Introduction
Cyberattacks are no longer isolated incidents affecting only large corporations or government agencies. They have become a constant threat to organizations of every size across the United States and globally.
While phishing, credential theft, and ransomware remain among the most common attack methods, cybercriminals are becoming increasingly sophisticated, often exploiting trusted third-party vendors, cloud services, and software supply chains.
This article highlights some of the most significant cyberattacks affecting organizations in recent years and the lessons businesses can draw from them.
Biggest Cyberattacks in 2026
Hackers go cruising on Carnival
In April 2026, hackers stole the data of 6 million Carnival Cruise Line customers. Carnival is one of the largest cruise operators in the world and owns brands such as Princess, Holland America Line, Cunard, and Costa Cruises. The company operates over 90 ships worldwide and transports millions of passengers each year. It did not reveal the breach until May.
Carnival stated that an unauthorized actor used social engineering to deceive an employee into providing access to a limited portion of the company’s IT system. Information taken included driver’s license and passport numbers, phone numbers, names and addresses, and dates of birth. Hacking group ShinyHunters claimed responsibility.
This is also not the first time Carnival was hacked, experiencing breaches in 2019 and 2021, according to SecurityWeek. They were fined $1.25 million over poor handling of the 2019 incident. Some reports highlighted customer concerns regarding notification timing and the availability of credit monitoring services.
This breach highlights the ongoing threat of social engineering attacks and the importance of protecting customer data in the travel and hospitality industry, where large volumes of sensitive personal information make organizations attractive targets.
CarGurus gets taken for a ride
In February 2026, more than 12 million records of personal information were stolen from CarGurus in an attack carried out by hacking group ShinyHunters. CarGurus is an online car research and shopping company that allows customers to buy, sell, and finance vehicle purchases. Its website gets about 40 million monthly visitors.
ShinyHunters published a 6.1GB archive of user data, which included names, email addresses, phone numbers, physical addresses, IP addresses, and in some cases, finance pre-qualification details. They allegedly used “vishing,” or voice phishing, to trick CarGurus employees into handing over access credentials that were then used to gain access.
CarGurus acknowledged the incident as a cybersecurity event and stated that the affected systems were secured. Two class-action lawsuits have been filed in Massachusetts federal court. This hack highlights a growing digital risk in the automotive industry, as platforms like CarGurus that handle sensitive consumer data have become prime targets for cybercriminals.
Navia Benefit Solutions data breach
In January 2026, employee benefits provider Navia Benefit Solutions was hacked, with the data of 2.7 million current and former participants and their dependents taken. The company provides employee benefits administration services, including Health Care Flexible Spending Accounts and COBRA benefits, with 10,000 nationwide clients and more than 1 million participants.
A forensic investigation confirmed that Navia’s computer environment was subject to unauthorized access. Data potentially compromised in the incident included names, email addresses, phone numbers, and Social Security numbers. The affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months. This breach highlights the risks facing benefits administrators and other organizations that store large amounts of employee and healthcare-related information, making them valuable targets for attackers seeking personal data. Navia did not confirm if it was a ransomware attack or if a ransom was demanded. No hacking group has claimed responsibility.
Biggest Cyberattacks in 2025
TransUnion data attack
In July 2025, over 4.4 million Americans had their personal information, including Social Security numbers, exposed during the TransUnion data breach. TransUnion is one of the three major U.S. credit bureaus, tracking financial data on more than 260 million Americans. That alone makes any attack significant.
The attack was linked to ShinyHunters. They gained access to a third-party application used by TransUnion’s U.S. consumer support operations. TransUnion offered two years of complimentary credit monitoring through its myTrueIdentity service and set up dedicated support for impacted consumers.
Because of the highly sensitive information stolen, the breach posed significant, long-term risks including identity theft, fraud, and phishing. It also shows the risks of data aggregators that collect personal information without direct consumer involvement.
St. Paul cyberattack
In July 2025, the city of St. Paul, Minnesota was hit with a cyberattack by Interlock. Suspicious activity was detected in city IT systems. In response, officials shut down internal networks, information systems, online payment portals, and public Wi-Fi.
