What is the most expensive data breach in history?

The Facebook/Meta FTC consent order of $5 billion (2019) is the largest single regulatory penalty arising from a privacy / data-protection failure, related to Cambridge Analytica. Including ongoing GDPR enforcement, Meta has paid over $6.6 billion in privacy-related fines through 2025. By total breach-incident cost (settlements + fines + remediation + business impact), Equifax (2017) is estimated at over $1.4 billion through 2025 and the cost is still accruing. Change Healthcare (2024) is currently estimated at $2.45 billion to UnitedHealth based on its 10-Q filings.

What is the largest data breach by number of records?

National Public Data (2024) exposed approximately 2.9 billion records containing SSNs, addresses, and DOBs of nearly all Americans, the largest single-incident exposure of US PII to date. By volume of unique users affected, Yahoo (2013-2014) remains the benchmark at 3 billion accounts compromised. The 2024 Snowflake credential-compromise campaign exposed records across 165+ companies including Ticketmaster (560M) and AT&T (110M) but was a multi-customer event rather than a single breach.

How long do data breach lawsuits take to settle?

Class-action breach lawsuits typically take 2-4 years to reach settlement. Equifax (2017) reached its $700M FTC settlement in 2019 but related class-action and state-AG actions continued through 2024. T-Mobile's 2021 breach settled for $350M in July 2022. Marriott's 2018 disclosure produced multiple ongoing actions still in litigation. Healthcare breaches under HIPAA typically settle faster because OCR investigations are time-bound.

What is the average stock price impact of a major breach?

Across publicly listed companies in this register, the average stock price decline within three months of disclosure is approximately 7.5%. The variance is huge: Equifax dropped 35% (recovered in 18 months), SolarWinds dropped 25% (12 months to recover), Capital One dropped 7% (4 months), Marriott 6% (3 months), Target 10% (6 months). The depth and duration of the drop correlates with the quality of incident-response communication, the sensitivity of exposed data, and pre-existing market position.

Why are 2024 breaches still being added to this list?

Cost figures for recent breaches accumulate over years, not days. Change Healthcare's estimate has risen from $872M (Q1 2024) to $2.45B (Q3 2024) as remediation, customer notification, lost business, and litigation costs have been disclosed in successive UnitedHealth 10-Q filings. We update each entry as new primary-source disclosures are filed and avoid speculative numbers. Cost figures marked TBD reflect breaches where the full economic impact has not yet been quantified in a public filing.

Schedule 04 / Mega-Breach Register15 incidents, primary-source cited

Disclosure timeline

Mega-breach cost register.

Each entry below is a publicly disclosed incident with a cost figure traceable to an SEC 8-K or 10-K filing, an OCR enforcement action, an AG settlement, an FTC consent order, or an ICO penalty notice. Speculative or unsourced cost numbers are excluded.

Largest known total

$5B

Facebook FTC fine, 2019

Largest by records

2.9B

National Public Data, 2024

Largest healthcare

$2.45B

Change Healthcare, 2024

Largest ransom

$75M

Dark Angels, 2024

Section 04.1 / Disclosure schedule

Verified cost figures, sortable by year

Sorted newest first. Each row carries an explicit primary-source citation. Where total cost is undisclosed in public filings, the cell shows TBD or the actual settlement / fine recorded to date.

Year	Company	Industry	Records	Total cost	Attack vector	Severity
2024	Change Healthcare Compromised credentials on Citrix portal without MFA	Healthcare	190M	$2.45B+	Ransomware (ALPHV/BlackCat)	Critical
2024	National Public Data Unprotected database containing SSNs, addresses, DOBs for nearly all Americans	Data Broker	2.9B	TBD	Database exfiltration	Critical
2024	Ticketmaster Compromised credentials for Snowflake cloud data warehouse	Entertainment	560M	TBD	Cloud breach (Snowflake)	Critical
2024	AT&T Same Snowflake credential compromise campaign	Telecommunications	110M	TBD	Cloud breach (Snowflake)	Critical
2023	MOVEit (Progress Software) Zero-day SQL injection in MOVEit Transfer (CVE-2023-34362)	Technology	95M+	$2.7B+	Supply chain (Cl0p ransomware)	Critical
2023	23andMe Credential stuffing + DNA Relatives feature exposed linked profiles	Healthcare	6.9M	$400M+	Credential stuffing	Material
2022	Optus Unauthenticated API endpoint exposed customer data	Telecommunications	10M	$140M+	API exploit	Material
2021	Colonial Pipeline Compromised VPN password without MFA	Energy	N/A	$15M+	Ransomware (DarkSide)	Material
2021	T-Mobile Unprotected router exploited to access customer database	Telecommunications	77M	$500M+	Network intrusion	Material
2020	SolarWinds SUNBURST backdoor inserted into Orion software update	Technology	18K orgs	$100M+	Supply chain	Material
2019	Capital One AWS WAF misconfiguration exploited by former employee	Financial Services	100M	$300M+	Cloud misconfiguration	Material
2019	Facebook/Meta Contact importer feature exploited to scrape user data	Technology	533M	$5B+	Data scraping	Critical
2018	Marriott Starwood database compromised since 2014, undetected through merger	Hospitality	500M	$350M+	Network infiltration	Material
2017	Equifax Unpatched Apache Struts vulnerability (CVE-2017-5638)	Financial Services	147M	$1.4B+	Web application exploit	Critical
2013	Yahoo Forged cookies, outdated encryption	Technology	3B	$470M	State-sponsored hack	Disclosed

