The biggest data breaches in 2024: 1 billion stolen records and rising
TechCrunch · Image Credits:Bryce Durbin / TechCrunch

We're almost at the end of 2024, a year that will go down as having seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can't get any worse, they do.

From huge stores of customers' personal information getting scraped, stolen, and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 have surpassed 1 billion stolen records and are rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks.

Travel with us to the not-so-distant past to look at how some of the biggest security incidents of 2024 went down, their impact, and, in some cases, how they could have been stopped.

AT&T's data breaches affect "nearly all" of its customers, and many more non-customers

For AT&T, 2024 has been a very bad year for data security. The telecoms giant confirmed not one, but two separate data breaches just months apart.

In July, AT&T said cybercriminals had stolen a cache of data that contained phone numbers and call records of "nearly all" of its customers, or around 110 million people, over a six-month period in 2022 and in some cases longer. The data wasn't stolen directly from AT&T's systems, but from an account it had with data giant Snowflake (more on that later).

Although the stolen AT&T data isn't public (and one report suggests AT&T paid a ransom for the hackers to delete the stolen data) and the data itself does not contain the contents of calls or text messages, the "metadata" still reveals who called who and when, and in some cases the data can be used to infer approximate locations. Worse, the data includes phone numbers of non-customers who were called by AT&T customers during that time. That data becoming public could be dangerous for higher-risk individuals, such as domestic abuse survivors.

That was AT&T's second data breach this year. Earlier in March, a data breach broker dumped online a full cache of 73 million customer records to a known cybercrime forum for anyone to see, some three years after a much smaller sample was teased online.

The published data included customers’ personal information, including names, phone numbers and postal addresses, with some customers confirming their data was accurate.

But it wasn’t until a security researcher discovered that the exposed data contained encrypted passcodes used for accessing a customer’s AT&T account that the telecoms giant took action. The security researcher told TechCrunch at the time that the encrypted passcodes could be easily unscrambled, putting some 7.6 million existing AT&T customer accounts at risk of hijacks. AT&T force-reset its customers’ account passcodes after TechCrunch alerted the company to the researcher’s findings.