
The biggest data breaches of 2024

From Change Healthcare to Snowflake customers and the National Public Data leak, 2024 broke records for both attack scale and the financial cost to victims.


2024 broke records on multiple dimensions: largest U.S. healthcare data breach (Change Healthcare), largest single dump of personal data (National Public Data), and most consequential cloud-customer compromise (Snowflake). Below is a ranked recap of the year's defining incidents.

1. Change Healthcare ransomware (February)

Change Healthcare, a UnitedHealth Group subsidiary, was hit by ALPHV/BlackCat ransomware via a Citrix portal without MFA. Personal and health information of an estimated 100 million Americans was stolen, and U.S. prescription claims processing was disrupted for weeks. UnitedHealth's reported cost: over $2.87 billion.

2. National Public Data dump (April–August)

A breach at the consumer data broker National Public Data (NPD) surfaced on criminal forums beginning April 2024, and a full 2.7-billion-record dump was posted in August. The records included Social Security numbers, names, addresses, and dates of birth — scraped from public records without subject consent. The parent company filed for bankruptcy by October.

3. Snowflake customer compromises (April–July)

Threat actors — most prominently a group identified as UNC5537 — used infostealer-harvested credentials to authenticate to Snowflake cloud-data-warehouse customer tenants that had not enabled MFA. At least 165 organizations were affected, including AT&T (records of nearly all wireless customers, ~110 million), Ticketmaster (560 million records), Santander, Advance Auto Parts, and Neiman Marcus.

4. AT&T call-records breach (July)

Listed separately here from the Snowflake cohort above, AT&T disclosed that call and text metadata of nearly all its wireless customers (≈110 million) over a six-month period had been stolen via the Snowflake compromise. Although message content was not exposed, the metadata enables large-scale social-graph analysis of who contacted whom, and when.

5. Ticketmaster (Live Nation) breach (May)

Among the Snowflake compromises, the one that hit Ticketmaster's parent Live Nation exposed approximately 560 million customer records, including names, addresses, phone numbers, partial credit card data, and event histories.

6. Synnovis NHS pathology attack (June, UK)

The Russian-speaking Qilin group hit Synnovis, a pathology services provider to NHS hospitals in London, with ransomware. Blood-test processing was disrupted for weeks, hundreds of thousands of records leaked, and the UK declared a "critical incident."

7. WazirX cryptocurrency exchange (July, India)

North Korea's Lazarus Group stole $230 million in cryptocurrency from Indian exchange WazirX after compromising a multi-signature wallet via spear-phishing of an engineer.

8. CDK Global (auto dealerships, June, U.S.)

A ransomware attack on CDK Global, a software platform used by ~15,000 U.S. auto dealerships, caused a multi-week sales outage across the U.S. automotive retail sector — one of the most consequential single-supplier ransomware impacts in retail.

Patterns

Three patterns dominated 2024:

  • Cloud-customer breaches via stolen credentials: the Snowflake cohort is a stark reminder that the cloud provider's security is necessary but not sufficient — customer MFA matters as much.
  • Concentration risk in critical infrastructure: one billing intermediary, one pathology lab, one dealership platform — each a single point of failure for an entire industry.
  • Pure data extortion replacing encryption: ransomware operations increasingly skip the encryption step entirely and monetize via leak-site pressure alone, because backups have improved enough that decryption leverage has weakened.