The city declared a state of emergency, and the governor activated the Minnesota National Guard to assist in responding. A ransom was demanded that St. Paul refused to pay. The hackers then posted 43GB of stolen data online. By November, full system restorations were complete, but they cost the city an estimated $2.5 million. This attack highlights the increasing threat ransomware poses to local governments, where disruptions can impact essential public services and place significant financial burdens on taxpayers.
Yale New Haven Health System data breach
In March 2025, Yale New Haven Health System (YNHHS) suffered a massive data breach that affected over 5.5 million patients in New York, Connecticut, and Rhode Island. YNHHS is the second-largest employer in Connecticut, with 31,000 employees. It operates five hospitals and a primary care and specialist physician group practice.
YNHHS stated that unusual activity affected its IT systems, which led to an unauthorized third party gaining access to the network. Information reportedly accessed included patient and personal information. This breach highlights the continued targeting of healthcare organizations, whose vast collections of patient and medical information remain highly valuable to cybercriminals.
YNHHS paid an $18 million settlement to resolve a federal class-action lawsuit. This marks one of the largest healthcare breaches in 2025.
Biggest Cyberattacks in 2024
Salt Typhoon caught spying
In late 2024, several major telecommunications firms were affected by a series of attacks by Salt Typhoon, an Advanced Persistent Threat (APT) actor linked to China’s Ministry of State Security (MSS).
Companies confirmed in the breach were: Verizon, T-Mobile, AT&T, Lumen Technologies, Consolidated Communications, and Windstream Communications.
The attackers exploited zero-day vulnerabilities in Versa Director (Versa Networks) and unpatched Fortinet and Cisco devices, plus a high-level network management account without multi-factor authentication. They maintained access for over a year before detection by Microsoft threat researchers. The hack also affected both 2024 presidential candidates. A high priority was phone call records from over 1 million people who were mostly in Washington D.C., including government targets of interest.
The hack was considered one of the most significant cyber-espionage operations against U.S. telecommunications infrastructure and prompted government investigations and security reviews.
CDK Global putting dealerships in park
In June 2024, the BlackSuit ransomware group attacked CDK Global, a software provider that supplies dealership management systems to automotive retailers across North America.
More than 15,000 car dealerships experienced outages affecting vehicle sales, financing, inventory management, and service operations. The disruption lasted several weeks and caused significant financial losses throughout the automotive industry. CDK paid a $25 million ransom. It is estimated that dealerships faced over $1 billion in losses due to operational interruption. This attack highlights the dependence of entire industries on third-party technology providers, where a single compromise can create widespread operational disruption.
Ticketmaster hacking
In May 2024, Ticketmaster, one of the world’s biggest ticket sales and distribution companies, fell victim to a cyberattack by ShinyHunters. Rather than attacking Ticketmaster directly, they targeted cloud storage company Snowflake by hacking into an employee’s account. An estimated 560 million customer accounts were affected.
ShinyHunters offered the stolen data online for $500,000. Ticketmaster offered customers a free 12-month credit or identity monitoring service. At least 160 companies that utilized Snowflake were also targeted, including Anheuser-Busch, Allstate, Santander Bank, and State Farm. This breach highlights how weaknesses in cloud environments and third-party platforms can have far-reaching consequences for organizations that rely on them to store customer data.
National Public Data breach
In April 2024, the hacking group USDoD claimed that in December 2023 it stole 2.9 billion personal records from National Public Data, a private data broker that collects and sells access to personal information. The breach exposed personally identifiable information (PII) including names, Social Security numbers, addresses, and phone numbers. This increased the risk of identity theft, fraud, phishing attacks, and burglaries. This incident highlights the risks associated with companies that collect and sell large amounts of personal information, as they become attractive targets for cybercriminals seeking valuable data.
USDoD offered the data on the dark web for $3.5 million. Jerico Pictures, the company behind National Public Data, declared bankruptcy in October 2024, and in December, they shut down.
