Major US Data Breaches: Reference Timeline
The landscape of major US data breaches spans financial services, healthcare, retail, government, and technology sectors, with individual incidents exposing hundreds of millions of consumer records and triggering landmark regulatory enforcement actions. This reference timeline covers the scope, classification, and structural mechanics of documented large-scale US data breaches, the regulatory bodies that responded to them, and the frameworks used to categorize breach severity and organizational liability. For professionals navigating identity protection services, the Identity Protection Providers provider network provides sector-organized resources tied directly to breach response and recovery.
Definition and scope
A data breach, as defined by the Federal Trade Commission under 16 C.F.R. Part 603, is an unauthorized acquisition of unencrypted consumer information that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity. The Health Insurance Portability and Accountability Act (HIPAA), administered by the Department of Health and Human Services Office for Civil Rights (45 C.F.R. Part 164), establishes a parallel definition specific to protected health information (PHI), distinguishing breaches from "impermissible uses" and "limited data set" disclosures.
All 50 states have enacted data breach notification laws, creating a fragmented but overlapping compliance architecture above the federal baseline. The National Conference of State Legislatures (NCSL) tracks this state-level body of law as a living inventory. At the federal level, the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) imposes breach safeguard obligations on financial institutions, while the FTC Act's Section 5 unfair or deceptive acts standard has been applied to breach-related failures in data security practices.
Breach scope is measured along four primary axes: record volume (number of distinct individual records exposed), data sensitivity (financial credentials, Social Security numbers, PHI, or authentication tokens), dwell time (the interval between intrusion and detection), and organizational response latency (the interval between detection and public notification).
How it works
Large-scale US data breaches follow recognizable structural patterns documented in the Verizon Data Breach Investigations Report (DBIR), published annually since 2008. The DBIR classifies breach pathways into hacking, malware, social engineering, misuse by insiders, physical access, and error — with hacking and social engineering accounting for the dominant share of confirmed breaches across the report's history.
A breach typically progresses through five phases:
- Initial access — Achieved through credential theft, phishing, exploitation of unpatched vulnerabilities, or supply chain compromise. The 2020 SolarWinds incident, investigated by the Cybersecurity and Infrastructure Security Agency (CISA) under Emergency Directive 21-01, demonstrated supply chain access as a vector affecting approximately 18,000 organizations.
- Persistence and lateral movement — Attackers establish footholds within network segments, escalate privileges, and traverse toward high-value data stores.
- Exfiltration — Target data is extracted to external infrastructure. In the 2013 Target breach, approximately 40 million payment card records were exfiltrated through a third-party HVAC vendor's compromised credentials, as documented in subsequent Senate Commerce Committee hearings.
- Detection — External notification by law enforcement, a third-party researcher, or an affected customer triggers internal investigation. NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide, defines detection and analysis as a discrete incident response phase with prescribed documentation requirements.
- Notification and remediation — Covered entities notify affected individuals and regulators within statutory timeframes that vary by sector and state law. HIPAA mandates notification within 60 days of breach discovery for covered entities (45 C.F.R. § 164.412).
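The four scope axes listed under "Definition and scope" (record volume, data sensitivity, dwell time, response latency) and the 60-day notification window cited in the last phase can all be derived mechanically from an incident's timeline. The following is an added example, not code from the original page: it computes those metrics from constructed incident records and flags whether the HIPAA window was met. The sensitivity ordering, the `as_of` reference date for still-open incidents, and the sample records themselves are assumptions made for illustration.

```python
"""Breach scope metrics: record volume, data sensitivity, dwell time,
response latency, plus a HIPAA 60-day notification check.
Added example; incident records below are constructed, not real cases."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

HIPAA_NOTIFICATION_DAYS = 60  # statutory window cited in the text

# Data classes named on the page. The ordering is an assumption used only
# to pick the most sensitive class present in an incident.
SENSITIVITY_RANK = {"financial": 1, "ssn": 2, "phi": 3, "auth_token": 4}


@dataclass(frozen=True)
class Incident:
    name: str
    records: int                  # record volume axis
    data_types: tuple             # data sensitivity axis
    intrusion: date               # earliest confirmed unauthorized access
    detection: date               # date the organization learned of it
    notification: Optional[date]  # public/regulator notice, None if not yet sent
    as_of: date = date(2024, 1, 1)  # reference date for open incidents (assumed)


@dataclass(frozen=True)
class ScopeMetrics:
    name: str
    records: int
    max_sensitivity: str
    dwell_days: int               # intrusion -> detection
    response_latency_days: int    # detection -> notification (or as_of)
    deadline_status: str          # on_time | late | pending | overdue


def deadline_status(latency_days: int, notified: bool) -> str:
    """Classify an incident against the 60-day window counted from discovery."""
    if notified:
        return "on_time" if latency_days <= HIPAA_NOTIFICATION_DAYS else "late"
    # Not yet notified: still inside the window, or already past it.
    return "pending" if latency_days <= HIPAA_NOTIFICATION_DAYS else "overdue"


def scope_metrics(inc: Incident) -> ScopeMetrics:
    """Compute the four scope axes for one incident, validating the timeline."""
    if inc.detection < inc.intrusion:
        raise ValueError(f"{inc.name}: detection precedes intrusion")
    unknown = set(inc.data_types) - set(SENSITIVITY_RANK)
    if unknown or not inc.data_types:
        raise ValueError(f"{inc.name}: unknown or empty data types {sorted(unknown)}")
    end = inc.notification if inc.notification is not None else inc.as_of
    if end < inc.detection:
        raise ValueError(f"{inc.name}: notification precedes detection")
    dwell = (inc.detection - inc.intrusion).days
    latency = (end - inc.detection).days
    top = max(inc.data_types, key=SENSITIVITY_RANK.__getitem__)
    return ScopeMetrics(inc.name, inc.records, top, dwell, latency,
                        deadline_status(latency, inc.notification is not None))


def rank_by_volume(incidents) -> list:
    """Metrics for all incidents, largest record volume first."""
    return sorted((scope_metrics(i) for i in incidents),
                  key=lambda m: m.records, reverse=True)


# Constructed sample incidents (not real breaches).
SAMPLE_INCIDENTS = [
    Incident("hospital-phi", 120_000, ("phi", "ssn"),
             date(2023, 1, 10), date(2023, 3, 1), date(2023, 4, 15)),
    Incident("retailer-pos", 5_000_000, ("financial",),
             date(2023, 6, 1), date(2023, 6, 20), date(2023, 9, 30)),
    Incident("open-case", 300, ("auth_token",),
             date(2023, 12, 1), date(2023, 12, 15), None),
]

if __name__ == "__main__":
    for m in rank_by_volume(SAMPLE_INCIDENTS):
        print(f"{m.name:14} records={m.records:>9,} sens={m.max_sensitivity:10} "
              f"dwell={m.dwell_days:>4}d latency={m.response_latency_days:>4}d "
              f"deadline={m.deadline_status}")
```

The separate "pending" and "overdue" states matter in practice: an incident with no notice on file is not automatically non-compliant, only one whose detection date is already more than 60 days behind the reference date.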
Common scenarios
The documented history of major US breaches clusters into five structural scenarios, distinguished by the sector targeted, the attack vector, and the regulatory framework triggered:
Healthcare sector breaches — The 2015 Anthem Inc. breach exposed approximately 78.8 million records containing Social Security numbers, employment data, and health plan information. The HHS Office for Civil Rights resolved the Anthem investigation in 2018 with a $16 million settlement (HHS press release, October 2018), the largest HIPAA settlement recorded at that time.
Financial services breaches — The 2017 Equifax breach exposed sensitive personal data of approximately 147 million US consumers, including Social Security numbers, birth dates, and driver's license numbers. The FTC, CFPB, and all 50 state attorneys general jointly resolved enforcement actions in 2019, with Equifax agreeing to a settlement of up to $700 million (FTC, July 2019).
Retail point-of-sale breaches — The 2013 Target breach and the 2014 Home Depot breach, which exposed approximately 56 million payment card records, illustrated the vulnerability of physical retail payment infrastructure to RAM-scraping malware.
Government and federal system breaches — The 2015 Office of Personnel Management (OPM) breach, attributed to state-sponsored actors, compromised background investigation records for approximately 21.5 million individuals, including federal employees and security clearance holders (OPM, 2015).
Technology platform breaches — The 2018 Yahoo settlement with the SEC resolved disclosures related to breaches affecting approximately 3 billion user accounts, occurring between 2013 and 2016 and disclosed years after discovery.
Decision boundaries
Practitioners and researchers must distinguish between a data breach and related but legally distinct events. A security incident is any event that potentially jeopardizes the confidentiality, integrity, or availability of information — a broader category that encompasses breaches as a subset (NIST SP 800-61). An exposure or misconfiguration (such as an unsecured Amazon S3 bucket containing consumer records) may constitute a breach under state law even without evidence of unauthorized access, depending on the jurisdiction's statutory definition.
The contrast between confirmed exfiltration and unauthorized access without evidence of exfiltration is legally significant: HIPAA's breach definition includes a rebuttable presumption that an impermissible access constitutes a breach unless the covered entity demonstrates a low probability that PHI was compromised, assessed across four defined factors (45 C.F.R. § 164.402).
For identity protection professionals structuring consumer-facing services around breach response, this page establishes the regulatory anchors and service classification standards applied within this reference network. The How to Use This Identity Protection Resource page describes how breach-related service categories are organized within the network framework.
Breach classification also determines the applicable penalty tier. Under HIPAA, the HHS civil monetary penalty structure (45 C.F.R. § 160.404) scales penalties across four tiers based on culpability, ranging from a minimum of $100 per violation for unknowing violations to a maximum of $50,000 per violation for uncorrected willful neglect, with an annual cap of $1.9 million per violation category as adjusted by the Federal Civil Penalties Inflation Adjustment Act.