JANUARY:
-
Travelex: Travelex services were pulled offline following a malware infection. The company itself and businesses using the platform to provide currency exchange services were all affected.
-
IRS tax refunds: A US resident was jailed for using information leaked through data breaches to file fraudulent tax returns worth $12 million.
-
Manor Independent School District: The Texas school district lost $2.3 million during a phishing scam.
-
Wawa: 30 million records containing customers' details were made available for sale online.
-
Microsoft: The Redmond giant disclosed that five servers used to store anonymized user analytics were exposed and open on the Internet without adequate protection.
-
Medical marijuana: A database backing point-of-sale systems used in medical and recreational marijuana dispensaries was compromised, impacting an estimated 30,000 US users.
FEBRUARY:
-
Estée Lauder: 440 million internal records were reportedly exposed due to middleware security failures.
-
Denmark's government tax portal: The taxpayer-identification numbers of 1.26 million Danish citizens were accidentally exposed.
-
DOD DISA: The Defense Information Systems Agency (DISA), which handles IT for the White House, admitted to a data breach potentially compromising employee records.
-
UK Financial Conduct Authority (FCA): The FCA released sensitive information belonging to roughly 1,600 consumers by accident as part of an FOIA request.
-
Clearview: Clearview AI's entire client list was stolen due to a software vulnerability.
-
General Electric: GE warned workers that an unauthorized individual was able to access information belonging to them due to security failures with supplier Canon Business Process Service.
MARCH:
-
T-Mobile: A hacker gained access to employee email accounts, compromising data belonging to customers and employees.
-
Marriott: The hotel chain suffered a cyberattack in which email accounts were infiltrated. 5.2 million hotel guests were impacted.
-
Whisper: The anonymous secret-sharing app exposed millions of users' private profiles and datasets online.
-
UK Home Office: GDPR was breached 100 times in the handling of the Home Office's EU Settlement Scheme.
-
SIM-swap hacking rings: Europol made arrests across Europe, taking out SIM-swap hackers responsible for the theft of over €3 million.
-
Virgin Media: The company exposed the data of 900,000 users through an open marketing database.
-
Whisper: Millions of users' private profiles and datasets were left exposed online for the world to see.
-
MCA Wizard: 425GB in sensitive documents belonging to financial companies was publicly accessible through a database linked to the MCA Wizard app.
-
NutriBullet: NutriBullet became a victim of a Magecart attack, with payment card skimming code infecting the firm's e-commerce store.
-
Marriott: Marriott disclosed a new data breach impacting 5.2 million hotel guests.
APRIL:
-
US Small Business Administration (SBA): Up to 8,000 applicants for emergency loans were embroiled in a PII data leak.
-
Nintendo: 160,000 users were affected by a mass account hijacking campaign.
-
Email.it: The Italian email provider failed to protect the data of 600,000 users, leading to its sale on the Dark Web.
-
Nintendo: Nintendo said 160,000 users were impacted by a mass account hijacking campaign caused by the NNID legacy login system.
-
US Small Business Administration (SBA): The SBA revealed as many as 8,000 business emergency loan applicants were involved in a data breach.
MAY:
-
EasyJet: The budget airline revealed a data breach exposing data belonging to nine million customers, including some financial records.
-
Blackbaud: The cloud service provider was hit by ransomware operators who hijacked customer systems. The company later paid a ransom to stop client data from being leaked online.
-
Mitsubishi: A data breach suffered by the company may also have resulted in confidential missile design data being stolen.
-
Toll Group: The logistics giant was hit by a second ransomware attack in three months.
-
Pakistani mobile users: Data belonging to 44 million Pakistani mobile users was leaked online.
-
Illinois: The Illinois Department of Employment Security (IDES) leaked records concerning citizens applying for unemployment benefits.
-
Wishbone: 40 million user records were published online by the ShinyHunters hacking group.
-
EasyJet: An £18 billion class-action lawsuit was launched to compensate customers impacted by a data breach in the same month.
JUNE:
-
Amtrak: Customer PII was leaked and some Amtrak Guest Rewards accounts were accessed by hackers.
-
University of California SF: The university paid a $1.14 million ransom to hackers in order to save COVID-19 research.
-
AWS: AWS mitigated a massive 2.3 Tbps DDoS attack.
-
Postbank: A rogue employee at the South African bank obtained a master key and stole $3.2 million.
-
NASA: The DopplePaymer ransomware gang claimed to have breached a NASA IT contractor's networks.
-
Claire's: The accessories company fell prey to a card-skimming Magecart infection.