Primary source:See individual breach detail cards below for each cost figure's primary-source citation.

Section 04.2 / Incident postmortems

Each filing, with primary source

2024 / Healthcare

Change Healthcare

Critical

$2.45B+

Records

190M

Attack vector

Ransomware (ALPHV/BlackCat)

Root cause

Compromised credentials on Citrix portal without MFA

Aftermath

$22M ransom paid. $2.45B estimated cost to UnitedHealth. Largest healthcare breach in US history.

Primary source for cost figure:UnitedHealth Group 10-Q filings, Q1-Q3 2024; UHG investor calls.

2024 / Data Broker

National Public Data

Critical

TBD

Records

2.9B

Attack vector

Database exfiltration

Root cause

Unprotected database containing SSNs, addresses, DOBs for nearly all Americans

Aftermath

Company filed for bankruptcy. Multiple class actions. Congressional hearings.

Primary source for cost figure:Class-action complaints (S.D. Fla.); company bankruptcy filing.

2024 / Entertainment

Ticketmaster

Critical

TBD

Records

560M

Attack vector

Cloud breach (Snowflake)

Root cause

Compromised credentials for Snowflake cloud data warehouse

Aftermath

Part of broader Snowflake campaign affecting 165+ companies. Ongoing investigation.

Primary source for cost figure:Live Nation 10-Q SEC filing, Q2 2024.

2024 / Telecommunications

AT&T

Critical

TBD

Records

110M

Attack vector

Cloud breach (Snowflake)

Root cause

Same Snowflake credential compromise campaign

Aftermath

$13M FCC settlement. Call/text metadata of nearly all customers exposed.

Primary source for cost figure:AT&T SEC 8-K, Jul 2024; FCC consent decree, Sep 2024 ($13M).

2023 / Technology

MOVEit (Progress Software)

Critical

$2.7B+

Records

95M+

Attack vector

Supply chain (Cl0p ransomware)

Root cause

Zero-day SQL injection in MOVEit Transfer (CVE-2023-34362)

Aftermath

2,700+ organizations affected. Industry-wide cost estimated at $2.7B.

Primary source for cost figure:Progress Software SEC 10-K filings 2023-2024; CISA advisory CSA-23-158A.

2023 / Healthcare

23andMe

Material

$400M+

Records

6.9M

Attack vector

Credential stuffing

Root cause

Credential stuffing + DNA Relatives feature exposed linked profiles

Aftermath

$30M settlement. Company filed for bankruptcy. Board resigned.

Primary source for cost figure:23andMe 10-Q SEC filings; class-action settlement filings.

2022 / Telecommunications

Optus

Material

$140M+

Records

10M

Attack vector

API exploit

Root cause

Unauthenticated API endpoint exposed customer data

Aftermath

CEO resigned. AU$140M+ in remediation. Sparked Australian privacy law reform.

Primary source for cost figure:ASIC announcement; Optus parent (Singtel) earnings disclosure, Nov 2022.

2021 / Energy

Colonial Pipeline

Material

$15M+

Records

N/A

Attack vector

Ransomware (DarkSide)

Root cause

Compromised VPN password without MFA

Aftermath

$4.4M ransom paid ($2.3M recovered). 6-day pipeline shutdown. New TSA directives.

Primary source for cost figure:DOJ press release, 7 Jun 2021 (FBI recovery of $2.3M); House Homeland Security testimony.

2021 / Telecommunications

T-Mobile

Material

$500M+

Records

77M

Attack vector

Network intrusion

Root cause

Unprotected router exploited to access customer database

Aftermath

$350M class action settlement. $150M security investment mandate.

Primary source for cost figure:T-Mobile SEC 8-K, Aug 2021; class-action settlement filings, $350M (Jul 2022).

2020 / Technology

SolarWinds

Material

$100M+

Records

18K orgs

Attack vector

Supply chain

Root cause

SUNBURST backdoor inserted into Orion software update

Aftermath

Stock dropped 25%. SEC enforcement action. Estimated $100M+ across victims.

