Global Data Breaches and Cyber Attacks in January 2024 – 29,530,829,012 Records Breached

IT Governance’s research found the following for January 2024:

  • 4,645 publicly disclosed security incidents.
  • 29,530,829,012 records known to be breached.

Incredibly, even though 2024 has only just begun, we’ve already surpassed the totals of 2023 – across the full year – in both incidents and records breached.

This is due to a major outlier event: the MOAB (mother of all breaches), where an open instance saw more than 26 billion data records leaked from 3,876 domain names.

We recognise that many of these records have been compiled from previous data breaches, and that this data set will undoubtedly contain duplicates, so we appreciate that this event has to be treated differently from other, completely new incidents. Furthermore, a single event of this magnitude inevitably skews the other figures, which we want to account for.

This monthly report therefore provides two sets of numbers: including and excluding the MOAB.

Free PDF download: Data Breach Dashboard

For a quick, one-page overview of this month’s findings, please use our Data Breach Dashboards. This month, we provide two Dashboards: including and excluding the MOAB.

You can also download this and previous months’ Dashboards as free PDFs here.

This blog provides further analysis of the data we’ve collected. We also analyse the longer-term trends in our 2024 overview of publicly disclosed data breaches and cyber attacks.

At the bottom of this blog, we’ve outlined our research methodology.

Top 10 biggest breaches

Note 1: Where ‘around’, ‘about’, etc. is reported, we record the rounded number. Where ‘more than’, ‘at least’, etc. is reported, we record the rounded number plus one. Where ‘up to’, etc. is reported, we record the rounded number minus one.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
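The recording rules in the two notes above, written out as a small normaliser so the figures quoted later in this post can be reproduced. This is an added example, not IT Governance's own tooling. The qualifier synonyms 'approximately', 'over' and the '<' and '~' symbols, and the decimal size factors (1 PB = 10^9 MB) used to apply the 1 MB = 1 record formula, are assumptions the notes do not state. Run on the four figures from the list below, it yields the 26,000,000,001 figure the sector table note gives for the MOAB and the same top-four ordering.

```python
import re

# Rules from the methodology notes above: qualifier handling and 1 MB = 1 record.
# The extra synonyms ("approximately", "over", "<", "~") and the decimal size
# factors (1 PB = 10**9 MB) are assumptions; the notes do not state them.
WORD_SCALE = {"thousand": 10**3, "million": 10**6, "billion": 10**9}
SIZE_TO_RECORDS = {"mb": 1, "gb": 10**3, "tb": 10**6, "pb": 10**9}  # 1 MB = 1 record

# Leading qualifier and the adjustment it applies to the rounded number:
# 'more than' / 'at least' -> +1, 'up to' -> -1, 'around' / 'about' -> unchanged.
QUALIFIERS = [
    ("more than", +1), ("at least", +1), ("over", +1), (">", +1),
    ("up to", -1), ("<", -1),
    ("around", 0), ("about", 0), ("approximately", 0), ("~", 0),
]

# A number such as "26", "4.5", "223,000,000", optionally followed by a word
# scale (million, billion) or a data size unit (MB, GB, TB, PB).
NUMBER_RE = re.compile(
    r"(?P<num>\d[\d,]*(?:\.\d+)?)\s*(?P<scale>thousand|million|billion|mb|gb|tb|pb)?\b",
    re.IGNORECASE,
)


def recorded_count(report: str) -> int:
    """Turn a reported figure such as 'more than 26 billion records' into the
    number that would be logged, following the two notes above."""
    text = report.strip().lower()
    adjustment = 0
    for phrase, delta in QUALIFIERS:
        if text.startswith(phrase):
            adjustment = delta
            text = text[len(phrase):].lstrip()
            break
    match = NUMBER_RE.search(text)
    if not match:
        raise ValueError(f"no numeric figure found in {report!r}")
    value = float(match.group("num").replace(",", ""))
    scale = (match.group("scale") or "").lower()
    value *= WORD_SCALE.get(scale) or SIZE_TO_RECORDS.get(scale) or 1
    return round(value) + adjustment


def rank_incidents(incidents: dict, top_n: int = 10) -> list:
    """Rank incidents by their recorded count, largest first (the 'Top 10' ordering)."""
    ranked = sorted(
        ((name, recorded_count(figure)) for name, figure in incidents.items()),
        key=lambda pair: pair[1],
        reverse=True,
    )
    return ranked[:top_n]


# The four figures reported in the list below, plus one constructed 'up to' entry
# to exercise the minus-one rule.
SAMPLE_INCIDENTS = {
    "MOAB": "more than 26 billion records",
    "Planeta": "2 PB",
    "Indian mobile network database": "750 million victims' personal data",
    "Brazilian Elasticsearch instance": ">223,000,000 victims' personal data",
    "Example Ltd (constructed)": "up to 1,500 records",
}

if __name__ == "__main__":
    for name, count in rank_incidents(SAMPLE_INCIDENTS):
        print(f"{count:>16,}  {name}")
```

The qualifier is only recognised at the start of the figure, so pass the figure phrase itself ('more than 26 billion records') rather than the whole 'Data breached:' line. Because the size conversion is an assumption, anyone reusing the 1 MB = 1 record rule should decide explicitly whether their sources report decimal or binary units; for a 2 PB figure the difference is roughly 7%.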

1. The ‘mother of all breaches’: more than 26 billion records exposed

The security researcher Bob Diachenko and investigators from Cybernews have discovered an open instance with 26 billion data records, mostly compiled from previous breaches – although it likely also includes new data.

The data is more than mere credentials, too – according to Cybernews, most of the exposed data is sensitive. Given the extraordinary scale of the data breach, it’s been dubbed the ‘MOAB’ (mother of all breaches). In total, 3,876 domain names were included in the exposed data set.

Data breached: more than 26 billion records.

2. Russian research centre Planeta attacked by Ukraine, allegedly 2 PB of data wiped

The Main Directorate of Intelligence of the Ministry of Defense of Ukraine claims to have destroyed a 2-PB (petabyte) database belonging to Russia’s Far Eastern Research Center for Space Hydrometeorology, or Planeta.

With the caveat that news of state-sponsored attacks against combatants during wartime must be treated with a certain degree of caution, it appears that the cyber attack on Planeta – which receives and processes satellite data on behalf of more than 50 Russian state entities, including the Ministry of War – destroyed 280 servers at a cost of “at least $10 million”.

Data breached: 2 PB.

3. Mobile network database breach exposes 750 million Indians’ personal data

The Indian security company CloudSEK claims to have found the personal data of 750 million Indians for sale on an “underground forum”. Compromised data includes victims’ names, addresses, phone numbers and Aadhaar numbers (a 12-digit government identification number).

It remains unclear how the data breach occurred, but the attackers apparently suggested it was the result of “exploiting vulnerabilities within government databases of telecommunication systems”.

Data breached: 750 million victims’ personal data.

4. Massive data breach potentially exposes entire Brazilian population

Researchers have discovered a publicly accessible Elasticsearch instance containing the private data of hundreds of millions of Brazilians, including full names, dates of birth, sex and Cadastro de Pessoas Físicas numbers – the 11-digit number that identifies individual taxpayers.

The data is no longer publicly available.

Data breached: >223,000,000 victims’ personal data.

Sector overview

For our monthly analyses, we look at the top 5 most breached sectors by number of incidents and by known number of records breached.

We provide a full sector breakdown in our annual report.

Top 5 most breached sectors (by number of incidents)

Note: To make this table as informative as possible, the percentages exclude the ‘multiple’, ‘other’ and ‘unknown’ sectors. We’ve also excluded these sectors from the top 5. If we hadn’t, ‘multiple’ would have been in the top spot at 3,876 incidents due to the MOAB, and ‘unknown’ would have ranked above finance at 60 incidents.

Top 5 most breached sectors (by number of records)

Note: To make this table as informative as possible, we’ve excluded the ‘multiple’, ‘other’ and ‘unknown’ sectors. If we hadn’t, ‘multiple’ would have been in the top spot at 26,000,000,001 known records breached due to the MOAB, and ‘unknown’ would have ranked fourth at 293,840,772 known records breached, largely due to the unknown Brazilian organisation breached.

Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our free weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Industry news, including a round-up of the week’s publicly disclosed data breaches and cyber attacks;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.

Research methodology

We identify incidents from a range of publicly available sources (listed in our weekly round-ups), including news articles, PR statements and feeds by security researchers. We record these incidents, along with quantifiable data points for each, in a spreadsheet. Note that we only record incidents where we have a reasonable degree of confidence that it’s genuine, e.g. because the report is coming from a reputable source, or because samples have been provided.

We do our best to present the data as accurately and objectively as possible, but inevitably deal with lots of blurry lines. There are also the inherent limitations of working with breaking news, where we often lack detail at initial disclosure.

Please also be aware that we log incidents manually in a spreadsheet, from which we analyse and quantify the numbers. While we do our utmost to avoid inputting errors, when we typically record hundreds of incidents a week, some mistakes may slip through.

Month and year recorded

We record incidents by the month and year in which they came into the public domain, not when the incident took place, given that it usually takes time for the victim to become aware of the incident, and more time before it is publicly disclosed.

Again, an inherent limitation of working with breaking news is that, often, more information about the incident comes to light later. We do backtrack our data in our spreadsheet in such scenarios, which our annual report will reflect, but this causes some discrepancies between our weekly and monthly reports, and our annual one.

Region and country

We record the region (continent) and country as where most affected individuals are located. If we don’t have this information, we record the region and country as where the organisation is based. Where the organisation has locations in multiple countries, we record the region and country of its headquarters.

Supply chain attacks

Incidents that originated from a third party, often an IT services or software provider. Note that relatively few supply chain attacks can have a relatively big impact on the overall figures, but that doesn’t make these attacks any less serious. Successfully exploiting a vulnerability in just one IT services or software provider could impact hundreds or even thousands of organisations.

Data breached

Where the confidentiality, integrity and/or availability of data records have been compromised. This can include an unsecured database, data exfiltration and even physical data breaches – for instance, lost or stolen paperwork. The hard copy data could also have been destroyed without authorisation.

Note that a ‘data record’ can include personal data as well as confidential business data.

In cases where only the number of affected data subjects is reported, but we know that multiple data types have been breached per person, we still record only the number of individuals affected, because we can only record the numbers publicly disclosed. Moreover, where there is any doubt, we always err on the side of caution by reporting the lower figure.

Remedial action

Reported remediation typically includes conducting a forensic analysis to establish exactly what happened (often by engaging a third-party specialist). It often also involves temporarily taking down systems to limit the impact of the security breach.

In the case of DoS (denial-of-service) attacks, where a website had been taken down by a threat actor and is live again at the time of writing, we assume that the attacked organisation has taken remedial action, even if that organisation hasn’t publicly acknowledged the attack or the remediation.

Notified regulator

This means that the incident involved a regulator or an equivalent authority, whether because the organisation itself became aware of the breach and reported it, or because a third party reported it, or because it was the regulator or authority that uncovered the data breach.

Notified individuals

‘Individuals’ here can mean both data subjects as well as individuals affected by a service disruption. Where the organisation made a clear statement of intent about notifying affected individuals as soon as it has completed its investigation, we count this as having notified individuals.