Change Healthcare ransomware attack
In February 2024, Change Healthcare suffered a ransomware attack orchestrated by the BlackCat (ALPHV) group. Because the company processes 15 billion healthcare transactions yearly, about 1 in every 3 patient records, every hospital in the country felt the impact, either directly or indirectly. It threatened the solvency of U.S. healthcare providers. This incident caused widespread disruptions to healthcare services across the country, interrupted electronic payment processes, and resulted in a $22 million ransom payment. An estimated 190 million people were affected.
The total financial impact was estimated to surpass $2.87 billion. The CEO of the American Hospital Association called the attack “the most significant and consequential incident of its kind against the U.S. health care system in history.” This attack highlights how cybersecurity failures at a single critical provider can have cascading effects across an entire industry, disrupting services on a national scale.
During a congressional hearing, the CEO of UnitedHealth, of which Change Healthcare is a subsidiary, admitted the system did not have multi-factor authentication (MFA). This is a security measure that is considered a basic industry standard.
Biggest Cyberattacks in 2023
All in the family with 23andMe
Sometimes you only need a little to get a lot. Genetics testing company 23andMe admitted in October 2023 that a threat actor had gained access to their accounts. Approximately 14,000 of its 14 million users’ accounts worldwide were accessed. However, through those accounts, the hacker obtained data of about 6.9 million users.
The hackers used credential stuffing, using the same usernames and passwords stolen in previous unrelated attacks to access 23andMe accounts. The hackers operated undetected for over 5 months, from April to September 2023, and the company only began investigating when the stolen user data was put up for sale on the dark web and a ransom was demanded of 23andMe.
The data of millions was obtainable because of the DNA Relatives and Family Tree tools, interconnected data-sharing features that allowed one compromised account to retrieve data from other connected profiles.
Data including names, photos, birth years, locations, ancestry details, and health information were exposed. A lawsuit that was settled for $30 million accused 23andMe of not doing enough to protect its customers and not notifying certain customers that their data had specifically been targeted. This breach highlights how interconnected data-sharing features can dramatically increase the impact of account compromises, exposing information far beyond the initially affected users.
The effect was crippling. 23andMe later filed for Chapter 11 bankruptcy in 2025, and its assets were sold that July to TTAM Research Institute for $305 million. In May 2026, California’s attorney general filed a lawsuit against 23andMe.
Grounding Boeing
An unsealed Department of Justice (DOJ) indictment revealed that cybercriminal group LockBit attempted a $200 million ransomware extortion against the aerospace manufacturer Boeing in October 2023. Because Boeing refused to pay the ransom, 43GB of company data was posted online.
The DOJ identified Dmitry Yuryevich Khoroshev as the main administrator and developer behind the LockBit operation. Boeing stated the attack impacted elements of their parts and distribution business, but did not affect flight safety. This incident highlights the growing threat ransomware groups pose to major corporations, where stolen data can become a powerful tool for extortion even when operations remain largely unaffected.
Hitting the jackpot at MGM and Caesars
Las Vegas was rocked in September 2023 by two cyberattacks against MGM Resorts and Caesars Entertainment, which are two of the biggest casino and resort companies globally. Both were carried out by Scattered Spider, but MGM also was hit by BlackCat (ALPHV).
A data breach at Caesars compromised information of its loyalty program members, including Social Security, driver’s license, and other personal information. The company paid $15 million of a $30 million ransom to have the hackers delete the data.
MGM’s cyberattack crippled 30 properties, internal networks, ATMs, slot machines, digital room key cards, and electronic payment systems, and took personal information of 37 million people dating back to March 2019. Staff were left relying on pen and paper to manage the long lines of guests. MGM refused to pay the ransom, resulting in $100 million in losses after it shut down internal systems. The hackers got in through social engineering: they pretended to be an IT employee whose information they had found on LinkedIn and called the help desk to obtain access with administrator rights. MGM settled a $45 million lawsuit, and the Federal Trade Commission (FTC) dropped a Civil Investigative Demand (CID).
For both attacks, the Clark County District Attorney’s office filed charges against a teenager, who was fifteen years old at the time, and federal charges were brought against 5 adult suspects.
