Data Breach Statistics – 2021

Stolen data is a big business since it’s so highly profitable. Here are some recent numbers of dollar values of stolen data:

ItemUS Dollar Amount
Credit Card (high)$45
Credit Card (average)32
PayPal Account27
Credit Card (low)20
Credit Card (Market flooded)10
Health credentials10
Bank account details5
Credit Card (old)5
Full PII3
CVV 3 digit security code2

2019’s largest breaches:

See the source image
In 2019, data breaches cost over $2 trillion world wide.


January 2, 2020: Restaurant conglomerate Landry’s announced a point-of-sale malware attack that targeted customers’ payment card data – the company’s second data breach since 2015.

Peekaboo Moments

January 14, 2020: An unsecured database on a server linking back to Peekaboo Moments, an app where parents post images and videos of their children, was left exposed.  An undisclosed number of email addresses, geographic location data, detailed device data, and links to photos and videos posted by parents have been impacted. The app has been downloaded 1 million times since launching in 2012.

Hanna Andersson

January 20, 2020: An undisclosed number of shoppers of the children’s clothing retailer, Hanna Andersson, had sensitive payment information exposed. Customers who made online purchases from September 16, 2019, to  November 11, 2019, had their names, shipping addresses, billing addresses, payment card numbers, CVV codes, and expiration dates skimmed and put for sale on the Dark Web.


January 22, 2020: A customer support database holding over 280 million Microsoft customer records was left unprotected on the web. Microsoft’s exposed database disclosed email addresses, IP addresses, and support case details. Microsoft says the database did not include any other personal information.

Marijuana Dispensaries

January 23, 2020: THSuite, a point-of-sale system of marijuana dispensaries across the U.S., disclosed personal information belonging to over 85,000 medical marijuana patients and recreational users after leaving their database unprotected. The data breach impacted names, date of births, phone numbers, emails, street addresses, patient names and medical ID numbers, cannabis variety and the quantity purchased, total transaction costs, date received, and photographs of scanned government and employee IDs.

Estee Lauder

February 11, 2020: An unsecured database belonging to the makeup company Estee Lauder exposed 440 million customer records. No payment or sensitive information was impacted but email addresses were disclosed in the database.

Fifth Third Bank

February 11, 2020: Fifth Third Bank, a financial institution with 1,150 branches in 10 states, claims a former employee is responsible for a data breach, which exposed customers’ name, Social Security number, driver’s license information, mother’s maiden name, address, phone number, date of birth and account numbers. The total number of affected employees and banking clients remains undisclosed.

Health Share of Oregon

February 13, 2020: The theft of an employee laptop from GridWorks IC, a third-party vendor of Health Share of Oregon, has exposed the personal and medical information of 654,000 members. The Health Share of Oregon data breach disclosed sensitive data, including names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers.

MGM Resorts

February 20, 2020: Over 10.6 million hotel guests who have stayed at the MGM Resorts have had their personal information posted on a hacking forum. The data dump exposed includes names, home addresses, phone numbers, emails, and dates of birth of former hotel guests.


February 20, 2020: The photography app, PhotoSquared, has exposed the personal information and photos of the 100,000 individuals who have downloaded the app. Besides photos, user’s names, addresses, order receipts, and shipping labels were impacted in the unsecured database.


February 24, 2020: Slickwraps, an online tech customization store, admitted to leaving the information of 850,000 customers in an unprotected database. The customer information disclosed includes names, email addresses, physical addresses, phone numbers, and purchase histories.


March 2, 2020: Walgreens, the second-largest US pharmacy chain, announced an error within their mobile app’s messaging feature that exposed not only personal messages sent within the app but also the names, prescription numbers and drug names, store numbers, and shipping addresses of its users. The total number of users affected has not been disclosed but the pharmacy’s app has over 10 million downloads.

Carnival Cruise Lines

March 4, 2020: Two cruise lines under the Carnival Corporation, one of the world’s largest cruise ship operator, divulged sensitive information of its employees and customers after a hacker accessed an employee’s work email. The information accessed from the Princess Cruises and the Holland America Line includes names, addresses, Social Security numbers, government identification numbers, such as passport number or driver’s license number, credit card and financial account information, and health-related information.


March 4, 2020: Hackers successfully accessed online accounts of customers of the apparel retailer, J-Crew, through a credential stuffing attack. Using exposed emails and passwords, the hackers were able to login to an unknown number of J-Crew customer accounts and gain access to stored information including the last four digits of credit card numbers, expiration dates, card types, billing addresses, order numbers, shipping confirmation numbers, and shipment status.


March 5, 2020: An unknown number of customers’ sensitive information was accessed through a T‑Mobile employee email accounts after a malicious attack of a third-party email vendor. The personal information of T-Mobile customers accessed includes names and addresses, Social Security numbers, financial account information, and government identification numbers, as well as phone numbers, billing and account information, and rate plans and features.


March 11, 2020: Whisper, an anonymous secret-sharing app, has left member information exposed in an unsecured database. Although the app does not collect names, the database included nicknames, ages, ethnicities, genders, and location data of over 900 million users.


March 18, 2020:  The online guitar lessons website, TrueFire, notified its users that a hacker gained access to names, addresses, payment card account numbers, card expiration date, and security codes for the past six months. The total number of users affected is still unknown but TrueFire has millions of users worldwide.

General Electric

March 24, 2020: The technology conglomerate, General Electric (GE), disclosed that a third party vendor experienced a data breach, exposing the personally identifiable information of over 280,000 current and former employees. The employee information accessed through Canon Business Process Services included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, and dates of birth.

Marriott International

March 31, 2020: Using the login credentials of two employees through a third-party app used to provide guest services, Marriott International hotels exposed the information of 5.2 million guests. The personal information of the hotel guests impacted includes names, mailing addresses, email addresses, phone numbers, loyalty account numbers and points balances, company, genders, birth dates, linked airline loyalty programs and numbers, room preferences and language preferences. In a previous data breach in 2018, Marriott hotels exposed the personal information of 500 million guests.