title: “Biggest Data Breaches 2026: The Definitive List (With Stats & What to Do)”
slug: biggest-data-breaches-2026
meta_title: “Biggest Data Breaches 2026: Ranked by Scale & Impact”
meta_description: “Over 1 billion records exposed so far in 2026. See the biggest data breaches ranked by scale, what data was stolen, and how to protect yourself now.”
focus_keyword: biggest data breaches 2026
author: Michael Torres
author_credentials: Tech journalist, 10+ years covering cybersecurity and big tech
reading_time: 11 min
last_updated: 2026-04-09
pillar: Cybersecurity
tags: [data breach, cybersecurity, hacking, identity theft, 2026]
Biggest Data Breaches 2026: The Definitive Ranked List (Updated April 2026)
Reading time: ~11 minutes | By Michael Torres, Tech Journalist
Over one billion personal records have already been exposed in 2026 — and we’re only in the first quarter. From a catastrophic identity-verification meltdown exposing nearly a billion KYC files, to a nation-state wiper attack that destroyed 80,000 corporate devices overnight, 2026 is shaping up to be one of the most damaging cybersecurity years on record.
This article ranks the biggest data breaches of 2026 by scale and severity, explains exactly what data was stolen, who is behind each attack, and — critically — what you should do if your information was compromised.
Table of Contents
- 2026 Data Breach Snapshot: Key Stats
- The Biggest Data Breaches of 2026 — Ranked
- IDMerit — ~1 Billion Records
- Cegedim Santé — 15.8 Million Medical Records
- JD Sports — Up to 10 Million Customers
- Odido — 6.2 Million Telecom Customers
- Crunchyroll — 6.8 Million Users
- Panera Bread — 5.1 Million Accounts
- Stryker — Nation-State Wiper Attack
- LexisNexis — 3.9 Million Records
- Navia Benefit Solutions — 2.7 Million People
- Norton Healthcare — 2.5 Million People
- European Commission — 350GB of Government Data
- Aura — 900,000 Identity Protection Records
- Figure Technology Solutions — 967,000 Accounts
- Marquis Software Solutions — 672,000 Records
- What Is the Average Cost of a Data Breach in 2026?
- Which Industries Are Targeted Most in 2026?
- How Do Hackers Get Your Data in 2026?
- What Should You Do If Your Data Was Breached?
- FAQ: Your Top Questions Answered
2026 Data Breach Snapshot: Key Stats
Data breaches in 2026 are not just more frequent — they are more sophisticated, more politically motivated, and harder to detect. Before diving into individual incidents, here is what the numbers say.
| Metric | 2026 Figures |
|---|---|
| Total major breaches tracked (Q1 2026) | 14+ confirmed |
| Total records exposed (Q1 2026) | 1.06 billion+ |
| Average cost per breach (IBM 2025 report) | $4.44 million |
| Average time to detect and contain a breach | 241 days |
| Share of breaches involving third parties | 30% (doubled YoY) |
| Ransomware present in breaches | 44% of all cases |
| FBI IC3 cybercrime losses in 2025 | $20.9 billion |
| Increase in cybercrime complaints YoY | 26% |
Original data compilation by NewsBalaxy.net based on IBM Security, Verizon DBIR 2025, and FBI IC3 2025 Annual Report.
According to the FBI’s Internet Crime Complaint Center (IC3), Americans filed more than 1 million cybercrime complaints in 2025, with losses reaching $20.9 billion — a 26% surge year over year. For the first time, the IC3 report included AI-facilitated fraud as a dedicated category, accounting for 22,000+ complaints and nearly $893 million in losses.
The Verizon 2025 Data Breach Investigations Report (DBIR), which analyzed over 22,000 security incidents and 12,000 confirmed breaches, found that third-party breaches doubled year over year, now accounting for 30% of all incidents. Ransomware featured in 44% of breaches, though the median ransom payout dropped to $115,000 — and 64% of victims refused to pay.
The Biggest Data Breaches of 2026 — Ranked
What was the biggest data breach in 2026?
The largest data breach of 2026 by record volume is the IDMerit exposure, in which a misconfigured database left approximately one billion identity-verification records publicly accessible online with no authentication required. The breach was discovered by Cybernews researchers in November 2025 and publicly disclosed in February 2026.
