
The consequences of a major data breach have never been greater. Since May 25 the EU's General Data Protection Regulation (GDPR) has been in force and data breaches could now result in huge fines. We're charting the biggest data breaches and privacy flaws, and the fines resulting from them throughout the year.

The latest firm to admit it has been hacked is British Airways, which was hit by a major breach leading to customer data being stolen.


On this page we'll be tracking the year's biggest hacks. As the year goes on, we'll be updating it with new issues you should be aware of.

Data breach: British Airways

When?: August 21 to September 5

What happened?: For more than two weeks this summer, hackers were inside the systems of British Airways. They took the personal and financial details of customers who made, or changed, bookings on ba.com or its app during that time. Names, email addresses and credit card information were stolen – including card numbers, expiration dates and the three-digit CVC code required to authorise payments. Around 380,000 transactions were affected. BA blamed a "sophisticated" group of cybercriminals but didn't give any more details. A post on its website says people should contact their banks, people will be reimbursed and it will pay for a credit checking service.


Data breach: Reddit

When?: June

How many people: Reddit won't say

What happened?: Reddit's systems were accessed in June, the site announced in a blog post. As Reddit staff were trying to log in to their systems using two-factor authentication codes sent via text message, the messages were intercepted. Using the staff members' accounts the unknown hackers were able to take email addresses of current Reddit users and a 2007 database. Reddit hasn't admitted how many email addresses were compromised. The worry for users is that email addresses will be leaked and it will be possible to link anonymous accounts to real people.

Data breach: Timehop

When?: July

How many people: 21 million

What happened?: Timehop connects to social networks and surfaces nostalgic posts from the past. On Facebook it shows users their previously popular posts in a bid to help people rekindle previous memories. However, the company detected an ongoing cyberattack in July and found names, email addresses and "keys" allowing access to previous posts had been taken. It delayed the tokens for accessing historic posts, it said.


Data breach: Polar Flow

When?: July

What happened?: The fitness app Polar Flow revealed the locations of military personnel inside secret bases around the world. As with the Strava data privacy issue in January, researchers found it was possible to monitor the movements of soldiers. Changing a URL let anyone see a person's workouts.

Data breach: MyHeritage

When?: February - June

How many people: 92 million

What happened?: DNA testing firm MyHeritage suffered a huge data breach affecting 92 million people. While DNA data wasn't made public, emails and some password information were. The data was stored on a private server and whoever obtained it sent it to third-party security researchers.

Data breach: Ticketmaster

When?: February - June

How many people: 40,000

What happened?: Ticketmaster revealed that the login information, payment data, addresses, names and telephone numbers of 40,000 people were at risk. The data breach was first spotted by digital bank Monzo, which told Ticketmaster about the insecurities.


Data breach: Typeform

When?: May – June

How many people: millions

What happened?: Data collected through Typeform surveys was left unsecured and was taken by hackers. As a result, adidas, Monzo, Revolut, England's Shavington-cum-Gresty Parish Council, Fortnum and Mason's and more were forced to admit that data had been compromised.


Data breach: Dixons Carphone

When?: July 2017

How many people: 5.9 million payment cards

What happened?: Dixons Carphone revealed 5.9 million payment cards and 1.2 million personal data records were stolen in 2017. The cards haven't been used maliciously as most of them were protected by chip and PIN. Names, addresses and email addresses of more than one million people were also taken in the breach.

Fined: University of Greenwich

When?: 2004

How much: £120,000

What happened?: The UK's University of Greenwich exposed 19,500 student details – including names, addresses, phone numbers, signatures, health conditions, and dates of birth – through an insecure training website. The details were first published in 2004 but the Information Commissioner's Office hit the university with a £120,000 fine.

Fined: Yahoo!

When?: April – June

How much: $35m

What happened?: Following Yahoo!'s colossal data breach in 2014, where billions of usernames, email addresses, phone numbers, birthdates, passwords and security questions were taken, regulators have hit the firm with fines. The US Securities and Exchange Commission slapped the firm, now called Altaba, with a $35 million fine in April. The UK's data protection watchdog also fined it £250,000.

Data breach: MyFitnessPal

When?: February 2018

How many people: 150 million

What happened?: In March, sports retailer Under Armour revealed that the usernames, email addresses and passwords of 150 million people using its fitness app MyFitnessPal had been stolen from its systems, although the passwords were encrypted.




Data breach: Equifax

When?: 2017

What's new?: More victims

What happened?: In one of the worst data breaches of all time, Equifax lost the data of 145 million US citizens. It's since emerged that another 2.4 million Americans also lost their data. Equifax said the data breach cost it $114m and separate investigations are still ongoing.

Data breach: Facebook

When?: 2014

Who's responsible: Cambridge Analytica

What happened?: The birth of Facebook's biggest scandal. The Guardian reported more than 50 million people (this later rose to more than 100 million) had data harvested for data profiling company Cambridge Analytica. Facebook found out in 2015 but the details didn't fully come to light until this year. The data was harvested through a quiz app that collected people's personal information; it was then shared beyond the original researchers who had created the app.

Data breach: OnePlus

When?: Between mid-November 2017 and January 11, 2018

How many?: 40,000 people

What happened?: Chinese smartphone manufacturer OnePlus admitted in January that 40,000 of its customers had data lost after a "malicious script was injected into the payment page code" of its website. The script collected people's payment data and returned it to unknown attackers. Credit card numbers, expiry dates, and security codes entered at oneplus.net may have been compromised, the company said.

Data breach: Strava

When?: January

What happened?: The huge public map of workouts from fitness company Strava revealed the locations of military personnel and their movements. In rural locations heatmap data could show how people operated around military bases, plus it was possible to discover the names and heart rates of individuals inside highly secretive bases.


Fined: Carphone Warehouse

When: August 2015

How much?: £400,000

What happened?: The UK's data protection regulator, the Information Commissioner's Office (ICO), hit Carphone Warehouse with a £400,000 fine after the details of three million customers were accessed in 2015. The ICO said there were "rudimentary" security flaws that allowed information to be accessed.

Data breach: US Homeland Security

When?: Between 2002-2014

Who's responsible?: Unknown, but not a “cyber attack by external actors”

What happened?: On January 3, 2018, the US Department of Homeland Security told 247,167 of its employees there had been a "privacy incident" with one of its databases for those that worked there in 2014. During the period of 2002-2014, an undisclosed number of people who were being investigated were also affected by the data loss. The lost information includes names, social security numbers and staff job roles. Officials first discovered the breach in May 2017 but took time to confirm it.

Data breach: Aadhaar

When?: January 3, 2018

Who's responsible?: Former employees

What happened?: India's giant one billion person public database has been compromised. The Tribune newspaper reported former staff members provided access to names, email addresses and phone numbers.