2017 was bananas in a lot of ways, and cybersecurity was no exception. Critical infrastructure attacks, insecure databases, hacks, breaches, and leaks of unprecedented scale impacted institutions around the world—along with the billions of people who trust them with their data.

This list includes incidents disclosed in 2017, but note that some took place earlier. (Speaking of which, you know it's a heck of a year when Yahoo reveals that it leaked info for three billion accounts, and it's still not a clear-cut winner for worst incident.) The pace has been unrelenting, but before we forge on, here's WIRED's look back at the biggest hacks in 2017.

Security doomsayers have long warned about the potential dangers posed by critical infrastructure hacking. For many years, though, the Stuxnet worm, first discovered in 2010, was the only known piece of malware built to target and physically damage industrial equipment. But in 2017, researchers from multiple security groups published findings on two such digital weapons. First came the grid-hacking tool Crash Override, also known as Industroyer, revealed by the security firms ESET and Dragos Inc. It was used to target the Ukrainian electric utility Ukrenergo and cause a blackout in Kiev at the end of 2016. A suite of malware called Triton, discovered by the firms FireEye and Dragos, followed close behind and attacked industrial control systems.

Crash Override and Triton don't seem to be connected, but they have some similar conceptual elements that speak to the traits that are crucial to infrastructure attacks. Both infiltrate complex targets, which can potentially be reworked for other operations. They also include elements of automation, so an attack can be put in motion and then play out on its own. They aim not only to degrade infrastructure, but to target the safety mechanisms and failsafes meant to harden systems against attack. And Triton targets equipment used across numerous industrial sectors like oil and gas, nuclear energy, and manufacturing.

Not every electric grid intrusion or infrastructure probe is cause for panic, but the most sophisticated and malicious attacks are. Unfortunately, Crash Override and Triton illustrate the reality that industrial control hacks are becoming more sophisticated and concrete. As Robert Lipovsky, a security researcher at ESET, told WIRED in June, "The potential impact here is huge. If this is not a wakeup call, I don't know what could be."

This was really bad. The credit monitoring firm Equifax disclosed a massive breach at the beginning of September, which exposed personal information for 145.5 million people. The data included birth dates, addresses, some driver's license numbers, about 209,000 credit card numbers, and Social Security numbers—meaning that almost half the US population potentially had their crucial secret identifier exposed. Because the information Equifax coughed up was so sensitive, it's widely considered the worst corporate data breach ever. For now.

Equifax also completely mishandled its public disclosure and response in the aftermath. The site the company set up for victims was itself vulnerable to attack, and asked for the last six digits of people's Social Security numbers to confirm if they were impacted by the breach. Equifax also made the breach response page a standalone site, rather than part of its main corporate domain—a decision that invited imposter sites and aggressive phishing attempts. The official Equifax Twitter account even mistakenly tweeted the same phishing link four times. Four. Luckily, in that case, it was just a proof-of-concept research page.

Observers have since seen numerous indications that Equifax had a dangerously lax security culture and lack of procedures in place. Former Equifax CEO Richard Smith told Congress in October that he usually only met with security and IT representatives once a quarter to review Equifax's security posture. And hackers got into Equifax's systems for the breach through a known web framework vulnerability that had a patch available. A digital platform used by Equifax employees in Argentina was even protected by the ultra-guessable credentials "admin, admin"—a truly rookie mistake.