Incidents by attack type:
An unauthenticated API endpoint exposed personal data of 9.8 million current and former Optus customers β names, dates of birth, passport and driver's licence numbers β to a single anonymous attacker.
Former AWS engineer Paige Thompson exploited a misconfigured Web Application Firewall to extract personal data on roughly 106 million Capital One credit-card applicants and customers from S3.
An unpatched Apache Struts vulnerability let attackers exfiltrate Social Security numbers, dates of birth, addresses, and driver's license numbers for 147 million U.S., U.K., and Canadian consumers.
An SQL injection attack β committed primarily by four British teenagers β exposed personal data on roughly 157,000 TalkTalk customers including bank account details. Triggered a record Β£400,000 UK ICO fine.