January 2021


  • Leonardo SpA: Italian police arrested suspects believed to have stolen up to 10GB in sensitive corporate and military data from the defence contractor. 

  • Flight Centre: A 2017 hackathon launched by the company was found to be the source of a leak involving credit card records and passport numbers belonging to close to 7,000 people. 

  • Vancouver TransLink: A ransomware attack disrupted Compass metro cards and Compass ticketing kiosks for two days. 

  • HMRC: The UK tax office was branded 'incompetent' due to 11 serious data breaches impacting close to 24,000 people.

  • FireEye: FireEye disclosed a cyberattack, suspected to be the work of a nation-state group. The cybersecurity firm said the hack resulted in penetration tools being stolen. 


  • Manchester United: Manchester United football club said it was investigating a security incident impacting internal systems.

  • Campari: Campari was knocked offline following a ransomware attack.

  • $100 million botnet: A Russian hacker was jailed for operating a botnet responsible for draining $100 million from victim bank accounts. 

  • Mashable: A hacker published a copy of a Mashable database online.

  • Capcom: Capcom became a victim of the Ragnar Locker ransomware, disrupting internal systems.

  • Home Depot: The US retailer agreed to a $17.5 million settlement after a PoS malware infection impacted millions of shoppers.

  • Embraer: The Brazilian aerospace company was struck by a cyberattack leading to data theft.

OCTOBER 2020  

  • Barnes & Noble: The bookseller experienced a cyberattack, believed to be the handiwork of the ransomware group Egregor. Stolen records were leaked online as proof. 

  • UN IMO: The United Nations International Maritime Organization (UN IMO) disclosed a security breach affecting public systems.

  • Boom! Mobile: The telecom service provider became the victim of a Magecart card-skimming attack.

  • Google: Google said it mitigated a 2.54 Tbps DDoS attack, one of the largest ever recorded.

  • Dickey's: The US barbeque restaurant chain suffered a point-of-sale attack between July 2019 and August 2020. Three million customers had their card details later posted online.  

  • Ubisoft, Crytek: Sensitive information belonging to the gaming giants was released online by the Egregor ransomware gang.

  • Amazon insider trading: A former Amazon finance manager and their family were charged for running a $1.4 million insider trading scam.


  • German hospital ransomware: A hospital patient passed away after being redirected away from a hospital suffering an active ransomware infection.

  • Belarus law enforcement: The private information of 1,000 high-ranking police officers was leaked. 

  • NS8: The CEO of the cyberfraud startup was accused of defrauding investors out of $123 million.

  • Satellites: Iranian hackers were charged for compromising US satellites. 

  • Cerberus: The developers of the Cerberus banking Trojan released the malware's source code after failing to sell it privately. 

  • BancoEstado: The Chilean bank was forced to close down branches due to ransomware.

AUGUST 2020 

  • Cisco: A former engineer pleaded guilty to causing massive amounts of damage to Cisco networks, costing the company $2.4 million to fix.

  • Canon: The photography giant was struck by ransomware gang Maze.

  • LG, Xerox: Maze struck again, publishing data belonging to these companies after failing to secure blackmail payments.

  • Intel: 20GB of sensitive, corporate data belonging to Intel was published online.

  • The Ritz, London: Fraudsters posed as staff in a clever phishing scam against Ritz clients.

  • Freepik: The free photos platform disclosed a data breach impacting 8.3 million users. 

  • University of Utah: The university gave in to cybercriminals and paid a $457,000 ransom to stop the group from publishing student information.

  • Experian, South Africa: Experian's South African branch disclosed a data breach impacting 24 million customers. 

  • Carnival: The cruise operator disclosed a ransomware attack and subsequent data breach.

JULY 2020

  • CouchSurfing: 17 million records belonging to CouchSurfing were found on an underground forum.

  • University of York: The UK university disclosed a data breach caused by Blackbaud. Staff and student records were stolen.

  • MyCastingFile: A US casting platform for actors exposed the PII of 260,000 users.

  • SigRed: Microsoft patched a 17-year-old exploit that could be used to hijack Microsoft Windows Servers.

  • MGM Resorts: A hacker put the records of 142 million MGM guests online for sale.

  • V Shred: The PII of 99,000 customers and trainers was exposed online and V Shred only partially resolved the problem.

  • BlueLeaks: Law enforcement closed down a portal used to host 269 GB in stolen files belonging to US police departments.

  • MongoDB: A hacker attempted to ransom 23,000 MongoDB databases.

