{"id":10405,"date":"2025-04-02T17:59:23","date_gmt":"2025-04-02T17:59:23","guid":{"rendered":"https:\/\/www.digitalforensics.com\/blog\/?p=10405"},"modified":"2025-04-28T21:32:31","modified_gmt":"2025-04-28T21:32:31","slug":"largest-data-breaches-in-history","status":"publish","type":"post","link":"https:\/\/www.digitalforensics.com\/blog\/extortion\/largest-data-breaches-in-history\/","title":{"rendered":"Examining the Largest Data Breaches in History and Their Cybercrime Toll"},"content":{"rendered":"\n

Data breaches are a growing issue for both companies and their clients. There were 3,205 data breaches<\/a> in the United States in 2023, over 1,400 more than a year before. In 2025, U.S. data breaches<\/a> reached a record high with 3,322. That same year, the IC3 received 859,532 reports of online fraud resulting in damages eclipsing $16.6 billion<\/a>, which is the highest on record.<\/p>\n\n\n\n

While they are not the only factor at play, these numbers suggest a correlation between data breaches and cyber extortion<\/a>. Individuals can face difficulties extending far beyond the initial breaches, and companies can endure irreparable reputation damage and massive legal fees. As such, it is important for both consumers and corporations to examine past breaches to avoid the same mistakes.<\/p>\n\n\n\n

<\/span>Bybit Breach (2025): The Biggest Cryptocurrency Breach in History<\/span><\/h2>\n\n\n\n

The Bybit breach<\/a> was a large-scale breach that proved extremely difficult to trace. Hackers quickly transferred the stolen funds into numerous accounts and wallet addresses, making it very challenging for the investigators to track and recover the assets.<\/p>\n\n\n\n

<\/span>Scope of Impact<\/span><\/h3>\n\n\n\n

Hackers from North Korea\u2019s Lazarus Group, also known as TraderTraitor, stole around $1.5 billion<\/strong> in crypto. The attack surpassed all previous cryptocurrency breaches, including the $540 million Ronin Network hack in 2022 and the $600 million Poly Network breach in 2021.<\/p>\n\n\n\n

During a transfer from cold (offline) to warm (online) wallet, hackers interrupted and rerouted the funds to their controlled addresses using malicious JavaScript, immediately converting them to bitcoin and other assets. Using this technique, they obscured the transfer\u2019s digital footprint behind a multi-signature transaction.<\/p>\n\n\n\n

The attack uncovered a weakness in the security standards of the third-party wallet system. Perpetrators used advanced social engineering<\/a> and phishing tactics to obtain internal credentials and fraudulently authorize transactions.<\/p>\n\n\n\n

<\/span>Effects and Ramifications<\/span><\/h3>\n\n\n\n

Many people lost their hard-earned funds, and it broke their trust in the safety of the platform. It also highlighted Bybit\u2019s need for secure third-party integration and advanced security protocols, such as multi-factor authentication.<\/p>\n\n\n\n

Stronger protocols are required for real-time monitoring. Additionally, an effective incident response plan is necessary to decrease operational disruption. Given the scale of financial loss and the difficulty in tracing stolen data, the role of digital forensics<\/a> becomes critical in identifying attack vectors and supporting recovery efforts.<\/p>\n\n\n\n

<\/span>Jaguar Land Rover (2025): Divulgence of Internal System and Employee Data<\/span><\/h2>\n\n\n\n

In late August 2025, Jaguar Land Rover (JLR)<\/a> suffered a major data breach that leaked gigabytes of sensitive documents, source code, and employee and partner data. The incident took place on the UK\u2019s \u201cNew Plate Day,\u201d incurring a significant financial loss as dealers could not register or deliver their vehicles to respective clients.<\/p>\n\n\n\n

<\/span>Vector Scope<\/span><\/h3>\n\n\n\n

The breach halted global production for weeks and affected almost 30,000<\/strong> workers and thousands of suppliers. On top of disruption, the hackers also exposed internal company files, source codes, worker-related PII, and IT & operational systems.<\/p>\n\n\n\n

