Global Data Breaches and Cyber Attacks in 2024

35,900,145,035 known records breached so far in 9,478 publicly disclosed incidents

Welcome to our 2024 data breaches and cyber attacks page, where you can find an overview of the year’s top security incidents, the most breached sectors of 2024, month-on-month trends, links to our monthly reports, and much more.

Use the links in the ‘On this page’ section below to navigate.

To get our latest research delivered straight to your inbox, subscribe to our free weekly newsletter, the Security Spotlight.

IT Governance is dedicated to helping organisations tackle the threat of cyber crime and other information security weaknesses. We offer a variety of resources to help understand and mitigate threats, from training courses and consultancy services to free guides.

Our 2023 overview is here. To download our monthly Data Breach Dashboards, click here.



Top data breach statistics for 2024

Top 10 biggest breaches of 2024 (so far)

Note 1: Where ‘around’, ‘about’, etc. is reported, we record the rounded number. Where ‘more than’, ‘at least’, etc. is reported, we record the rounded number plus one. Where ‘up to’, etc. is reported, we record the rounded number minus one.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.

Most breached sectors of 2024

Note: Technically speaking, the most breached sector by number of records known to be breached is ‘multiple’ at 26,126,684,692 (due to the MOAB – mother of all breaches and the thousands of compromised Ray servers). The most breached sector by number of incidents is also ‘multiple’ with 6,857 incidents (largely due to the MOAB and the thousands of compromised Ray servers).

However, to make these statistics as informative as possible, we exclude the ‘multiple’, ‘other’ and ‘unknown’ sectors. This has also been accounted for in the percentages under the number of publicly disclosed incidents.


Note 1: The following graphs reflect our most up-to-date data – in other words, they account for data corrections when more information about certain incidents comes to light after we publish our monthly reports. There will therefore be discrepancies with our monthly reports, particularly older ones.

Note 2: We’ve included data from November and December 2023 to help you put these figures into context. As we collect more 2024 data, we’ll remove the 2023 data from this page.

Known records breached

Publicly disclosed security incidents

Data breached

Note 1: These exclude publicly disclosed incidents where we don’t know for sure whether data was breached, or where a cyber attack only led to e.g. a service disruption but not a data breach.

Note 2: To avoid skewing the data, this graph excludes four outlier events: the Europol action of December 2023, affecting 443 organisations; the MOAB of January 2024, affecting 3,876 organisations; the thousands of compromised Ray servers of March 2024; and the 916 misconfigured Google Firebase websites of March 2024.

Remedial action

Note: To avoid skewing the data, this graph excludes the Europol action of December 2023, the MOAB of January 2024; the thousands of compromised Ray servers of March 2024; and the 916 misconfigured Google Firebase websites.

Incident notification

Note: To avoid skewing the data, this graph excludes the Europol action of December 2023; the MOAB of January 2024; the thousands of compromised Ray servers of March 2024; and the 916 misconfigured Google Firebase websites.

Ransomware

Note: To avoid skewing the data, this graph excludes the Europol action of December 2023; the MOAB of January 2024; the thousands of compromised Ray servers of March 2024; and the 916 misconfigured Google Firebase websites.

Supply chain attacks

Note: To avoid skewing the data, this graph excludes the Europol action of December 2023; the MOAB of January 2024; the thousands of compromised Ray servers of March 2024; and the 916 misconfigured Google Firebase websites.

The top 3 biggest breaches in April 2024


The top 3 biggest breaches in March 2024


The top 3 biggest breaches in February 2024


The top 3 biggest breaches in January 2024


Suffered an incident?

Get FREE expert insight from Cliff Martin, our head of incident response, into:

  • Defence in depth, with prevention, detection and response;
  • Cyber incident response plans;
  • The different stages of incident response;
  • Staff training;
  • Internal expertise vs outsourcing;
  • Incident responder skills; and
  • Much more.

Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our free weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Industry news, including a round-up of the week’s publicly disclosed data breaches and cyber attacks;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.

Research methodology

We identify incidents from a range of publicly available sources (listed in our weekly round-ups), including news articles, PR statements and feeds by security researchers. We record these incidents, along with quantifiable data points for each, in a spreadsheet. Note that we only record incidents where we have a reasonable degree of confidence that it’s genuine, e.g. because the report is coming from a reputable source, or because samples have been provided.

We do our best to present the data as accurately and objectively as possible, but inevitably deal with lots of blurry lines. There are also the inherent limitations of working with breaking news, where we often lack detail at initial disclosure.

Please also be aware that we log incidents manually in a spreadsheet, from which we analyse and quantify the numbers. While we do our utmost to avoid inputting errors, when we typically record hundreds of incidents a week, some mistakes may slip through.

Month and year recorded

We record incidents by the month and year that they came into the public domain; not when the incident took place, given that it usually takes time for the victim to become aware of the incident, and more time before publicly disclosing it.

Again, an inherent limitation of working with breaking news is that, often, more information about the incident comes to light later. We do backtrack our data in our spreadsheet in such scenarios, which our annual report will reflect, but this causes some discrepancies between our weekly and monthly reports, and our annual one.

Region and country

We record the region (continent) and country as where most affected individuals are located. If we don’t have this information, we record the region and country as where the organisation is based. Where the organisation has locations in multiple countries, we record the region and country of its headquarters.

Supply chain attacks

Incidents that originated from a third party, often an IT services or software provider. Note that relatively few supply chain attacks can have a relatively big impact on the overall figures, but that doesn’t make these attacks any less serious. Successfully exploiting a vulnerability in just one IT services or software provider could impact hundreds or even thousands of organisations.

Data breached

Where the confidentiality, integrity and/or availability of data records have been compromised. This can include an unsecured database, data exfiltration and even physical data breaches – for instance, lost or stolen paperwork. The hard copy data could also have been destroyed without authorisation.

Note that a ‘data record’ can include personal data as well as confidential business data.

In cases where only the number of affected data subjects is reported, but we know that multiple data types had been breached per person, we still record only the number of individuals affected, because we can only record the numbers publicly disclosed. Moreover, where there is any doubt, we always err on the side of caution by reporting the lower figure.

For data breaches claimed by threat actors on dark web forums, where they provide samples or other evidence of the breach, we accept these incidents as having genuinely occurred, but don’t accept the number of records the threat actor claims to have stolen at face value. This is because these numbers – particularly in terms of unique records – are often exaggerated. We therefore log these incidents as known to have had data breached, but with either an unknown number of records or logging only the number of samples provided (if specified), then update this when a reliable source has verified the numbers.

Remedial action

Reported remediation typically includes conducting a forensic analysis to establish exactly what happened (often by engaging a third-party specialist). It often also involves temporarily taking down systems to limit the impact of the security breach.

In the case of DoS (denial-of-service) attacks, where a website had been taken down by a threat actor and is live again at the time of writing, we assume that the attacked organisation has taken remedial action, even if that organisation hasn’t publicly acknowledged the attack or the remediation.

Notified regulator

This means that the incident involved a regulator or an equivalent authority, whether because the organisation itself became aware of the breach and reported it, or because a third party reported it, or because it was the regulator or authority that uncovered the data breach.

Notified individuals

‘Individuals’ here can mean both data subjects as well as individuals affected by a service disruption. Where the organisation made a clear statement of intent about notifying affected individuals as soon as it has completed its investigation, we count this as having notified individuals.