JUNE 2020 

  • Amtrak: Customer PII was leaked and some Amtrak Guest Rewards accounts were accessed by hackers.

  • University of California SF: The university paid a $1.14 million ransom to hackers in order to save COVID-19 research.

  • AWS: AWS mitigated a massive 2.3 Tbps DDoS attack. 

  • Postbank: A rogue employee at the South African bank obtained a master key and stole $3.2 million.

  • NASA: The DopplePaymer ransomware gang claimed to have breached a NASA IT contractor's networks. 

  • Claire's: The accessories company fell prey to a card-skimming Magecart infection.

MAY 2020

  • EasyJet: The budget airline revealed a data breach exposing data belonging to nine million customers, including some financial records.

  • Blackbaud: The cloud service provider was hit by ransomware operators who hijacked customer systems. The company later paid a ransom to stop client data from being leaked online.

  • Mitsubishi: A data breach suffered by the company potentially also resulted in confidential missile design data being stolen.

  • Toll Group: The logistics giant was hit by a second ransomware attack in three months. 

  • Pakistani mobile users: Data belonging to 44 million Pakistani mobile users was leaked online.

  • Illinois: The Illinois Department of Employment Security (IDES) leaked records concerning citizens applying for unemployment benefits.

  • Wishbone: 40 million user records were published online by the ShinyHunters hacking group.

  • EasyJet: An £18 billion class-action lawsuit was launched to compensate customers impacted by a data breach in the same month.

APRIL 2020

  • US Small Business Administration (SBA): Up to 8,000 applicants for emergency loans were embroiled in a PII data leak.

  • Nintendo: 160,000 users were affected by a mass account hijacking campaign.

  • Email.it: The Italian email provider failed to protect the data of 600,000 users, leading to its sale on the Dark Web.

  • Nintendo: Nintendo said 160,000 users were impacted by a mass account hijacking account caused by the NNID legacy login system.

  • US Small Business Administration (SBA): The SBA revealed as many as 8,000 business emergency loan applicants were involved in a data breach.

MARCH 2020 

  • T-Mobile: A hacker gained access to employee email accounts, compromising data belonging to customers and employees. 

  • Marriott: The hotel chain suffered a cyberattack in which email accounts were infiltrated. 5.2 million hotel guests were impacted. 

  • Whisper: The anonymous secret-sharing app exposed millions of users' private profiles and datasets online.

  • UK Home Office: GDPR was breached 100 times in the handling of the Home Office's EU Settlement Scheme.

  • SIM-swap hacking rings: Europol made arrests across Europe, taking out SIM-swap hackers responsible for the theft of over €3 million.

  • Virgin Media: The company exposed the data of 900,000 users through an open marketing database.

  • Whisper: Millions of users' private profiles and datasets were left, exposed and online, for the world to see.

  • MCA Wizard: 425GB in sensitive documents belonging to financial companies was publicly accessible through a database linked to the MCA Wizard app.

  • NutriBullet: NutriBullet became a victim of a Magecart attack, with payment card skimming code infecting the firm's e-commerce store.

  • Marriott: Marriott disclosed a new data breach impacting 5.2 million hotel guests.


  • Estée Lauder: 440 million internal records were reportedly exposed due to middleware security failures. 

  • Denmark's government tax portal: The taxpayer-identification numbers of 1.26 million Danish citizens were accidentally exposed.

  • DOD DISA: The Defense Information Systems Agency (DISA), which handles IT for the White House, admitted to a data breach potentially compromising employee records.

  • UK Financial Conduct Authority (FCA): The FCA released sensitive information belonging to roughly 1,600 consumers by accident as part of an FOIA request.

  • Clearview: Clearview AI's entire client list was stolen due to a software vulnerability.

  • General Electric: GE warned workers that an unauthorized individual was able to access information belonging to them due to security failures with supplier Canon Business Process Service.


  ● Travelex: Travelex services were pulled offline following a malware infection. The company itself and businesses using

     the platform to provide currency exchange services were all affected.

  • IRS tax refunds: A US resident was jailed for using information leaked through data breaches to file fraudulent tax returns worth $12 million. 

  • Manor Independent School District: The Texas school district lost $2.3 million during a phishing scam.

  • Wawa: 30 million records containing customers' details were made available for sale online. 

  • Microsoft: The Redmond giant disclosed that five servers used to store anonymized user analytics were exposed and open on the Internet without adequate protection.

  • Medical marijuana: A database backing point-of-sale systems used in medical and recreational marijuana dispensaries was compromised, impacting an estimated 30,000 US users.