to ransomware.
OCTOBER:
• Barnes & Noble: The bookseller experienced a cyberattack, believed to be the handiwork of the ransomware group Egregor. Stolen records were leaked online as proof.
• UN IMO: The United Nations International Maritime Organization (UN IMO) disclosed a security breach affecting public systems.
• Boom! Mobile: The telecom service provider became the victim of a Magecart card-skimming attack.
• Google: Google said it mitigated a 2.54 Tbps DDoS attack, one of the largest ever recorded.
• Dickey's: The US barbeque restaurant chain suffered a point-of-sale attack between July 2019 and August 2020. Three million customers had their card details later posted online.
• Ubisoft, Crytek: Sensitive information belonging to the gaming giants was released online by the Egregor ransomware gang.
• Amazon insider trading: A former Amazon finance manager and their family were charged with running a $1.4 million insider trading scam.
NOVEMBER:
• Manchester United: Manchester United football club said it was investigating a security incident impacting internal systems.
• Vertafore: 27.7 million Texas drivers' PII was compromised due to "human error."
• Campari: Campari was knocked offline following a ransomware attack.
• $100 million botnet: A Russian hacker was jailed for operating a botnet responsible for draining $100 million from victim bank accounts.
• Mashable: A hacker published a copy of a Mashable database online.
• Capcom: Capcom became a victim of the Ragnar Locker ransomware, disrupting internal systems.
• Home Depot: The US retailer agreed to a $17.5 million settlement after a PoS malware infection impacted millions of shoppers.