1. IDMerit — ~1 Billion Records Exposed
When: Discovered November 11, 2025 — Disclosed February 18, 2026
Sector: Identity verification / KYC
Records exposed: ~1 billion (including ~1 billion KYC entries across 26 countries)
Attack type: Misconfigured unsecured database
IDMerit, a California-based AI-powered identity verification provider, left a MongoDB database fully exposed on the public internet — no password, no authentication, no access control. Any party with the URL could read, copy, export, or delete the entire contents.
What was in the database:
| Data Type | Details |
|---|---|
| Full legal names | Yes |
| Home addresses and postal codes | Yes |
| Dates of birth | Yes |
| National ID numbers | Government-issued IDs |
| Phone numbers and emails | Yes |
| KYC/AML verification logs | Yes |
| Telecom metadata | Yes |
| Breach status annotations | Yes |
The US accounted for 203 million records. Mexico contributed 124 million. Combined, the exposure spanned 26 countries — making this one of the largest identity data leaks in history.
IDMerit secured the database the next day (November 12, 2025), but took 99 days to make a public disclosure. Researchers warned that automated crawlers used by threat actors continuously scan the internet for exposed databases and often discover them within hours of exposure.
2. Cegedim Santé — 15.8 Million Medical Records
When: Breach occurred late 2025 — Confirmed March 3, 2026
Sector: Healthcare software (France)
Records exposed: 15.8 million
Attack type: Platform breach (MonLogicielMedical)
This is the largest healthcare data breach in European history. Cegedim Santé’s MonLogicielMedical (MLM) platform, used by over 3,800 general practitioners across France, was infiltrated in late 2025. Hackers made off with 15.8 million administrative patient files. Cegedim filed a criminal complaint in October 2025 — but four months passed before the public learned of the breach.
The most alarming dimension: 165,000 files contained doctors’ free-text clinical notes, including:
– HIV status
– Psychiatric diagnoses
– Sexual orientation
– Mental health conditions
French politicians and government officials were reportedly among those exposed. The breach is particularly damning given that France’s data protection authority (CNIL) had fined Cegedim €800,000 just 18 months earlier for illegal health data processing.
3. JD Sports — Up to 10 Million Customers
When: 2026
Sector: Retail / Fashion
Records exposed: Up to 10 million
Attack type: Cyberattack
British fashion retailer JD Sports confirmed that up to 10 million customers may have had personal data accessed by hackers. The breach underscores ongoing vulnerabilities in the retail sector, where large customer databases and e-commerce systems remain attractive targets.
4. Odido — 6.2 Million Telecom Customers
When: February 7, 2026 weekend
Sector: Telecommunications (Netherlands)
Records exposed: Up to 6.2 million
Attack type: Unauthorized access to customer contact system
Dutch telecom provider Odido disclosed that attackers breached a customer contact system over the February 7 weekend, downloading data on up to 6.2 million customers. Exposed information included names, home addresses, email addresses, mobile numbers, and dates of birth.
5. Crunchyroll — 6.8 Million Users
When: March 12, 2026
Sector: Media / Streaming
Records exposed: 8 million support tickets; 6.8 million unique email addresses
Attack type: Phishing via third-party contractor (Okta SSO)
The anime streaming giant suffered a breach when attackers phished a Telus International contractor who had Okta SSO access to Crunchyroll’s support system. The attacker downloaded 8 million support ticket records, exposing 6.8 million unique user email addresses, IP addresses, and partial credit card information. The Crunchyroll breach is a textbook case of supply chain vulnerability — where a third-party’s weak security becomes your company’s catastrophe.
6. Panera Bread — 5.1 Million Accounts
When: Late January 2026 (leaked February 2026)
Sector: Food / Restaurant
Records exposed: ~5.1 million
Attack type: Data theft by ShinyHunters group
The ShinyHunters hacking group claimed to have stolen customer data from Panera Bread in late January 2026. When extortion attempts failed, the group leaked approximately 760MB of data publicly. Analysis via Have I Been Pwned confirmed roughly 5.1 million unique accounts were exposed, containing names, dates of birth, phone numbers, and email addresses.