Primary source for cost figure:SEC enforcement complaint vs SolarWinds, Oct 2023; SolarWinds 10-K filings.

2019 / Financial Services

Capital One

Material

$300M+

Records

100M

Attack vector

Cloud misconfiguration

Root cause

AWS WAF misconfiguration exploited by former employee

Aftermath

$190M customer settlement. $80M OCC fine. CISO replaced.

Primary source for cost figure:OCC consent order ($80M civil money penalty, 2020); Capital One 10-Q filings.

2019 / Technology

Facebook/Meta

Critical

$5B+

Records

533M

Attack vector

Data scraping

Root cause

Contact importer feature exploited to scrape user data

Aftermath

$5B FTC fine. $1.6B EU GDPR fine (2023). Multiple ongoing investigations.

Primary source for cost figure:FTC consent order, 24 Jul 2019 ($5B); EU GDPR fine, 22 May 2023 (EUR 1.2B).

2018 / Hospitality

Marriott

Material

$350M+

Records

500M

Attack vector

Network infiltration

Root cause

Starwood database compromised since 2014, undetected through merger

Aftermath

$23.8M ICO fine (reduced from $124M). Multiple class actions pending.

Primary source for cost figure:ICO Penalty Notice (Oct 2020) reduced to GBP 18.4M; Marriott 10-K filings.

2017 / Financial Services

Equifax

Critical

$1.4B+

Records

147M

Attack vector

Web application exploit

Root cause

Unpatched Apache Struts vulnerability (CVE-2017-5638)

Aftermath

$700M FTC settlement. CISO and CIO resigned. Still paying costs in 2025.

Primary source for cost figure:FTC consent order (2019); Equifax 10-K filings 2017-2024; SEC settlement.

2013 / Technology

Yahoo

Disclosed

$470M

Records

Attack vector

State-sponsored hack

Root cause

Forged cookies, outdated encryption

Aftermath

Verizon acquisition reduced by $350M. $117.5M class action settlement.

Primary source for cost figure:Verizon SEC 8-K (Feb 2017) disclosing $350M acquisition price reduction; Yahoo settlement orders.

Primary source:All cost figures traceable to public regulator filings (SEC 10-K/10-Q/8-K, FTC consent orders, OCR settlements, ICO penalty notices, AG settlements, court filings). Last verified April 2026.

Section 04.3 / Patterns in mega-breaches

Common root causes & aftermath

Root causes (frequency in this register)

Stolen credentials without MFA, the single most common precursor: Change Healthcare (Citrix portal), Colonial Pipeline (VPN), T-Mobile, 23andMe (credential stuffing).
Unpatched public-facing software: Equifax (Apache Struts), MOVEit (zero-day SQL injection in MOVEit Transfer).
Cloud or third-party data-platform compromise: Capital One (AWS WAF misconfiguration), Ticketmaster & AT&T (Snowflake credential campaign).
Supply chain: SolarWinds (poisoned Orion update), MOVEit (Cl0p ransomware via vendor software).
Insider abuse / data scraping: Capital One (former AWS employee), Facebook (contact-importer abuse).

Aftermath patterns

Executive turnover within 12 months: Equifax (CEO, CIO, CSO), Target (CEO, CIO), 23andMe (entire board), Optus (CEO).
Class actions take 2-4 years to settle: Equifax ($700M FTC + class action), T-Mobile ($350M), Marriott (multiple ongoing).
Stock price impact averages 7.5% within 3 months but Equifax fell 35% and SolarWinds 25%.
Regulatory escalation: OCC consent orders (Capital One), SEC enforcement (SolarWinds), FCC consent decrees (AT&T).
M&A consequences: Yahoo's acquisition price reduced by $350M after disclosure.

Index / Companion schedules

01 Calculator

→

Calculate your specific exposure (the modal that produces these figures).

02 Statistics

→

Global averages that contextualise these mega-breaches.

03 By industry

→

Sector-specific cost averages and notable breaches per sector.

06 Ransomware

→

Pay vs don't pay economics and largest known payments.

10 Cost breakdown

→

Where mega-breach costs actually go: lost business, litigation, etc.

09 Notification laws

→

The 72-hour and state notification clocks these companies faced.

Schedule F / Reference Q&A

Mega-breach cost register.

Verified cost figures, sortable by year

Each filing, with primary source

Change Healthcare

National Public Data

Ticketmaster

AT&T

MOVEit (Progress Software)

23andMe

Optus

Colonial Pipeline

T-Mobile

SolarWinds

Capital One

Facebook/Meta

Marriott

Equifax

Yahoo

Common root causes & aftermath

01 Calculator

02 Statistics

03 By industry

06 Ransomware

10 Cost breakdown

09 Notification laws

Frequently Asked Questions