The MGM and Caesars attacks both highlight common cybersecurity weaknesses in the hospitality industry and the need for stronger protections against social engineering and data breaches.
MOVEit software breach
In June 2023, the MOVEit file transfer software was exploited in a widespread attack. Hackers from ransomware group Cl0p accessed sensitive data from 2,700 organizations, 80% being in the U.S., and exposed personal data of about 93.3 million individuals. Organizations included the U.S. Department of Energy, Shell, Johns Hopkins University, and Georgia’s state-wide university system.
Attackers used an SQL injection flaw to steal data. This breach demonstrated the importance of timely software updates and strong security protocols to protect against increasingly sophisticated cyber threats.
Biggest Cyberattacks in 2022
Taking Uber for a ride
For all the cyber hardware and software safeguards companies can have, one of the hardest to control is human error.
In September 2022, Uber was breached by an 18-year-old. The hacker bought an employee’s stolen credentials on the dark web and attempted to log in to the employee’s account, but could not because of multi-factor authentication (MFA). The hacker then carried out an MFA fatigue attack on the employee for an hour, pretending to be from Uber’s IT team to get the employee to accept the notification. Fed up, the employee gave in and approved it. This allowed the hacker to get into Uber.
Once in, the hacker, who was apparently affiliated with Lapsus$, gained access to the company’s VPN, login credentials to Uber’s Privileged Access Management (PAM) tool which had full admin access to all Uber’s sensitive services, and bug bounty reports.
This method worked because the irritated employee approved the notification to make the prompts go away. The hacker then posted on Uber’s internal Slack: “I announce I am a hacker and Uber has suffered a data breach.” This was met with jokes and emojis, as employees did not realize an actual cyberattack was taking place.
This shows that an organization’s security is only as good as its employees’ awareness. Massive breaches often are the result of a minor mistake. And do not leave credentials lying around, because the hacker found admin access in a script on a shared drive.
OneTouchPoint data breach
2.6 million individuals and 35 healthcare providers and insurance carriers were impacted by a data breach that hit OneTouchPoint in April 2022. The Wisconsin-based company provides mailing and printing services.
Affected organizations included Kaiser Permanente, Geisinger, Humana, Anthem, and Blue Cross Blue Shield. The attack compromised personally identifiable information (PII) stored in OneTouchPoint’s systems, comprising names, addresses, birth dates, date of service, description of service, diagnosis codes, health assessment information, and member ID.
OneTouchPoint waited nearly three months after the breach discovery to begin notifying those whose information was compromised, who face heightened risk of identity theft and fraud. That explains why the company was hit with a class action lawsuit alleging that it failed to safeguard the information of its customers. This breach has only further emphasized the importance of third-party risk management in healthcare, where vendors often have access to large amounts of sensitive information.
Shields Health Care Group cyberattack
Over 2.3 million patients’ protected health information was compromised in a cyberattack on Shields Health Care Group in March 2022. Across New England, the company provides ambulatory surgical center management and medical imaging services. Sensitive patient information, including medical records, insurance information, and personal data were exposed.
The kicker? Threat actors were in the network for weeks before Shields discovered the breach. No wonder they were hit with state and federal class action lawsuits, which they later paid $15.3 million to settle.
Biggest Cyberattacks in 2021
Planned Parenthood ransomware attack
When a ransomware attack leads to a class action lawsuit. A cyberattack on Planned Parenthood Los Angeles in October 2021 nabbed the protected health information of over 400,000 patients, who were notified in November of the October attack. The affected files included names, addresses, birthdates, diagnoses, treatments, and prescription information.
In mid-December, one of those patients filed a lawsuit with the U.S. District of Central California, alleging that Planned Parenthood failed to implement cybersecurity protocols to protect patients’ information, and violated both the Health Insurance Portability and Accountability Act (HIPAA) and the California Confidentiality of Medical Information Act.
Planned Parenthood handles particularly sensitive healthcare information, increasing potential privacy risks for affected individuals. That the branch is situated next to Hollywood only adds to that.
