Examining the Largest Data Breaches in History

    Examining the Largest Data Breaches in History and Their Cybercrime Toll

    Data breaches are a growing issue for both companies and their clients. There were 3,205 data breaches in the United States in 2023, over 1,400 more than a year before. In 2025, U.S. data breaches reached a record high with 3,322. That same year, the IC3 received 859,532 reports of online fraud resulting in damages eclipsing $16.6 billion, which is the highest on record.

    While they are not the only factor at play, these numbers suggest a correlation between data breaches and cyber extortion. Individuals can face difficulties extending far beyond the initial breaches, and companies can endure irreparable reputation damage and massive legal fees. As such, it is important for both consumers and corporations to examine past breaches to avoid the same mistakes.

    Bybit Breach (2025): The Biggest Cryptocurrency Breach in History

    The Bybit breach was a large-scale breach that proved extremely difficult to trace. Hackers quickly transferred the stolen funds into numerous accounts and wallet addresses, making it very challenging for the investigators to track and recover the assets.

    Scope of Impact

    Hackers from North Korea’s Lazarus Group, also known as TraderTraitor, stole around $1.5 billion in crypto. The attack surpassed all previous cryptocurrency breaches, including the $540 million Ronin Network hack in 2022 and the $600 million Poly Network breach in 2021.

    During a transfer from a cold (offline) wallet to a warm (online) wallet, the hackers intercepted the transaction and rerouted the funds to addresses they controlled using malicious JavaScript, immediately converting them to bitcoin and other assets. Using this technique, they obscured the transfer’s digital footprint behind a multi-signature transaction.

    The attack uncovered a weakness in the security standards of the third-party wallet system. Perpetrators used advanced social engineering and phishing tactics to obtain internal credentials and fraudulently authorize transactions.

    Effects and Ramifications

    Many people lost their hard-earned funds, and it broke their trust in the safety of the platform. It also highlighted Bybit’s need for secure third-party integration and advanced security protocols, such as multi-factor authentication.

    Stronger protocols are required for real-time monitoring. Additionally, an effective incident response plan is necessary to decrease operational disruption. Given the scale of financial loss and the difficulty in tracing stolen data, the role of digital forensics becomes critical in identifying attack vectors and supporting recovery efforts.

    Jaguar Land Rover (2025): Divulgence of Internal System and Employee Data

    In late August 2025, Jaguar Land Rover (JLR) suffered a major data breach that leaked gigabytes of sensitive documents, source code, and employee and partner data. The incident took place on the UK’s “New Plate Day,” incurring a significant financial loss as dealers could not register or deliver their vehicles to respective clients.

    Vector Scope

    The breach halted global production for weeks and affected almost 30,000 workers and thousands of suppliers. On top of the disruption, the hackers also exposed internal company files, source code, worker-related PII, and IT and operational systems.

    The hackers exploited weak login security, using Jira credentials that had been stolen by infostealer malware deployed during the operation. The group HELLCAT claimed responsibility for the attack. Phishing was one of the identifiable methods used.

    Researchers at the Cyber Monitoring Centre estimate that the total cost of the attack will reach £1.9 billion, which would make it the most economically damaging cyber event in UK history. Roughly 5,000 businesses were impacted.

    Resulting Impact

    The breach stopped global production for weeks, resulting in major financial losses. Since the attack compromised the PII for a lot of workers, it resulted in loss of trust in management, with some employees considering resigning. The company not only faced trust issues with their employees, but also their clients and partners.

    This failure highlighted the devastating consequences of stagnant IT and operational security, which allowed the attack to move through the network unchecked. In the aftermath, the company struggled with massive supply chain disruptions and the realization that unrestricted system access was a fatal flaw. They are now forced to rebuild with isolated network segments and continuous monitoring to prevent a repeat of this systemic collapse.

    Salesloft Drift (2025)

    Between August 8 and 18 of 2025, hackers compromised the third-party AI chatbot Salesloft Drift to target large volumes of data belonging to hundreds of businesses, including Cloudflare, Palo Alto Networks, and Zscaler.

    The attackers compromised the chatbot’s integrations and used them to mount a third-party supply chain attack: by exploiting these vendors, they gained indirect access to sensitive customer data.

    The Attack and its Effects

    Although the exact point of entry is still being analyzed, the breach managed to hit specific pockets of financial data and customer support logs. The intruders gained access to contact lists and support messages.

    The threat actors targeted Salesforce customer integrations using compromised authentication tokens. They then proceeded to export customer data, likely with the intent to harvest credentials and trade secrets. Google Threat Intelligence Group said it is aware of over 700 companies that were potentially impacted.

    Outcome Evaluation and Strategic Mitigation

    This incident is a textbook reminder that your security is only as tough as your least secure vendor. To plug these “weak link” gaps, companies have to get strict with “least-privilege” access for every third-party tool they plug in. It’s no longer optional to have a rigorous schedule for swapping out API keys and credentials. You have to stay ahead of the curve before a vendor’s mistake becomes your disaster.

    When a breach actually hits, the first move is always to wall off the compromised accounts and bring in a digital forensics team to map out exactly how the attackers got in. Rapidly informing customers is just as critical for maintaining trust. At the end of the day, forensics is the MVP here—it’s how you actually figure out where the credentials leaked, verify what was touched, and beef up your monitoring, so it doesn’t happen twice.
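The two controls the section above calls for, least-privilege scopes for every third-party integration and a fixed rotation schedule for its API keys and tokens, are easy to state and easy to let slip. The script below is an added example written for this article, not code from Digital Forensics Corp, Salesloft or any of the affected companies. It runs a policy check over a constructed inventory of vendor integrations (the names, vendors, dates and scope strings are hypothetical) and flags tokens that are past their rotation age, tokens that have gone unused long enough that they should be revoked, and integrations holding scopes beyond what their stated purpose needs.

```python
import json
from datetime import date

# Constructed inventory of third-party integrations and the tokens they hold.
# Names, vendors, dates and scope strings are hypothetical; this is not data
# from Salesloft, Drift or any customer.
INVENTORY_JSON = """
[
  {"name": "chat-widget", "vendor": "chatbot-vendor-A", "purpose": "chatbot",
   "token_issued_at": "2025-03-01", "last_used": "2025-08-30",
   "scopes": ["contacts:read", "conversations:write", "accounts:export"]},
  {"name": "reporting-sync", "vendor": "analytics-vendor-B", "purpose": "analytics",
   "token_issued_at": "2025-07-15", "last_used": "2025-07-20",
   "scopes": ["reports:read"]},
  {"name": "support-bot", "vendor": "chatbot-vendor-A", "purpose": "chatbot",
   "token_issued_at": "2025-08-01", "last_used": "2025-08-31",
   "scopes": ["contacts:read"]}
]
"""

# Hypothetical policy: how old a vendor token may get before it must be
# rotated, how long it may sit unused before it is revoked, and the maximum
# set of scopes each integration purpose is allowed to hold.
POLICY = {
    "max_token_age_days": 90,
    "max_idle_days": 30,
    "allowed_scopes": {
        "chatbot": {"contacts:read", "conversations:write"},
        "analytics": {"reports:read"},
    },
}


def load_inventory(text=INVENTORY_JSON):
    """Parse the integration inventory (JSON list of objects)."""
    return json.loads(text)


def audit_integrations(inventory, policy, today):
    """Check every integration against the policy.

    Returns {integration name: [(finding code, detail), ...]}; an empty list
    means the integration passed. `today` may be a date or an ISO date string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = {}
    for item in inventory:
        notes = []
        # Rotation schedule: a token older than the policy window must be swapped out.
        age_days = (today - date.fromisoformat(item["token_issued_at"])).days
        if age_days > policy["max_token_age_days"]:
            notes.append(("rotate-token", f"token issued {age_days} days ago"))
        # Dormant credentials are pure liability; revoke them rather than keep them.
        idle_days = (today - date.fromisoformat(item["last_used"])).days
        if idle_days > policy["max_idle_days"]:
            notes.append(("revoke-dormant", f"unused for {idle_days} days"))
        # Least privilege: scopes beyond what the integration's purpose needs.
        purpose = item["purpose"]
        if purpose not in policy["allowed_scopes"]:
            notes.append(("unknown-purpose", f"no scope policy defined for {purpose!r}"))
        allowed = policy["allowed_scopes"].get(purpose, set())
        excess = sorted(set(item["scopes"]) - allowed)
        if excess:
            notes.append(("reduce-scope", f"scopes beyond {purpose} needs: {excess}"))
        findings[item["name"]] = notes
    return findings


if __name__ == "__main__":
    # Constructed audit date for the sample inventory above.
    for name, notes in audit_integrations(load_inventory(), POLICY, "2025-09-01").items():
        print(name, "OK" if not notes else notes)
```

Run against the constructed inventory, `chat-widget` is flagged for both an overdue rotation and an export scope a chatbot does not need, `reporting-sync` is flagged as dormant, and `support-bot` passes. The point of keeping the policy as data is that the same check can be wired into a scheduled job so the "rigorous schedule" is enforced rather than remembered.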

    AT&T (2024): The Snowflake Cloud Exfiltration

    In 2024, AT&T disclosed one of the most expansive metadata breaches in telecommunications history. Unlike traditional hacks that target Social Security numbers, this breach focused on the “social graph” of nearly every cellular customer in the United States, revealing the intimate communication patterns of millions.

    The Attack

    The breach involved the illegal downloading of call and text logs belonging to approximately 109 million customer accounts. The data spanned a six-month period in 2022 and included records of who customers interacted with, the frequency of those interactions, and even cell tower identification numbers. While the content of the messages remained secure, the metadata was so sensitive that the Department of Justice twice delayed public notification, citing significant risks to national security. The hackers gained access through a third-party cloud environment provided by Snowflake, specifically targeting an AT&T workspace that lacked multi-factor authentication.

    The breach led to a wave of federal investigations and consolidated class-action lawsuits. By late 2024, AT&T agreed to a $177 million settlement to resolve claims related to this incident and a separate legacy data leak. Beyond the settlement, the company faced immense pressure to overhaul its third-party data retention policies. Many affected individuals reported a surge in sophisticated “smishing” (SMS phishing) attacks, as scammers used the stolen logs to impersonate trusted contacts. This event proved that even if “names” aren’t stolen, the mapping of a person’s private life is equally dangerous.

    McLaren Health Care (2023-2024): Revelation of Highly Sensitive Medical and Identity Data

    Modern cyberattacks have evolved beyond simple IT breaches. Hackers now target highly sensitive personal data, leading to severe privacy violations and long-term consequences for victims. McLaren Health Care in Michigan fell victim to two of these attacks within the span of a calendar year.

    Scope of Attack

    Between 2023 and 2024, McLaren Health Care was hit with two separate data breaches, collectively impacting more than 2.8 million patients and employees. Information accessed in the attacks included names, Social Security numbers, medical records, and payment data.

    The first was conducted by ALPHV/BlackCat from July 28, 2023, through August 23, 2023. The second attack, beginning on July 17, 2024, and lasting through August 3, 2024, was carried out by a group called Inc Ransom.

    The Aftermath and Consequences

    Many individuals were forced to rely on manually rectifying their medical records, which created difficulties and added stress during an already critical time. This situation not only made the process more complicated, but it also placed an additional burden on patients and healthcare providers.

    Moreover, McLaren Health Care remained unaware of the breach for weeks because it had failed to implement a continuous threat protection system. The institution agreed to a $14 million class-action settlement to resolve lawsuits from both the 2023 and 2024 breaches.

    MGM Resorts (2023): The Social Engineering Shutdown

    In a startling display of how “low-tech” methods can cause high-value damage, the MGM Resorts breach demonstrated that a single phone call could bring a multi-billion-dollar hospitality giant to its knees. This attack remains a benchmark for the devastating effectiveness of modern social engineering.

    Scope of Impact

    The attack was orchestrated by the Scattered Spider group, who reportedly used LinkedIn to identify an IT help desk employee and then called them, impersonating another staff member to reset a password. This simple entry allowed the group to deploy ransomware across the network.

    The resulting blackout was total: slot machines went dark, hotel guests were locked out of their rooms as digital keys failed, and the company’s website was replaced by an “offline” notice. The chaos lasted for over a week across major properties like the Bellagio, Mandalay Bay, and the Aria.

    Consequences

    MGM Resorts chose not to pay the ransom, which led to an estimated $100 million loss in a single quarter due to business interruption. This included $84 million in lost revenue and roughly $10 million in technology consulting and legal fees. While the company successfully defended its refusal to negotiate, the breach resulted in the theft of Social Security and passport numbers for an undisclosed number of customers.

    The incident served as a wake-up call for the casino industry, highlighting that even the most robust physical security is useless if the “human firewall” at the IT help desk can be bypassed with a phone call.

    Capital One (2019): The Cloud Data Misconfiguration

    Capital One experienced a data breach affecting over 100 million customers. The attack was carried out by a former Amazon employee who accessed customer data hosted on an Amazon Web Services cloud. The hacker gained access to personal information including names, addresses, credit data, and Social Security numbers. Individuals impacted included customers dating all the way back to 2005.

    The Breach and Its Technical Cause

    As mentioned, the Capital One breach was carried out by former Amazon employee Paige Thompson. She was able to access cloud storage by exploiting a misconfigured web application firewall.

    It was initially suspected that she used insider knowledge to circumvent security detection. However, Thompson actually employed server-side request forgery (SSRF), a well-known hacking strategy, to trick the already misconfigured firewall into running commands it should never have been permitted to run.

    The Importance of Cloud Security

    According to cybersecurity experts, the method used by Thompson to exploit vulnerabilities and gain unauthorized access to consumer data could be used to breach any organization that uses public storage clouds.

    Because of this, robust cloud security measures should be a mandatory practice for the networks of all companies. Careful consideration needs to go into the decision to use a public cloud storage provider, and regular penetration testing and security audits should be conducted.
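The SSRF technique described in the Capital One section works because a server-side component fetches whatever URL it is handed, including addresses inside its own network. The validator below is an added example written for this article (not Capital One, Amazon or DFC code) showing the check a server-side fetcher should run before following a user-supplied URL: only http(s), no embedded credentials, no raw IP literals, the hostname on an allow-list, and every address the name resolves to must be globally routable, which rules out loopback, RFC 1918 space and the link-local range where cloud metadata services live. The allow-list, the fake DNS table and every address in it are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames this service is permitted to fetch from. Constructed for the
# example; a real deployment loads its own list.
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}

# Constructed stand-in for DNS so the example runs offline. The "cdn" entry
# deliberately resolves into the link-local range to show the check firing.
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],          # a public address, standing in for the partner's
    "cdn.partner.example": ["169.254.169.254"],  # link-local: where cloud metadata services sit
}


class UnsafeUrl(ValueError):
    """Raised when a server-side fetch must be refused."""


def fake_resolver(host):
    """Offline resolver backed by the constructed FAKE_DNS table."""
    return FAKE_DNS.get(host, [])


def system_resolver(host):
    """Resolve a hostname to all of its A/AAAA records via the OS resolver."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_internal(addr):
    """True for any address a fetcher must never reach: loopback, private
    ranges, link-local, and anything else that is not globally routable."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # unwrap ::ffff:10.0.0.1 so the IPv4 rules apply
    return not ip.is_global


def check_outbound_url(url, resolver=system_resolver):
    """Validate a user-supplied URL before the server fetches it.

    Returns the resolved addresses that are safe to connect to, or raises
    UnsafeUrl. The caller should connect to one of the returned addresses
    (pinning it) instead of resolving the name again, so a DNS answer cannot
    change between the check and the connection.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeUrl("credentials embedded in URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise UnsafeUrl("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal; continue with the hostname checks
    else:
        raise UnsafeUrl("IP literals bypass the allow-list and are refused")
    if host not in ALLOWED_HOSTS:
        raise UnsafeUrl(f"host not on allow-list: {host}")
    addrs = resolver(host)
    if not addrs:
        raise UnsafeUrl(f"host did not resolve: {host}")
    internal = [a for a in addrs if is_internal(a)]
    if internal:
        raise UnsafeUrl(f"{host} resolves to non-routable address(es): {internal}")
    return addrs


def url_is_safe(url, resolver=system_resolver):
    """Boolean convenience wrapper around check_outbound_url."""
    try:
        check_outbound_url(url, resolver)
    except UnsafeUrl:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("https://api.partner.example/v1/report",
                      "https://cdn.partner.example/asset.js",
                      "http://169.254.169.254/",
                      "file:///etc/hosts"):
        print(candidate, "->", "allowed" if url_is_safe(candidate, fake_resolver) else "refused")
```

Two design notes. The allow-list is checked before resolution so that an attacker cannot reach an internal address by pointing an arbitrary external hostname at it; and the resolved addresses are returned to the caller rather than discarded, because a validator that resolves once and then lets the HTTP client resolve again leaves a window for the answer to change. In a cloud environment this check belongs alongside, not instead of, disabling or hardening the instance metadata endpoint and giving the web tier only the IAM permissions it needs.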

    Equifax (2017): The Credit Data Catastrophe

    Over the course of the first half of 2017, Equifax suffered a data breach that exposed the personally identifiable information of over 147 million American citizens. As one of the three credit bureaus in the country, their data contained information such as names, addresses, birth dates, driver’s license numbers, Social Security numbers, and credit card information.

    The Breach and Its Sensitivity

    Hackers exploited a vulnerability in software used by Equifax to initiate the breach. Equifax had two chances to patch this vulnerability. The first was when they were alerted to the outdated software by Homeland Security. A week later, an internal security scan failed to pick up the vulnerable version of the software. Action at this point would’ve come after the initial intrusion, but it would’ve helped mitigate the extent of the breach.

    The hackers initially attacked Equifax’s credit report dispute portal, giving them access to the data contained in these reports and an entry point to additional databases. Security measures were in place to encrypt this data, but Equifax failed to renew the certificate. This meant that the company was unaware of the extraction of data that could potentially lead to the identity theft and financial fraud of hundreds of millions of people.

    It was determined that four Chinese military-backed hackers carried out the attack, with many experts speculating that the motivation was espionage rather than extortion. Regardless, it was confirmed that sensitive credit information belonging to over 40% of the United States population was stolen, creating the potential for such criminal activity.

    In 2019, Equifax agreed to a settlement of at least $575 million that could potentially reach up to $700 million. The agreement included $300 million for their consumers with the potential to add an additional $125 million if needed. Additionally, $175 million was paid to the states and territories impacted, and $100 million to the CFPB.

    Equally as big as the settlement costs was the reputational damage sustained due to the breach. Equifax’s mishandling of the patching process was compounded by their erroneous handling after discovering the breach, which caused massive distrust.

    This included creating a new domain for information on the breach that resembled a phishing site, social media posts that directed to the wrong page, and language that implied consumers would waive their lawsuit rights if they checked to see if they were affected.

    Ashley Madison (2015): The Exposure of Infidelity 

    Likely the most well-covered data breach, adulterous dating platform Ashley Madison suffered a massive data breach in 2015 that compromised the private data of its roughly 37 million users. This included account data such as emails, phone numbers, addresses, transaction history, and activity on the platform. Additionally, the hackers published information regarding Ashley Madison’s company servers, employee network, and financial records. 

    The Breach and Its Impact

    The hacking group, going by the self-assigned “Impact Team” moniker, claimed the motivation of the breach was Ashley Madison’s falsely advertised “full delete” service. The company charged users a $19 fee to allegedly scrub the very data that was exfiltrated by the Impact Team.

    The taboo sentiment around the promiscuous activity of the platform’s participants resulted in severe blackmail and reputational damage for the individuals featured in the breach. Users ranging from public figures to everyday people faced public backlash and remain exposed to potential psychological and financial harm to this day.

    Many of these attacks were based around revealing the infidelity of users to their family, friends, or professional colleagues if certain demands were not met. The behavior engaged in on the platform makes sextortion scams seem more believable. In some instances, the spouses of users were contacted directly with extortion threats of exposing their partner’s behavior. 

    In 2017, Ashley Madison had to pay a settlement of $11.2 million to users of the website on top of being penalized $1.6 million by the FTC. On top of the financial loss, the company was required to discontinue their deceptive practices and develop a stronger security system. 

    As for users, the lambasting of their personal lives is long-lasting and potentially limitless. Many marriages and jobs ended because of the breach. Even five years later, users were bombarded with sextortion email scams in such high quantities that it made national headlines.

    Marriott (2014-2018): The Hotel Guest Data Leak

    Marriott suffered a data breach of the guest reservation system of their subsidiary chain, Starwood, which spanned the course of four years and dated back two years before the acquisition. The breach demonstrated both poor security standards by Starwood and a lack of due diligence on the part of Marriott prior to the merger.  

    The Scope of the Breach

    Initial estimates stated that the breach impacted 500 million customers, although Marriott would later update this figure to “less than 383 million”. The information accessed by hackers included names, addresses, emails, phone numbers, credit card information, and passport numbers. 

    The International Implications

    Many international travelers were forced to acquire new passports after the breach, some of which Marriott offered to pay for if they could prove their passport numbers had been used to carry out fraudulent activity. 

    Additionally, the international operations of the Starwood chain of hotels compounded the difficulty of the investigation, with numerous national intelligence agencies needing to cooperate.

    Yahoo (2013-2014): The Massive Account Compromise 

    Yahoo suffered two of the top ten data breaches of the 21st century within a two-year span, one of which took the top spot on that list. In 2013, an infiltration of Yahoo’s servers compromised the account data of all 3 billion active accounts at the time.

    The next year, Yahoo would again be the target of a data breach, this time a speculated state-sponsored attack that accessed the credentials of 500 million users. Yahoo would first publicly address this second breach nearly two years after discovery on September 22, 2016. Roughly three months later and three years after its occurrence, Yahoo reported the 2013 breach. 

    The Scale of the Breach

    The two breaches together impacted over 40% of the world’s population and went undisclosed for at least a year and a half after a potential network intrusion had been detected. Coincidentally, the announcement came months after an agreement was made to sell the company to Verizon, who claimed they were unaware of the breach until two days prior to the public announcement.

    The data leaked included names, emails, phone numbers, birthdates, passwords, security question answers, and unique cryptographic values assigned to each account. Yahoo’s investigation determined that credit and banking data was not compromised, but the breach provided cybercriminals with more than enough ammunition to carry out their attacks.

    With access to account emails and their corresponding cryptographic values, the hackers were able to generate cookies through an installed script, which granted them access to accounts regardless of whether they knew the passwords.
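The cookie-minting problem described above comes down to where the material needed to produce a valid session cookie lives: if everything required is sitting in the same user database that gets dumped, the dump is as good as a login. The code below is an added example for this article, not Yahoo’s design or DFC’s code, showing the defensive pattern: session cookies are signed with an HMAC key that exists only on the server side (in practice a secrets manager or HSM, assumed here), each cookie carries the id of the key that signed it, and rotating the key invalidates every cookie issued under the old one, forged or legitimate, in a single step. The account ids, secrets and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64e(raw):
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64d(text):
    """Inverse of b64e; raises ValueError (binascii.Error) on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionSigner:
    """Issues and verifies HMAC-SHA256 signed session cookies.

    The signing key is held only by the server (assumed to come from a secrets
    manager, never the user table), so a dump of per-account records does not
    contain what is needed to mint a cookie. Cookie format: base64(payload).base64(mac)
    """

    def __init__(self, key_id, key):
        self.keys = {key_id: key}  # key id -> secret bytes
        self.current = key_id

    def rotate(self, new_key_id, new_key, retire_old=True):
        """Switch to a new signing key. With retire_old=True every cookie minted
        under the previous key fails verification from this moment on; keep
        the old key only for a short, explicit grace period if needed."""
        if retire_old:
            self.keys = {}
        self.keys[new_key_id] = new_key
        self.current = new_key_id

    def issue(self, account_id, now, ttl_seconds=3600):
        """Mint a cookie for account_id valid until now + ttl_seconds (epoch seconds)."""
        payload = {"acct": account_id, "exp": now + ttl_seconds, "kid": self.current}
        body = b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
        mac = hmac.new(self.keys[self.current], body.encode(), hashlib.sha256).digest()
        return f"{body}.{b64e(mac)}"

    def verify(self, cookie, now):
        """Return the account id for a valid, unexpired cookie; None otherwise."""
        try:
            body, mac_text = cookie.split(".", 1)
            payload = json.loads(b64d(body))
            presented = b64d(mac_text)
        except (ValueError, UnicodeDecodeError):
            return None
        if not isinstance(payload, dict):
            return None
        key = self.keys.get(payload.get("kid"))
        if key is None:                      # signed with a retired or unknown key
            return None
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):   # constant-time compare
            return None
        exp = payload.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None
        return payload.get("acct")


def demo():
    """Walk through the scenarios and return the verification results."""
    now = 1_000_000                          # constructed epoch timestamp
    server = SessionSigner("k1", b"constructed-server-secret-1")
    legit = server.issue("acct-42", now)
    body, mac = legit.split(".")
    # Attacker rewrites the payload to another account but cannot recompute the MAC.
    tampered_body = b64e(json.dumps(
        {"acct": "acct-1", "exp": now + 3600, "kid": "k1"},
        separators=(",", ":"), sort_keys=True).encode())
    # Attacker who has the account table but not the server key guesses a key.
    attacker = SessionSigner("k1", b"guessed-key")
    results = {
        "legit": server.verify(legit, now + 60),
        "tampered": server.verify(f"{tampered_body}.{mac}", now + 60),
        "wrong_key": server.verify(attacker.issue("acct-42", now), now + 60),
        "expired": server.verify(legit, now + 3600),
        "garbage": server.verify("not-a-cookie", now + 60),
    }
    server.rotate("k2", b"constructed-server-secret-2")
    results["after_rotation"] = server.verify(legit, now + 60)
    results["reissued"] = server.verify(server.issue("acct-42", now + 60), now + 120)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:>15}: {outcome}")
```

The `kid` field is what makes rotation operational rather than theoretical: the server can tell which key a cookie claims and reject anything signed under a retired one without parsing further. Pairing this with a per-account session version (bumped on password reset) lets one user’s sessions be invalidated without rotating the key for everyone, which is the response a breach like this calls for.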

    Extortion and Phishing Campaigns

    The FBI believes the second breach was initiated through a spear phishing attack targeting Yahoo employee credentials. Furthermore, one of the hackers used the extracted contact information from at least 30 million users to perpetuate further spam and phishing schemes.

    Additionally, the stolen data was sold on the dark web. This perpetuates the threat of further phishing attacks and expands the potential for extortion of the victims, even if they took the necessary action to secure their Yahoo accounts. 

    Prevention and Mitigation

    Whether a data breach has occurred or you’ve avoided them to this point, preventative action is paramount. Integrating a high-level cybersecurity strategy into your business model can save the reputation and finances of both you and your clients.

    • Strengthening Data Security: Organizations need to invest heavily into both their prevention and reaction systems in place for data breaches. Proper data encryption, access controls, and regular security audits can ensure your security is as strong as possible. However, a breach can happen to even the most secure system, so having a robust response plan can help prevent damage to clients, reputation, and finances. 
    • Educating Users About Phishing and Extortion: Security systems are only as sufficient as the individuals working within them. One user can compromise the networks of multiple corporations simply by clicking the wrong attachment in an email. Therefore, it is as important to conduct regular training on phishing and extortion tactics as it is to invest in and continually update your security software. 
    • Working with Law Enforcement: Working in coordination with law enforcement can better position you to successfully mitigate a data breach and follow the proper response regulations to limit litigation costs. An example of the consequences of not doing so can be seen in the Equifax case, in which Homeland Security’s assistance was rejected and the resulting response was heavily scrutinized and resulted in massive settlement costs.
    • Consulting Cybersecurity Professionals: Cybersecurity firms can help you investigate and document a data breach, discover the vulnerabilities in your system, and develop a response plan. While this may be your first experience with this kind of cyberattack, these organizations specialize in detecting, containing, and preventing breaches. 

    The Evolving Landscape 

    As new technology releases and becomes more accessible to the general public, the ability to commit large-scale cybercrime becomes more widespread. With programs such as hacking kits available online, anyone with a device can exploit system vulnerabilities. 

    Just as the advancement of technology sparks the development of new criminal strategies, it also enables cybersecurity professionals such as the ones at DFC to better uncover their illicit activities.

    DFC can help both companies and consumers deal with the fallout of a data breach. We can contain the initial breach, discover which points were exploited, and prevent future attacks through ongoing monitoring and regular auditing. Additionally, we can scour the internet to find any areas where client data may have been exposed and assist with removal. 

    If you’ve suffered a data breach, had your personal information compromised in a breach, or want to position yourself to prevent a future breach, DFC has you covered. Reach out to our Cybercrime Helpline today to speak with one of our specialists and see how we can support you. 

    FAQ

    What is the largest data breach in history?

    The 2013 Yahoo breach still takes the crown for volume, with all 3 billion accounts hit. That said, we are now seeing “mega-leaks” like the 2024 Mother of All Breaches (MOAB), which consolidated 26 billion records from thousands of previous hacks into one massive, terrifying database.

    What is the biggest data breach in history regarding financial damage?

    The 2017 Equifax breach is still the one that keeps security pros up at night. Because it leaked Social Security numbers and credit profiles for 147 million Americans—data you can’t just “reset”—it basically gave hackers a permanent skeleton key to the U.S. financial system.

    Which of the largest companies faced a data breach recently?

    Lately, the headlines have been dominated by AT&T (losing metadata for 109 million users), Ticketmaster (affecting over 500 million fans), and Cloudflare, which got blindsided by a supply chain attack through its own vendors.

    How do supply chain attacks actually work?

    Think of it as a “backdoor” entry. Instead of kicking in the front door of a giant like Cloudflare, hackers hit a smaller, less-secure partner like Salesloft or Drift. Once they’re in the partner’s system, they use those “trusted” connections to slide right into the main target’s network.

    Why was the 2025 Bybit breach such a big deal?

    It was a total gamechanger because of the $1.5 billion price tag. It proved that groups like Lazarus can now trick “secure” systems into approving fake transactions in real-time. It’s a wake-up call that crypto security needs to evolve, and fast.

    What should I do if my data is caught in a leak?

    First, don’t panic, but move quickly. Change your passwords and lock down your accounts with hardware-based multi-factor authentication, if possible. For massive hits like McLaren or Equifax, you absolutely have to freeze your credit. If you’re running a business that’s been hit, you need a forensic team like Digital Forensics Corp to find the “patient zero” device before the hackers double back.

    DISCLAIMER: THIS POST IS FOR INFORMATIONAL PURPOSES ONLY AND IS NOT TO BE CONSIDERED LEGAL ADVICE ON ANY SUBJECT MATTER. DIGITAL FORENSICS CORP. IS NOT A LAWFIRM AND DOES NOT PROVIDE LEGAL ADVICE OR SERVICES. By viewing posts, the reader understands there is no attorney-client relationship, the post should not be used as a substitute for legal advice from a licensed professional attorney, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation.