2024 was the worst year for data breaches in history. Not by a small margin either. We are talking billions of records exposed across dozens of major incidents. And if you think 2026 will be any better, I have some bad news.
Let me walk you through the biggest hits of the year and explain why this problem is getting worse, not better.
> National Public Data: 2.9 Billion Records
This is the one that broke the scale. National Public Data, a background check company most people had never heard of, exposed approximately 2.9 billion records containing Social Security numbers, names, addresses, and family member data.
Think about that number. The United States has 330 million people. This breach contained records for nearly every American, many listed multiple times with historical addresses going back decades. It also included records for citizens of the UK and Canada.
The company filed for bankruptcy shortly after. Great. That really helps the billions of people whose SSNs are now permanently available to criminals.
> AT&T: 73 Million Records (Twice)
AT&T had not one but two major breaches disclosed in 2024. The first, revealed in March, exposed 73 million customer records including Social Security numbers and account passcodes dating back to 2019.
The second, disclosed in July, was arguably worse. Hackers accessed call and text metadata for virtually all AT&T cellular customers over a six month period. That is records of who called whom, when, and for how long. Not the content of the calls, but the metadata alone can reveal relationships, habits, and patterns that are deeply personal.
> Change Healthcare: 100 Million+ Records
In February, the ALPHV/BlackCat ransomware gang hit Change Healthcare, a company that processes about 40% of all US health insurance claims. The attack disrupted healthcare payments across the country for weeks. Pharmacies could not process prescriptions. Hospitals could not verify insurance. Doctors went unpaid.
UnitedHealth Group, which owns Change Healthcare, paid a reported $22 million ransom. The breach affected over 100 million individuals and exposed health insurance information, medical records, billing data, and Social Security numbers. It was the largest healthcare breach in US history.
> Ticketmaster: 560 Million Records
The ShinyHunters hacking group claimed to have stolen data on 560 million Ticketmaster customers. Names, addresses, phone numbers, email addresses, and partial payment card details. Live Nation confirmed the breach in May after the data showed up for sale on hacking forums.
For a company that already had a reputation for treating customers poorly, this was the cherry on top.
> Synnovis (UK Blood Tests): 300 Million Records
A ransomware attack on Synnovis, a pathology services provider for the UK's National Health Service, exposed patient data and caused massive disruption to blood testing services across London hospitals. Surgeries were postponed. Blood transfusions were delayed. The Qilin ransomware gang published stolen data after Synnovis refused to pay the ransom.
> The Numbers Do Not Lie
Adding up just the major breaches of 2024, we are looking at well over 4 billion records exposed in a single year. And those are only the ones that made headlines. Hundreds of smaller breaches affecting tens of thousands of people each fly completely under the radar.
Some important trends from 2024:
- Healthcare is the top target. Medical data is worth more than credit card numbers on the dark web because it cannot be easily changed. You can get a new credit card. You cannot get a new medical history.
- Third party vendors are the weak link. Companies like National Public Data and Change Healthcare process data for thousands of other organizations. One breach cascades across entire industries.
- Ransomware gangs are getting bolder. They are not just encrypting data anymore. They steal it first, then threaten to publish it. Even if you pay the ransom, there is no guarantee the data stays private.
- AI is supercharging attacks. Phishing emails are getting harder to spot because AI generates perfect grammar and personalized content. Automated tools find vulnerabilities faster than companies can patch them.
> Why 2026 Will Be Even Worse
Every year, security experts say "this was the worst year yet" and every year they are right. The structural problems driving breaches are not getting fixed.
Companies still collect way more data than they need. Regulations still lack teeth. Penalties are still just a cost of doing business. And the attack surface keeps expanding as more systems go online and more third party integrations create new entry points.
Meanwhile, AI tools are lowering the barrier to entry for cybercriminals. You no longer need to be a skilled hacker to launch sophisticated attacks. The tools are automated, cheap, and widely available.
> What This Means For You
If you have been online for more than a few years, your data has almost certainly been compromised in at least one breach. Probably several. The question is not whether your data is out there. It is how much of it is exposed and what criminals might do with it.
Most people never check. They assume that if something bad were going to happen, it would have happened already. But identity theft and fraud can occur years after a breach. Criminals are patient. They collect data from multiple sources, build comprehensive profiles, and strike when the payoff is highest.