Bringing home the bacon from JBS
In May 2021, ransomware gang REvil hit JBS S.A. with a cyberattack. JBS is the world’s largest meat supplier, processing around one-quarter of the U.S.’s beef and about one-fifth of its pork.
All beef facilities in the USA were shut down. The United States Department of Agriculture (USDA) encouraged other suppliers to temporarily absorb the surplus of livestock. This incident highlights how cyberattacks against critical infrastructure can create real-world consequences that extend far beyond the targeted organization.
JBS paid $11 million ransom in Bitcoin to restore operations. Then, interestingly, approximately two months later, all REvil websites and infrastructure vanished from the internet.
Colonial Pipeline ransomware attack
Remember the pictures of snaking lines of cars outside gas stations across the Eastern Seaboard in May 2021? This was the result of the Russian DarkSide group attacking Colonial Pipeline, the largest refined oil products pipeline in the U.S. The company carries 45% of the East Coast’s supply of diesel, petrol, and jet fuel at 2.5 million barrels a day.
The hackers were able to get into Colonial Pipeline’s network using a compromised VPN password that lacked multi-factor authentication.
In response, Colonial Pipeline shut all pipeline operations down to contain the attack, causing fuel shortages and panic buying across the South and East Coast. The U.S. also declared a state of emergency. Colonial Pipeline paid a $4.4 million ransom, of which the Department of Justice (DOJ) was able to recover about 85% under mysterious circumstances.
Facebook data leak
In April 2021, the stolen data of 533 million Facebook users from 106 countries, including 32 million records in the U.S., was published for free online. The scraped data included phone numbers, Facebook IDs, names, locations, birthdates, bios, and email addresses. Tech giants are supposed to collect your data, not lose it.
The data was scraped from a breach in August 2019, which was patched by Facebook. Facebook also chose not to notify its users of the leaked data. This leak highlights the long-term risks associated with collecting and retaining vast amounts of personal data, particularly when exposed information can remain accessible for years.
Attack on Acer
The REvil ransomware gang also hit Taiwanese electronics manufacturer Acer in March 2021 with a ransomware attack, and demanded the largest ransom at the time, $50 million.
The attackers reportedly exploited unpatched Microsoft Exchange vulnerabilities to infiltrate the network, exfiltrate sensitive files, and encrypt critical systems. The attackers deployed the double extortion tactic of releasing data in public to increase pressure, which in this case included spreadsheets, bank balances, and other sensitive communications.
Acer responded by stating it was in the process of an internal investigation to learn the full extent of what happened.
This tactic has become standard for many ransomware attacks and is based on the attackers’ realization that large companies can often now recover from ransomware attacks without paying, hence the need for other forms of persuasion. Attackers are essentially extortionists, making the demand based on what the value of the hostage data is.
Microsoft Exchange zero-days
Zero-days, which are flaws not known to defenders for which there is often no available patch, are being exploited at lightning speed. One example was a series of global data breaches in January 2021 that targeted on-premises Microsoft Exchange Servers, using four separate ProxyLogon zero-days to steal emails and gain long-term access to the environment.
The attacks were allegedly carried out by the Chinese Hafnium Group. Microsoft issued security updates in March 2021 to mitigate them, only after the fact, but had been alerted to the hack back in January 2021, indicating a clear lack of urgency. This campaign highlights the speed at which threat actors exploit newly discovered vulnerabilities and the widespread consequences that can result from delayed patching.
At least 30,000 businesses and government agencies were hit by breaches, serious enough that the U.S. Cybersecurity & Infrastructure Security Agency (CISA) recommended either updating the system or disconnecting affected servers from the network. A Rapid7 estimate in October 2021 was that as many as 32% of vulnerable servers still were not patched.
Take Action for Your Business
As these examples show, no amount of infrastructure or investment guarantees protection from a cyberattack, but with cybercrime on the increase, addressing common weaknesses and causes of data breaches is a smart place to start.
Our cybersecurity tips list offers simple, practical steps you may take to protect your business.
Alternatively, if you can invest in third-party assessment and verification of your security measures, it can help build trust with stakeholders and provide independent validation of your security practices.
