Blog February 10, 2026

Recent Data Breach Examples

Every organization faces cyber threats, but studying real data breach examples reveals patterns that can help you strengthen your defenses. From stolen credentials and exposed data to ransomware attacks that cripple operations, these security incidents offer valuable lessons for security leaders.

Our 2025 Global Third-Party Breach Report found that 35.5% of breaches originated from third-party events, a 6.5% increase from 2023. The average global cost of a data breach now stands at $4.5 million, according to IBM. Understanding how the biggest data breaches happened can help your organization avoid becoming the next headline and protect your sensitive data from threat actors.

The MOVEit breach and its cascading impact

The 2023 MOVEit vulnerability stands as one of the most significant supply chain attack events in recent memory. The ransomware group Cl0p exploited a zero-day vulnerability in Progress Software’s file transfer tool, allowing attackers to gain unauthorized access to systems worldwide.

A single vulnerability led to a third-party data breach that affected thousands of organizations. In the energy sector alone, our STRIKE Team documented that 7 of 18 third-party breaches stemmed from MOVEit, including fourth-party incidents where companies were compromised through their vendors’ vendors.

The full scope of data exposure

The financial impact exceeded billions of dollars globally. Sensitive personal information from healthcare organizations, financial institutions, and government agencies appeared on the dark web within weeks. Personal details, including names, Social Security numbers, and financial data, surfaced in underground marketplaces where hackers trade breached data.

This breach highlights the importance of monitoring your extended vendor ecosystem, which is just as crucial as securing your own perimeter. Organizations that discover data exposure early can notify affected individuals and implement credit monitoring before criminals can exploit the stolen personal and financial information.

Healthcare data breaches and the value of patient data

Healthcare organizations face unique targeting because patient data and health information command premium prices among hackers. Our data breach report revealed that healthcare was responsible for 242 total breaches, accounting for 24.2% of all security incidents analyzed.

Lower downtime tolerance makes these organizations particularly vulnerable to ransomware attacks. Healthcare records contain rich personal data, including Social Security numbers, dates of birth, financial information, and insurance details, which can enable identity theft. 

The Office for Civil Rights, which enforces HIPAA regulations, requires healthcare organizations to report breaches affecting 500 or more individuals. This makes healthcare breach statistics more visible than other industries, where reporting requirements are less stringent.

Why attackers target health records

Medical records are worth significantly more than credit card details because they contain all the necessary information for identity theft. Attackers steal data, including names, addresses, Social Security numbers, and insurance policy numbers from a single health record.

Notable patterns in healthcare data breach examples include:

  • Pharmaceutical distribution and clinical trial support breaches accounting for 28 incidents
  • Healthcare administrative services experiencing 17 breaches
  • Healthcare software and telehealth services suffering 8 compromises
  • Medical billing and revenue cycle management seeing 6 data leaks

These numbers reveal that protecting patient data requires attention to every vendor handling sensitive information. A single weak link in data security can expose millions of records.

The Change Healthcare attack and systemic risk

In February 2024, a cyberattack on Change Healthcare demonstrated how a single third-party data breach can disrupt an entire industry. The compromise forced over 100 systems offline and disrupted patient services nationwide.

This security breach highlights concentration risk. A small handful of Cloud Service Providers and critical infrastructure vendors now underpin the majority of global digital operations. When attackers compromise one of these central nodes, cascading effects disable operations across thousands of downstream customers.

Recent data breaches targeting Microsoft 365

Among the most concerning recent data breaches is a massive botnet campaign targeting Microsoft 365 accounts that our STRIKE Team uncovered. Over 130,000 compromised devices conducted large-scale password spraying attacks, exploiting non-interactive sign-ins with Basic Authentication.

How the attack works

The attackers use stolen credentials from infostealer logs to systematically target email accounts at scale. By exploiting non-interactive sign-ins, they bypass modern login protections and evade MFA enforcement, creating a critical blind spot for security teams.

This campaign presents multiple risks to data security:

  • Account takeovers giving threat actors unauthorized access to email account contents
  • Business disruption through account lockouts affecting operations
  • Lateral movement as attackers pivot within networks using compromised accounts
  • Access to sensitive information stored in email and collaboration tools

Organizations relying solely on interactive sign-in monitoring remain blind to these attacks because the activity appears in Non-Interactive Sign-In logs that security teams often overlook.
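The blind spot described above is one a security team can close by reading the non-interactive sign-in records it already collects. The following is an added example (not code from the STRIKE Team or from the original post) that runs over a small set of constructed sign-in records and flags two things at once: a source IP that fails against many distinct accounts inside a short window (the password-spray signature) and any successful non-interactive sign-in over Basic Authentication, where MFA cannot apply. The field names (`time`, `user`, `ip`, `result`, `interactive`, `client`) are assumptions modelled loosely on a sign-in log export, not a real export schema.

```python
"""Added example: spot password spraying in non-interactive sign-in logs.

The records and field names below are constructed for illustration; map them
onto your own sign-in export before use.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.7 walks through five accounts over Basic auth
# and finally lands on one; 192.0.2.5 hammers a single account (brute force,
# not a spray); 198.51.100.23 is an ordinary interactive sign-in.
SAMPLE_EVENTS = [
    {"time": "2025-02-10T02:00:05Z", "user": "alice@example.com", "ip": "203.0.113.7",
     "result": "failure", "interactive": False, "client": "Basic"},
    {"time": "2025-02-10T02:00:40Z", "user": "bob@example.com", "ip": "203.0.113.7",
     "result": "failure", "interactive": False, "client": "Basic"},
    {"time": "2025-02-10T02:01:15Z", "user": "carol@example.com", "ip": "203.0.113.7",
     "result": "failure", "interactive": False, "client": "Basic"},
    {"time": "2025-02-10T02:01:50Z", "user": "dave@example.com", "ip": "203.0.113.7",
     "result": "failure", "interactive": False, "client": "Basic"},
    {"time": "2025-02-10T02:02:25Z", "user": "erin@example.com", "ip": "203.0.113.7",
     "result": "failure", "interactive": False, "client": "Basic"},
    {"time": "2025-02-10T02:03:00Z", "user": "erin@example.com", "ip": "203.0.113.7",
     "result": "success", "interactive": False, "client": "Basic"},
    {"time": "2025-02-10T02:01:00Z", "user": "alice@example.com", "ip": "192.0.2.5",
     "result": "failure", "interactive": False, "client": "Basic"},
    {"time": "2025-02-10T02:01:30Z", "user": "alice@example.com", "ip": "192.0.2.5",
     "result": "failure", "interactive": False, "client": "Basic"},
    {"time": "2025-02-10T02:02:00Z", "user": "frank@example.com", "ip": "198.51.100.23",
     "result": "success", "interactive": True, "client": "Modern"},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events, window=timedelta(minutes=15), min_users=4):
    """Return {ip: sorted list of targeted users} for every source IP whose
    failed non-interactive sign-ins hit at least `min_users` distinct accounts
    inside a sliding `window`. Interactive sign-ins and successes are ignored
    here; a spray is characterised by breadth across accounts, not by volume
    against one account."""
    recent = defaultdict(deque)   # ip -> (time, user) failures still inside the window
    flagged = defaultdict(set)    # ip -> union of users seen in any flagged window
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["interactive"] or ev["result"] != "failure":
            continue
        now = _ts(ev["time"])
        q = recent[ev["ip"]]
        q.append((now, ev["user"]))
        while q and now - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            flagged[ev["ip"]].update(users)
    return {ip: sorted(users) for ip, users in flagged.items()}


def legacy_noninteractive_successes(events, legacy_clients=frozenset({"Basic"})):
    """List (ip, user) for successful non-interactive sign-ins over a legacy
    client such as Basic Authentication, which cannot be challenged for MFA."""
    return [(ev["ip"], ev["user"]) for ev in events
            if not ev["interactive"]
            and ev["result"] == "success"
            and ev["client"] in legacy_clients]


if __name__ == "__main__":
    for ip, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {ip}: {len(users)} accounts -> {', '.join(users)}")
    for ip, user in legacy_noninteractive_successes(SAMPLE_EVENTS):
        print(f"legacy-auth success without MFA: {user} from {ip}")
```

The single-account brute force from 192.0.2.5 is deliberately not reported by `detect_spray`; it is a different signal with a different response (lock and investigate one account) and would be covered by a per-user failure threshold rather than the per-source breadth check shown here. Tune `window` and `min_users` to your tenant's baseline before alerting on the output.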

Operation 99 and social engineering attacks on developers

Our STRIKE Team uncovered Operation 99, an ongoing cyberattack targeting software developers orchestrated by the Lazarus Group, a North Korean state-sponsored hacking unit.

The fake job offer trap

Attackers pose as recruiters on LinkedIn, enticing victims with project tests or code reviews. When a developer clones the malicious repository, the code connects to a command-and-control server and initiates data-stealing implants.

The malware specifically targets:

  • Source code and intellectual property
  • Secrets and configuration files from development environments
  • Cryptocurrency wallet keys and credentials
  • Browser-stored passwords and personal details

This social engineering approach exploits the trust developers place in professional networking platforms. One security incident we investigated began when a developer received what appeared to be a legitimate job offer. The coding test looked innocent, but hidden in the code was malware designed to steal data from corporate systems.

Why developers are high-value targets

By compromising developer accounts, attackers gain access to the software supply chain. A single compromised developer can introduce malicious code that affects thousands of downstream users, making developer-focused phishing attacks one of the most dangerous causes of data breaches in technology.

Retail and hospitality breaches show third-party exposure

Retail and hospitality companies face the highest relative rates of third-party breaches of any industry. Our data shows that 52.4% of all breaches in this sector originated from third parties, compared to a cross-industry average of 35.5%.

Payment card data breaches represent a significant attack vector, with 29 incidents linked to vulnerabilities in payment processing. When attackers compromise a payment processor, they simultaneously harvest credit card details and customer information from multiple clients.

Common retail breach vectors

The retail sector faces diverse threats across its technology stack:

  • Point-of-sale system compromises exposing card details
  • E-commerce platform vulnerabilities allowing data theft
  • Loyalty program database breaches revealing customer information
  • Supply chain software attacks disrupting operations

The 2024 Blue Yonder attack illustrates this pattern. A ransomware attack on this supply chain software vendor disrupted operations for Starbucks and several supermarket chains, forcing them to manually process payroll and manage logistics. This incident demonstrated how a single compromise at a shared vendor can create immediate operational crises for dozens of global businesses.

Energy sector vulnerabilities and employee information at risk

The energy sector shows a disproportionately high rate of third-party breaches. Our research found that 45% of all energy sector breaches involved third-party risk, significantly higher than the global average.

Many compromises of energy companies are data breaches with no impact on operations. Such breaches typically expose employee information and customer data that can be used for identity theft or phishing attacks.

HR, payroll, and benefits documentation often reveal dates of birth, Social Security numbers, and banking details. One late 2023 incident at a state utility exposed data stolen from 500,000 customers and contractors. A threat actor offered this information for sale on an underground criminal forum, demonstrating how quickly exposed data ends up for sale on the dark web.

Third-party relationships that enabled energy sector breaches included:

  • MOVEit installations at energy companies and their vendors
  • Pension benefits administrators handling employee information
  • Payroll services providers with access to sensitive information
  • Managed service providers with broad network access

Cloud platform attacks and credential theft

The UNC5537 campaign against Snowflake cloud services in 2024 utilized stolen credentials from infostealer malware to access customer accounts that lacked multi-factor authentication. This campaign made cloud platforms the second most common third-party attack vector in 2024.

Attackers increasingly rely on previously stolen credentials to fuel new campaigns. Credentials harvested from earlier breaches provide ready access to accounts where users reused passwords. This makes robust security practices around password management a requirement.

Key patterns from cloud-related security incidents include:

  • Attackers targeting accounts without multi-factor authentication
  • Stolen credentials from earlier breaches enabling new compromises
  • Insider threat risks from employees with excessive privileges

These data breach examples show why security protocols must extend beyond your own systems.

Common causes of data breaches across industries

Analyzing hundreds of security incidents reveals consistent patterns.

Stolen or weak credentials are the primary cause of most breaches. Whether obtained through phishing attacks or purchased from criminal markets, compromised credentials let attackers walk through the front door.

Organizations cannot achieve robust security by focusing only on their own defenses. When a vendor suffers a breach, attackers often use that relationship to gain access to your systems. Strong security policies must extend to every third party with access to your data.

Software vulnerabilities in widely deployed applications create opportunities for simultaneous attacks. The MOVEit and Cleo campaigns demonstrate how a single zero-day vulnerability can trigger cascading breaches.

Lessons from the biggest data breaches

Studying these security incidents reveals patterns that should inform your security measures.

First, attackers target shared infrastructure. Compromising one vendor provides access to dozens of downstream victims.

Second, credential theft and phishing attacks remain foundational. Even sophisticated malicious campaigns begin with stolen passwords or tricked employees.

Third, third-party risk keeps growing. The 6.5% increase in third-party breaches indicates that this trend is accelerating.

Fourth, detection speed matters. When attackers gain unauthorized access, the time between initial compromise and detection determines whether a security breach becomes a disaster or a contained incident.

How we help organizations protect against these threats

Our MAX managed service operationalizes third-party risk management with 24/7 monitoring through our Vendor Risk Operations Center. When signs of escalating risk appear, our team engages directly with affected vendors to drive remediation.

Ready to view your supply chain risk in real time? Request a demo of MAX to learn how our managed services can help protect your organization from becoming the next data breach example others study.