Arctic Wolf Announces $150M Series F and $4.3B Valuation  READ  
Skip to main content

7 of the Largest Data Breaches of 2019

2018 was the most devastating year ever for cyber attacks...until 2019. 

For 365 days, it was an all-out-assault of data breaches. Hundreds of millions of people had their personal data stolen. Billions of dollars were lost. Businesses of every size were left defenseless. The danger spread across virtually every industry. Financial. Medical. Legal. Popular consumer websites. Even police departments weren't spared from the sinister tactics of hackers. 

When the dust settled, what organizations were left with were massive payouts, class action lawsuits, and damaged reputations. 

lines of code on a computer screen

We've compiled a free, full list of the top 20 data breaches, but here's a look at the the first seven biggest—and most harmful—data breaches of the year. Learn about records exposed, how many people were affected, and find out what types of attacks were responsible for the damage. 

The Largest Data Breaches of 2019:

#20: Texas Municipalities 

Industry: Government 

Impact: More than 20 municipalities 

Type: Ransomware/vendor breach 

More than 20 Texas municipalities fell victim to a one-day, coordinated ransomware attack, prompting a multi-agency response that included the FBI, FEMA, and Homeland Security. The attackers, who demanded a collective ransom of $2.5 million, used the REvil ransomware to compromise the software of a third-party vendor that provided remote infrastructure management services. 

#19: Tower Legal Solutions 

Industry: Legal 

Impact: 70 customers 

Type: Phishing/credentials compromise 

Tower Legal Solutions was one of several law firms that had a data breach in 2019. An attacker stole an employee's credentials during an email phishing attack and gained access to customer data. The firm discovered the attack after identifying unusual activity related to the employee's email. At least 67 customers in at least three states were impacted, according to data-breach disclosure filings with the offices of the attorney general in those states. 

#18: Virtual Care Provider, Inc. 

Industry: Healthcare/IT 

Impact: 110 nursing homes 

Type: Ransomware 

More than 100 nursing homes in 45 states were not able to access their patient records, order medication, or pay employees after their IT services company, Virtual Care Provider, Inc. (VCPI), fell victim to ransomware. About a fifth of VCPI's servers and 80,000 computers were affected by the Ryuk ransomware, spread by the TrickBot virus. Attackers demanded a $14 million bitcoin ransom. 

#17: Los Angeles Police Department 

Industry: Government 

Impact: 20,000 employees and candidates 

Type: Hacking 

A hacker who contacted the Los Angeles Policy Department claimed to have stolen personal data for 20,000 LAPD police officers, trainees, and recruits, as well as individuals in the candidate applicant program. The cyberattacker, who was not identified, said the information came from external sources and included names, emails, birthdates, and employment credentials. 

#16: U.S. Customs and Border Protection 

Industry: Government 

Impact: Fewer than 100,000 individuals 

Type: Hacking/third-party breach 

U.S. Customs and Border Protection traveler photographs and license plates were compromised due to a breach of a vendor. The vendor transferred the information to its servers without authorization and cyberattackers who breached the vendor's network gained access to the data. CBP said fewer than 100,000 individuals were affected. 

#15: Unknown Entity  

 Industry: Legal  

 Impact: 250,000 legal documents  

 Type: Misconfiguration  

 A database with more than 250,000 legal documents was left exposed online for about two weeks, accessible to anyone without a password. The documents related to cases from 2002 to 2010, and some were marked as “not for publication." The source of the documents is unknown, but the security researcher who made the discovery said it was likely a company providing litigation research or outsourced legal services.  

  #14: Oregon Department of Human Services  

 Industry: Healthcare/government  

 Impact: 645,000 customers  

 Type: Phishing/compromised credentials  

A phishing email campaign against the Oregon Department of Human Services (DHS) led to a data breach after nine employees clicked on the malicious link and exposed their user credentials. More than 645,000 DHS customers were affected. Compromised data included both personally identifiable information and protected health information. 

Discover More Top Breaches

We're not even halfway there!

We've compiled a full report of the top 20. There's 13 more entries to go, each one more devastating than the last. Download the full report, to discover even more of the largest data breaches of 2019.