Major US Data Breaches: Reference Timeline
The record of major US data breaches documents systemic failures across healthcare, financial services, retail, government, and technology sectors — failures that have exposed the personal information of hundreds of millions of Americans over the past two decades. This reference timeline organizes the most significant confirmed incidents by sector and scale, describes the exposure mechanisms that made each category of breach possible, and establishes the regulatory context under which affected organizations faced accountability. For individuals assessing their own exposure risk, this record connects directly to actionable steps covered in Data Breach Response for Individuals and Personal Information at Risk.
Definition and scope
A data breach, as defined in the HIPAA Breach Notification Rule at 45 C.F.R. § 164.402 and enforced by the Department of Health and Human Services (HHS) Office for Civil Rights, is "the acquisition, access, use, or disclosure of protected health information in a manner not permitted" by the HIPAA Privacy Rule that compromises the security or privacy of that information. That definition applies only to HIPAA covered entities and their business associates. The FTC's broader enforcement posture under Section 5 of the FTC Act (15 U.S.C. § 45) treats unreasonable protection of consumer data, and misrepresentation of security practices, as unfair or deceptive practices regardless of sector.
For purposes of this reference, a "major" US breach is one meeting at least one of the following thresholds:
- Exposure of 1 million or more individual records
- Confirmed exfiltration of Social Security numbers, financial account credentials, or biometric identifiers
- A breach requiring federal regulatory notification or congressional testimony
- A breach resulting in documented identity fraud at population scale
The Identity Theft Resource Center (ITRC), a nonprofit that publishes an annual Data Breach Report, tracked 3,205 publicly disclosed data compromises in 2023 (ITRC 2023 Annual Data Breach Report), the highest single-year total in the organization's reporting history.
This scope excludes ransomware incidents where data was encrypted but exfiltration was not confirmed, and excludes breaches confined to foreign nationals with no US consumer impact. Synthetic identity fraud and account takeover fraud — both downstream consequences of credential breaches — are documented separately within this reference network.
How it works
Major breaches follow a documented attack lifecycle. The MITRE ATT&CK framework (maintained by MITRE Corporation at attack.mitre.org) classifies adversary behavior into 14 tactic categories in its Enterprise matrix, each covering many specific techniques. In large-scale consumer data breaches, five phases are consistently present:
- Initial access — achieved through phishing, credential stuffing against exposed authentication endpoints, exploitation of unpatched software vulnerabilities (CVEs), or compromise of a third-party vendor with privileged network access.
- Persistence and lateral movement — attackers establish footholds using stolen credentials or backdoors, then traverse internal networks toward high-value data stores such as customer databases, HR systems, or payment processing environments.
- Discovery and collection — automated tools enumerate database schemas and extract records in bulk. Structured Query Language (SQL) injection remains a primary collection mechanism against web-facing databases: a single injected query can return an entire table where the application intended to return one row.
- Exfiltration — data is transferred to attacker-controlled infrastructure, often staged through cloud storage services or encrypted channels to evade detection.
- Impact and monetization — exfiltrated data is sold on dark web marketplaces, used directly for financial identity theft, or leveraged in targeted fraud campaigns. Dark web monitoring services detect when credential sets from known breaches appear in these marketplaces.
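The discovery and collection phase above, shown as an added example that is not part of the original page. The code builds an in-memory SQLite customer table from fabricated rows, then runs the same lookup two ways: one that concatenates user input into the SQL string, and one that binds it as a parameter. The payload strings, table layout, and function names are constructed for this illustration only.

```python
import sqlite3

# Constructed sample data: a tiny "customer database" of the kind a web-facing
# application fronts. Names and SSNs are fabricated placeholders, not real values.
SAMPLE_CUSTOMERS = [
    ("alice", "Alice Example", "000-00-0001"),
    ("bob", "Bob Example", "000-00-0002"),
    ("carol", "Carol Example", "000-00-0003"),
]

# Constructed payloads. The first turns a one-row lookup into a whole-table dump;
# the second enumerates the schema from SQLite's catalog table (the "discovery"
# step) using a UNION and a trailing comment to swallow the closing quote.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
SCHEMA_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master --"


def build_db():
    """Creates the in-memory table and loads the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, full_name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string formatting: the injectable pattern. Anything the
    caller supplies becomes part of the SQL text."""
    query = f"SELECT full_name, ssn FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Binds the value as a parameter; the driver never interprets it as SQL, so the
    same payloads match no row instead of every row."""
    query = "SELECT full_name, ssn FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print("intended lookup      :", lookup_vulnerable(conn, "alice"))
    print("vulnerable, tautology:", lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD))
    print("vulnerable, schema   :", lookup_vulnerable(conn, SCHEMA_PAYLOAD))
    print("parameterized, same  :", lookup_parameterized(conn, TAUTOLOGY_PAYLOAD))
```

The injected lookup returns all three records (and, with the second payload, the CREATE TABLE statement that tells the attacker which columns to target next), while the parameterized version returns nothing for either payload. Bulk extraction of this kind is also the signal to alert on: a query path that normally returns one row suddenly returning the whole table.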
The time-to-detection gap is a structural vulnerability. IBM's Cost of a Data Breach Report 2023 found the average time to identify and contain a breach was 277 days (204 days to identify, then 73 to contain) (IBM Cost of a Data Breach Report 2023), allowing months of unauthorized access before containment.
Common scenarios
The following breach categories represent the dominant exposure patterns in the US public record:
Healthcare sector breaches operate under HIPAA's Breach Notification Rule (45 C.F.R. §§ 164.400–414), which requires notification to affected individuals, and to HHS for breaches affecting 500 or more individuals, without unreasonable delay and no later than 60 days after discovery. The 2015 Anthem Inc. breach exposed approximately 78.8 million records, including names, Social Security numbers, birth dates, and employment information, and resulted in a $115 million class-action settlement (U.S. District Court, N.D. Cal., 2018). The 2024 Change Healthcare breach (Change Healthcare is a UnitedHealth Group subsidiary operating within Optum) was a ransomware attack with confirmed data exfiltration, which is why it falls within this reference's scope; it disrupted pharmacy and claims processing nationwide and is estimated by the American Hospital Association to have affected a substantial share of the US population, though final record counts remained under federal investigation as of the reporting period.
Financial sector breaches operate under the Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. §§ 6801–6809). For non-bank financial institutions under FTC jurisdiction, including consumer reporting agencies such as Equifax, the applicable security standard is the FTC's Safeguards Rule (16 C.F.R. Part 314); banks answer to their prudential regulators' GLBA security guidelines instead. The 2017 Equifax breach exposed credit file data on approximately 147.9 million Americans, including Social Security numbers, birth dates, and driver's license numbers, and resulted in a settlement with the FTC, the CFPB, and 50 states of at least $575 million, rising to as much as $700 million depending on consumer claims (FTC v. Equifax, 2019). The 2019 Capital One breach exposed records on approximately 100 million US and 6 million Canadian consumers; the attacker abused a misconfigured web application firewall on Capital One's cloud infrastructure to obtain credentials for a cloud role and then read customer data from storage.
Retail and payment breaches center on point-of-sale (POS) malware and payment card skimming. The 2013 Target breach compromised 40 million payment card records, plus personal information on roughly 70 million additional customers, through network access gained with credentials stolen from a third-party HVAC vendor. The 2014 Home Depot breach exposed 56 million payment cards using POS malware deployed on self-checkout terminals.
Government and federal breaches fall under the Federal Information Security Modernization Act (FISMA, 44 U.S.C. § 3551 et seq.). The 2015 Office of Personnel Management (OPM) breach exposed background investigation records on 21.5 million federal employees and contractors, including fingerprint data on 5.6 million individuals (OPM Congressional Testimony, 2015).
Third-party and supply chain breaches are the fastest-growing category per the ITRC 2023 report. A single compromised vendor can cascade exposure across dozens of downstream organizations simultaneously.
Decision boundaries
Determining how a historical breach affects current individual risk requires distinguishing between breach categories:
Credential breaches vs. record breaches — Credential breaches (username/password pairs) carry immediate account takeover risk, mitigated by changing the password on the breached service and on every other service where it was reused (credential stuffing targets exactly that reuse) and by enabling multi-factor authentication. Record breaches involving static identifiers, such as Social Security numbers, birth dates, and biometric data, carry permanent exposure risk because the underlying identifier cannot be changed. Social Security number protection strategies address this asymmetry directly.
Encrypted vs. plaintext data exposure — Breaches disclosing credentials stored with a per-user salt and a deliberately slow hash (bcrypt, Argon2) present lower immediate risk than breaches exposing plaintext passwords or weakly hashed credentials (unsalted MD5 or SHA-1, or any fast hash that permits bulk guessing), because the attacker must spend computation per guess per account rather than looking each digest up in a precomputed table. Lower is not zero: a common or reused password still falls to targeted guessing. Equifax stored sensitive data without field-level encryption in several database categories, per the 2018 Senate Commerce Committee investigation report.
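The encrypted-versus-plaintext distinction above, as an added example that is not part of the original page. The password list, the precomputed MD5 table, and the function names are constructed for this illustration; the salted scheme uses PBKDF2-HMAC-SHA256 from the Python standard library in place of the bcrypt and Argon2 named in the text, purely so that the example runs without third-party packages.

```python
import hashlib
import hmac
import os

# Constructed for this example: a handful of common passwords and the precomputed
# table of their unsalted MD5 digests. A real attacker's table has billions of
# entries, is built once, and is reused against every dump hashed the same way.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "welcome1"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Iteration count for PBKDF2-HMAC-SHA256; this is the figure in OWASP's published
# password storage guidance for that KDF at the time of writing.
PBKDF2_ITERATIONS = 600_000


def store_unsalted_md5(password):
    """The weak scheme: the same password always yields the same digest, in every
    database that uses it, so one precomputed table cracks them all."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(digest):
    """Recovers the password by table lookup alone, with no per-account work.
    Returns None when the digest is not in the table."""
    return MD5_TABLE.get(digest)


def store_salted(password, salt=None):
    """The stronger scheme: a random 16-byte per-user salt plus a slow KDF.
    Stored as hex(salt)$hex(digest) so verification can recover the salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    """Recomputes the KDF with the stored salt and compares in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_same_digest(password):
    """True for unsalted MD5: identical passwords are identical in every dump."""
    return store_unsalted_md5(password) == store_unsalted_md5(password)


def same_password_different_record(password):
    """True for the salted scheme: two users with the same password get different
    stored values, so no table keyed on the password alone matches either."""
    return store_salted(password) != store_salted(password)


if __name__ == "__main__":
    weak = store_unsalted_md5("letmein")
    print("unsalted MD5, recovered by lookup:", crack_unsalted_md5(weak))
    strong = store_salted("letmein")
    print("salted record, table lookup gives:", crack_unsalted_md5(strong))
    print("verify correct password:", verify_salted("letmein", strong))
    print("verify wrong password  :", verify_salted("letmeout", strong))
```

The salted, slow scheme defeats the precomputed table and forces the attacker to run the KDF once per guess per account. It does not rescue "letmein" itself: an attacker willing to spend those 600,000 iterations on the top few thousand passwords for a targeted account will still recover it, which is the caveat behind rating such breaches as lower, not negligible, risk.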
Notified vs. unnotified exposure — Federal breach notification obligations vary by sector. HIPAA's 60-day clock runs from discovery; the SEC's rule for public companies (effective December 2023; Form 8-K Item 1.05, with related annual disclosure under 17 C.F.R. § 229.106) requires disclosure within four business days of the company determining that an incident is material, not of discovery; and state notification laws, with all 50 states maintaining distinct statutes, set their own clocks and thresholds. The result is inconsistent notification timelines, and many individuals learn of their exposure through third-party monitoring rather than direct notice.
Active fraud vs. dormant data — Stolen records do not always produce immediate fraud. Threat actors frequently hold high-quality identity data for extended periods before monetizing it, meaning breach victims may face fraud attempts years after an initial exposure. This dynamic makes ongoing monitoring — including free credit report access and placement of a credit freeze — relevant even for breaches that occurred years prior.
The identity theft reporting process and FTC IdentityTheft.gov guide document the formal remediation pathways available to individuals who discover active misuse of their information following a historical breach.
References
- Federal Trade Commission — Equifax Data Breach Settlement
- HHS Office for Civil Rights — HIPAA Breach Notification Rule
- Office of Personnel Management — Cybersecurity Incidents
- Identity Theft Resource Center — 2023 Annual Data Breach Report
- IBM Security — Cost of a Data Breach Report 2023
- MITRE ATT&CK Framework
- FTC Safeguards Rule — 16 C.F.R. Part 314
- NIST — Federal Information Security Modernization Act (FISMA) Resources
- [SEC