The hackers exploited the weak login security and stole Jira<\/strong> credentials via infostealer malware featured in the operation. HELLCAT<\/strong> took responsibility for the attack. One of the identifiable methods used in the attack was phishing.<\/p>\n\n\n\n

Researchers at the Cyber Monitoring Centre estimate that the total cost of the attack will reach \u00a31.9 billion, which would make it the most economically damaging cyber event in UK history. Roughly 5,000 businesses were impacted.<\/p>\n\n\n\n

<\/span>Resulting Impact<\/span><\/h3>\n\n\n\n

The breach stopped global production for weeks, resulting in major financial losses. Since the attack compromised the PII for a lot of workers, it resulted in loss of trust in management, with some employees considering resigning. The company not only faced trust issues with their employees, but also their clients and partners.<\/p>\n\n\n\n

This failure highlighted the devastating consequences of stagnant IT and operational security, which allowed the attack to move through the network unchecked. In the aftermath, the company struggled with massive supply chain disruptions and the realization that unrestricted system access was a fatal flaw. They are now forced to rebuild with isolated network segments and continuous monitoring to prevent a repeat of this systemic collapse.<\/p>\n\n\n\n

<\/span>Salesloft Drift (2025)<\/span><\/h2>\n\n\n\n

Between August 8 and 18 of 2025, hackers compromised the third-party AI chatbot Salesloft Drift<\/a> to target large volumes of data belonging to hundreds of businesses, including Cloudflare, Palo Alto Networks, and Zscaler.<\/p>\n\n\n\n

The attackers hacked the services, using them for a third-party supply chain attack. By exploiting these vendors, attackers gained indirect access to sensitive customer data.<\/p>\n\n\n\n

<\/span>The Attack and its Effects<\/span><\/h3>\n\n\n\n

Although the exact point of entry is still being analyzed, the breach managed to hit specific pockets of financial data and customer support logs. The intruders gained access to contact lists and support messages.<\/p>\n\n\n\n

The threat actors targeted Salesforce customer integrations using compromised authentication tokens. They then proceeded to export customer data, likely with the intent to harvest credentials and trade secrets. Google Threat Intelligence Group said it is aware of over 700 companies that were potentially impacted.<\/p>\n\n\n\n

<\/span>Outcome Evaluation and Strategic Mitigation<\/span><\/h3>\n\n\n\n

This incident is a textbook reminder that your security is only as tough as your least secure vendor. To plug these “weak link” gaps, companies have to get strict with “least-privilege” access for every third-party tool they plug in. It\u2019s no longer optional to have a rigorous schedule for swapping out API keys and credentials. You have to stay ahead of the curve before a vendor’s mistake becomes your disaster.<\/p>\n\n\n\n

When a breach actually hits, the first move is always to wall off the compromised accounts and bring in a digital forensics team to map out exactly how the attackers got in. Rapidly informing customers is just as critical for maintaining trust. At the end of the day, forensics is the MVP here\u2014it\u2019s how you actually figure out where the credentials leaked, verify what was touched, and beef up your monitoring, so it doesn’t happen twice.<\/p>\n\n\n\n

<\/span>AT&T (2024): The Snowflake Cloud Exfiltration<\/span><\/h2>\n\n\n\n

In 2024, AT&T disclosed one of the most expansive metadata breaches in telecommunications history. Unlike traditional hacks that target Social Security numbers, this breach focused on the “social graph” of nearly every cellular customer in the United States, revealing the intimate communication patterns of millions.<\/p>\n\n\n\n

<\/span>The Attack<\/span><\/h3>\n\n\n\n

The breach involved the illegal downloading of call and text logs belonging to approximately 109 million customer accounts. The data spanned a six-month period in 2022 and included records of who customers interacted with, the frequency of those interactions, and even cell tower identification numbers. While the content of the messages remained secure, the metadata was so sensitive that the Department of Justice twice delayed public notification, citing significant risks to national security. The hackers gained access through a third-party cloud environment provided by Snowflake, specifically targeting an AT&T workspace that lacked multi-factor authentication.<\/p>\n\n\n\n