JULY:
-
CouchSurfing: 17 million records belonging to CouchSurfing were found on an underground forum.
-
University of York: The UK university disclosed a data breach caused by Blackbaud. Staff and student records were stolen.
-
MyCastingFile: A US casting platform for actors exposed the PII of 260,000 users.
-
SigRed: Microsoft patched a 17-year-old vulnerability that could be used to hijack Microsoft Windows Servers.
-
MGM Resorts: A hacker put the records of 142 million MGM guests online for sale.
-
V Shred: The PII of 99,000 customers and trainers was exposed online and V Shred only partially resolved the problem.
-
BlueLeaks: Law enforcement closed down a portal used to host 269 GB in stolen files belonging to US police departments.
-
MongoDB: A hacker attempted to ransom 23,000 MongoDB databases.
AUGUST:
-
Cisco: A former engineer pleaded guilty to causing massive amounts of damage to Cisco networks, costing the company $2.4 million to fix.
-
Canon: The photography giant was struck by ransomware gang Maze.
-
LG, Xerox: Maze struck again, publishing data belonging to these companies after failing to secure blackmail payments.
-
Intel: 20GB of sensitive corporate data belonging to Intel was published online.
-
The Ritz, London: Fraudsters posed as staff in a clever phishing scam against Ritz clients.
-
Freepik: The free photos platform disclosed a data breach impacting 8.3 million users.
-
University of Utah: The university gave in to cybercriminals and paid a $457,000 ransom to stop the group from publishing student information.
-
Experian, South Africa: Experian's South African branch disclosed a data breach impacting 24 million customers.
-
Carnival: The cruise operator disclosed a ransomware attack and subsequent data breach.
SEPTEMBER:
-
German hospital ransomware: A hospital patient passed away after being redirected away from a hospital suffering an active ransomware infection.
-
Belarus law enforcement: The private information of 1,000 high-ranking police officers was leaked.
-
NS8: The CEO of the cyberfraud startup was accused of defrauding investors out of $123 million.
-
Satellites: Iranian hackers were charged with compromising US satellites.
-
Cerberus: The developers of the Cerberus banking Trojan released the malware's source code after failing to sell it privately.
-
BancoEstado: The Chilean bank was forced to close down branches due to ransomware.
OCTOBER:
-
Barnes & Noble: The bookseller experienced a cyberattack, believed to be the handiwork of the ransomware group Egregor. Stolen records were leaked online as proof.
-
UN IMO: The United Nations International Maritime Organization (UN IMO) disclosed a security breach affecting public systems.
-
Boom! Mobile: The telecom service provider became the victim of a Magecart card-skimming attack.
-
Google: Google said it mitigated a 2.54 Tbps DDoS attack, one of the largest ever recorded.
-
Dickey's: The US barbeque restaurant chain suffered a point-of-sale attack between July 2019 and August 2020. Three million customers had their card details later posted online.
-
Ubisoft, Crytek: Sensitive information belonging to the gaming giants was released online by the Egregor ransomware gang.
-
Amazon insider trading: A former Amazon finance manager and their family were charged for running a $1.4 million insider trading scam.
NOVEMBER:
-
Manchester United: Manchester United football club said it was investigating a security incident impacting internal systems.
-
Campari: Campari was knocked offline following a ransomware attack.
-
$100 million botnet: A Russian hacker was jailed for operating a botnet responsible for draining $100 million from victim bank accounts.
-
Mashable: A hacker published a copy of a Mashable database online.
-
Capcom: Capcom became a victim of the Ragnar Locker ransomware, disrupting internal systems.
-
Home Depot: The US retailer agreed to a $17.5 million settlement after a PoS malware infection impacted millions of shoppers.
-
Embraer: The Brazilian aerospace company was struck by a cyberattack leading to data theft.
DECEMBER:
-
Leonardo SpA: Italian police arrested suspects believed to have stolen up to 10GB in sensitive corporate and military data from the defence contractor.
-
Flight Centre: A 2017 hackathon launched by the company was found to be the source of a leak involving credit card records and passport numbers belonging to close to 7,000 people.
-
Vancouver TransLink: A ransomware attack disrupted Compass metro cards and Compass ticketing kiosks for two days.
-
HMRC: The UK tax office was branded 'incompetent' due to 11 serious data breaches impacting close to 24,000 people.
-
FireEye: FireEye disclosed a cyberattack, suspected to be the work of a nation-state group. The cybersecurity firm said the hack resulted in penetration tools being stolen.