Top 10 Most Expensive Data Breaches in History

In 2024, the average cost of a data breach in the U.S. was $9.36 million, while the global average was $4.88 million. The growing number of cyberattacks on businesses has reached alarming levels, with companies of all sizes at risk. 

The most challenging reality of data breaches is their financial implications. Lost revenue, reputational damage, fines, and settlements cost a lot of money. What was the worst data breach in history? Below, we explore the top 10 most expensive data breaches in history and the various impacts these attacks have had on global organizations.

10 most costly data breaches worldwide

Wondering which is the most expensive data breach? We’ve created a list of notable data breaches in descending order. To compile and rank the data, we looked at various factors, including the number of users and accounts affected, financial costs, legal fees, and the overall impact the incident had on an organization.

1. NotPetya/ExPetr — $10 billion

NotPetya, also known as ExPetr, is the largest and most expensive data breach to date. The ransomware attack occurred in 2017, when cybercriminals spread malware through compromised, widely used accounting software. This attack affected thousands of organizations worldwide, with some estimates that it affected businesses worldwide.

The financial implications of the breach included:

  • $10 billion in direct damages, recovery costs, and lost revenue.
  • Compromised global businesses, government systems, banks, and energy companies.

2. TJX Companies — $4.5 billion

In 2005 and 2007, TJX Companies experienced one of the most notable hacking incidents involving cybercriminals stealing sensitive customer data, such as personal identification information. The second most expensive data breach affected around 45 million credit and debit card accounts, and the hackers were able to access this information for over 18 months before the company discovered the breach.

The estimated financial cost of the breach to TJX was $4.5 billion. This included:

  • Legal fees, fines, and remediation efforts.
  • Loss of sales from customers, which negatively impacted the company’s stock price.
  • Additional fees in settlements.

3. Epsilon — $4 billion

In 2011, Epsilon, a marketing services company, experienced a significant data breach that involved the Secret Service. Cybercriminals attacked the company’s database and unlawfully acquired customer records. Some of its biggest clients included Best Buy, Target, and JP Morgan Chase. 

The financial implications of the $4 billion breach included:

4. Equifax — more than $1.4 billion

Equifax experienced a massive data breach in 2017, affecting approximately 147 million user accounts. Cyberattackers stole sensitive personal information from the company’s database, such as social security numbers (SSNs), driver’s license numbers, birth dates, and addresses.

The financial implications of the 4th most expensive data breach included:

  • A settlement of at least $1.4 billion in consumer class action. 
  • A settlement of $575 million — and potentially up to $700 million — with the Federal Trade Commission (FTC) and other agencies related to the breach.
  • $5 billion loss in market value after the breach due to Equifax’s stock price falling.

[Chart: the top 10 most expensive data breaches ever, including the year of each breach and its estimated cost]

5. Meta — $725 million

Facebook has seen a few data breaches over the past few years. One of the most expensive data breaches to date led to a $725 million class-action lawsuit settlement, which followed a 2018 revelation that the organization had allowed Cambridge Analytica, a British political consulting firm, access to the data of 87 million users. This breach is different from others on the list because the company itself allowed a third-party organization to access user data without users' consent.

6. Veterans Affairs — $500 million

Veterans Affairs (VA) experienced its most expensive data breach in 2006 through a stolen VA employee laptop. The stolen laptop gave cybercriminals access to personal data such as names, SSNs, and birth dates. This breach affected approximately 26.5 million veterans.

The results of the breach included:

  • $20 million to settle a lawsuit filed by veterans.
  • Response efforts and improving security measures.
  • Reputational damage and loss of trust amongst veterans.

7. Target — $292 million

Target’s most expensive data breach occurred during the 2013 holiday shopping season. Around 40 million credit and debit cards and the sensitive personal data of over 70 million customers were compromised. The attack occurred when hackers accessed Target’s network through a third-party vendor. 

The financial implications of this breach included:

8. Hannaford Bros — $252 million

Between 2007 and 2008, Hannaford Bros experienced a data breach that compromised the company’s point-of-sale (POS) systems. Hackers installed malware on the POS terminals, affecting approximately 4.2 million credit and debit card accounts. 

The financial implications of the breach included:

  • Legal fees, implementing new security measures, and investigations.
  • Lawsuits from banks and credit card companies.
  • Loss of customer trust and reduction in sales.

9. Sony PlayStation Network — $171 million

In April 2011, the Sony PlayStation Network experienced its most expensive data breach when hackers accessed its network. This compromised over 100 million accounts, exposing personal information such as usernames, passwords, and financial information.

The implications of the breach included:

  • $171 million in legal fees, security improvements, and customer support.
  • Millions in lost revenue.
  • Various lawsuits and legal settlements.

10. Yahoo! — $152.5 million

In 2016, Yahoo revealed that it experienced two significant cyberattacks. The first breach, in 2013, affected 3 billion user accounts. In 2014, the company saw a second breach, affecting 500 million user accounts. While some data may have been compromised, the Internet giant highlighted that the stolen data didn’t include crucial information such as bank account information, passwords in clear text, or payment card data.

Yahoo is estimated to have incurred costs amounting to $152.5 million. Here’s a breakdown of the financial implications of these breaches:

Choose Zmanda to protect your sensitive data

As cyber threats evolve, it has become increasingly essential for organizations to protect themselves. Investing in strong data protection solutions can help you achieve this. Zmanda Pro offers businesses comprehensive and innovative backup solutions and seamless cloud integration. With advanced data resiliency, ransomware protection, and disaster recovery, Zmanda adopts a 360-degree approach to help your business prepare for and prevent breaches.

To experience the incredible capabilities of Zmanda, you can get a 14-day free trial today. You can also talk to one of our data protection experts by booking a free 30-minute consultation to ensure you choose the right solution for your business’s needs.