Millions Exposed: A Look at the 8 Biggest Data Breaches Since 2020

This analysis looks at eight of the most significant breaches of recent years, not just to quantify the scale, but to unpack the compromised data, the reasons that might have caused the leaks, their consequences, and the urgent calls to action they present.

May 9, 2024

1. Indonesian SIM Cards (1.3 Billion Records Lost)

In a startling data breach, 1.3 billion records from Indonesian SIM card registrations were exposed, marking the largest data breach in Asia to date. Orchestrated by a hacker known as “Bjorka”, this breach laid bare national identity numbers, phone numbers, and more.

The data was harvested after a 2017 policy change that required all Indonesian SIM card users to register their cards with their identity card (KTP) and family card (KK), creating a centralised database of sensitive information.

This database then became a target for hackers due to the failure to promptly address cybersecurity weaknesses. Consequently, hackers like Bjorka found it easier to access and expose a significant volume of personal data.

Bjorka's actions, though illegal, found an unexpected resonance among Indonesians frustrated with the country's data governance, sparking a national conversation on cybersecurity.

2. Shanghai Police (500 Million Records Lost)

A database containing the personal information of over a billion Chinese civilians was allegedly stolen from the Shanghai National Police (SHGA). This breach, potentially one of the largest in history, resulted in the loss of records on over 500 million Chinese citizens and included sensitive information such as addresses, police records, and national ID numbers.

HackerDan made a selection of datasets public: one dataset revealed delivery addresses alongside specific instructions for delivery personnel. They tried to sell the database online for 10 Bitcoin, equivalent to approximately $200,000.

The Chinese media's efforts to suppress details of the incident did little to quell the global uproar it caused. The incident revealed the vulnerability of vast amounts of sensitive data to cybercriminal activities.

3. Experian Brazil (200 Million Citizens Exposed)

Experian faced a massive data breach exposing the personal information of over 220 million Brazilian citizens and businesses, which was then offered for sale on the dark web.

Discovered by security firm PSafe, the breach exposed data through Mosaic, a consumer segmentation model used by Experian's Brazilian subsidiary, Serasa. 

The leak potentially originated from within the company, but Experian hasn’t confirmed this claim. Nevertheless, it highlighted the critical need for robust internal security measures and transparency in handling personal data. Experian did not specify the technical and organisational measures adopted to implement its data protection policy.

4. Twitter API Bug (200 Million Records)

Twitter's security was compromised by a bug in its API between June 2021 and January 2022 which affected 200 million users. It allowed attackers to link email addresses and phone numbers to specific accounts, potentially unmasking the identities of pseudonymous Twitter accounts. 

Twitter was under investigation by the US Federal Trade Commission to determine if the social media giant breached a "consent decree," which mandated the company to enhance its privacy and data security practices for users.

The rebrand didn’t help Twitter with its security threats. X (Twitter) was under fire again in 2023 when a database with 200 million records was published on a notable hacker forum. The data included email addresses, names, and usernames, but it turned out to be the same data that was originally scraped by exploiting the previous API vulnerability.

5. Indonesia’s Health Agency (279 Million Records Lost)

In 2021, Indonesia witnessed another breach, this time striking at the heart of healthcare. The personal information of the entire population–279 million citizens–was exposed through BPJS Kesehatan, the country's health insurance agency. 

This breach compromised ID numbers, salaries, and phone numbers, leaving millions vulnerable to medical identity theft, fraudulent insurance claims, and the potential misuse of sensitive health data. 

“Fraudsters could make fake ID cards, pretending that they have lost their phones, then report it to the network provider or operator to get access to phone numbers. This access is crucial, considering we receive one-time passwords (OTPs) to reset email passwords and other accounts via SMS,” said Aliviyarda of Indosat Ooredoo.

6. Thailand Visitors (100 Million Records Lost)

In 2021, a data leak affecting Thailand's visitor records exposed sensitive information of up to 100 million foreigners who travelled to the country in the last decade. The compromised data included names, passport numbers, and residency status. 

In June of the same year, a government website for foreigners to sign up for a coronavirus vaccine was found to be revealing the names and passport numbers of prospective recipients. These breaches called into question Thailand's cybersecurity protocols and the protection of foreigners’ data within its borders.

7. T-Mobile (37 Million Records)

T-Mobile reported a data breach in August 2021, affecting 37 million customers. Names, birth dates, Social Security numbers, and driver's license/ID information were exposed, although direct contact information and financial details remained secure. 

This information allows scammers to target T-Mobile users with phishing messages, account takeovers and harassment. The stolen and exposed data provides enough information to be used for identity theft.

This breach, part of a series of security lapses at T-Mobile, which has experienced multiple data breaches in the last few years, emphasised the persistent challenges telecom companies face in safeguarding customer data against sophisticated cyber threats.

[Bonus] 8. The Most Controversial Breach: Ashley Madison (37 Million Records Lost)

The Ashley Madison breach in 2015 stands out for its controversy. The site, which facilitated extramarital affairs, was targeted by a group called the Impact Team, leading to the exposure of 60GB of data, including users’ real names, home addresses, and search history. The company claimed the attack originated from an insider, but this wasn’t confirmed. 

The "Impact Team," responsible for the breach, claimed a moral high ground, motivated by exposing a service they deemed exploitative, profiting from "the pain of others." 

They particularly objected to a "full delete" option provided by Ashley Madison's parent company, Avid Life Media, which claimed to thoroughly remove users' profiles and personal details for a fee of $19. 

The hackers argued that, despite assurances of erasing all traces of site activity and personal data, key information such as users' real names and addresses linked to purchase records remained on the site. This ignited questions about consent in such sensitive online spaces. 

The compromised data contained users’ encrypted passwords, showing that some good security practices were in place. However, once made public, the passwords were reverse-engineered.

The exposed data triggered a tidal wave of public shaming and personal attacks on users. Lives were upended, relationships destroyed, and careers jeopardised. This underscored the chilling reality of online anonymity's fragility and the potential for immense collateral damage in data breaches, even when targeting seemingly "consenting" individuals.

The human cost of the exposed data served as a grim reminder of the far-reaching consequences of online security failures, especially when intertwined with sensitive personal choices and societal norms.

How Could These Breaches Be Avoided?

These breaches serve as stark reminders of the vulnerabilities inherent in our digital world. They highlight the ongoing battle between data security and the sophisticated techniques of cybercriminals, underscoring the importance of robust security measures and ethical data governance.

At the same time, the technology that safeguards user data is evolving too, and emerging privacy-enhancing technologies (PETs) offer new ways for companies to bolster their security online.

Secure enclaves, for example, can significantly enhance data protection by creating a secure, isolated environment where sensitive data and critical applications can operate safely, away from the reach of unauthorised users and malicious actors. 

This technology prevents unauthorised access by encrypting data at a hardware level, ensuring that only the people authorised by the enclave can access the data, creating a fortified barrier against both external attacks and insider threats. 

Even administrators cannot access the data when using secure enclaves, which helps to prevent the human error that often accompanies data breaches.

Additionally, secure enclaves offer strict access control and detailed audit logs, enhancing security and accountability. By adopting secure enclaves, organisations can better protect sensitive data, maintain privacy, and build user trust, staying ahead of evolving cyber threats.

If you’re looking for how you can implement advanced secure enclaves and other privacy-enhancing technologies that can help to prevent data breaches in your organisation, attend the Eyes-Off Data Summit 2024 on September 11-12 to join the community of privacy advocates and innovators working towards a more secure digital future.