7. Stryker — Nation-State Wiper Attack
When: March 11, 2026
Sector: Medical devices (Michigan, USA)
Devices wiped: ~80,000 (200,000 claimed by attackers)
Attack type: Nation-state wiper attack via Microsoft Intune MDM
This breach is unlike any other on this list. Handala — a pro-Iran hacking group believed to operate under Iran’s Ministry of Intelligence and Security (MOIS) — launched a destructive wiper attack against Stryker, one of America’s largest medical device manufacturers, without deploying a single line of malware.
How they did it: Attackers compromised a Microsoft Intune administrator account using stolen credentials. They then created a new global admin account and used Stryker’s own mobile device management (MDM) tool to remotely wipe managed devices across the global network.
The result: operations disrupted in 79 countries, 50GB of corporate data stolen, and a company forced to shut down offices worldwide. The FBI, CISA, DHS, HHS, and the White House National Cyber Director all became involved in the response. The FBI later seized domains tied to the Handala group.
Handala claimed the attack was retaliation for an Iranian school missile strike. The Stryker attack represents a watershed moment: a legitimate IT tool weaponized at scale against its own owner.
8. LexisNexis — 3.9 Million Records
When: February 24, 2026 (confirmed March 2026)
Sector: Legal data services
Records exposed: 3.9 million database records; 21,042 customer accounts
Attack type: Unpatched React2Shell vulnerability + overpermissioned IAM roles
Attackers exploited an unpatched React2Shell vulnerability combined with overpermissioned IAM (Identity and Access Management) roles to extract 3.9 million records from LexisNexis. Among the 21,042 customer accounts exposed were the profiles of 118 government officials — a finding with significant national security implications.
9. Navia Benefit Solutions — 2.7 Million People
When: December 22, 2025 – January 15, 2026 (disclosed 2026)
Sector: Benefits administration / Healthcare
Records exposed: 2.7 million
Attack type: Unauthorized access
Navia, a company managing employee benefits programs including HRAs, FSAs, and COBRA enrollment, disclosed that unauthorized parties accessed its systems over a 24-day window. Exposed data included names, dates of birth, Social Security numbers, phone numbers, email addresses, and detailed benefits enrollment information — a dangerous combination for identity fraud and financial fraud.
10. Norton Healthcare — 2.5 Million People
When: 2026
Sector: Healthcare
Records exposed: ~2.5 million
Attack type: Unauthorized access (patient and employee data)
Norton Healthcare confirmed that threat actors gained unauthorized access to personal information belonging to approximately 2.5 million patients and employees. Details of the attack method have not been fully disclosed publicly.
11. European Commission — 350GB of Government Data
When: March 24–27, 2026
Sector: Government / EU
Data stolen: 350GB
Attack type: AWS cloud infrastructure compromise
Attackers breached the cloud infrastructure hosting the European Commission’s Europa web platform, extracting 350GB of data including databases, mail contents, and confidential contracts. The Commission stated the incident was “contained quickly” and that internal systems were not impacted — though the volume of extracted data suggests the breach was far from trivial.
12. Aura — 900,000 Identity Protection Records
When: March 18, 2026
Sector: Identity protection services
Records exposed: 900,000
Attack type: Social engineering → employee credential compromise
In a deeply ironic incident, Aura — a company that sells identity protection services — was breached through a social engineering phone call that compromised an employee’s credentials. The attack exposed 900,000 records containing names, email addresses, home addresses, and phone numbers of people who had specifically signed up to protect their identity.
13. Figure Technology Solutions — 967,000 Accounts
When: February 14, 2026
Sector: Fintech
Records exposed: ~967,000
Attack type: Social engineering
Figure Technology Solutions, a fintech company, confirmed that a social engineering attack allowed hackers to access internal systems, exposing nearly 967,000 user accounts. Stolen data included names, dates of birth, email and postal addresses, and phone numbers.
14. Marquis Software Solutions — 672,000 Individuals
When: August 14, 2025 (disclosed March 2026)
Sector: Financial services
Records exposed: 672,000
Attack type: Compromised SonicWall firewall + ransomware
Attackers compromised a SonicWall firewall and deployed ransomware against Marquis Software Solutions. The breach was not disclosed publicly until March 2026 — seven months after it occurred — exposing names, dates of birth, Social Security numbers, and financial account information.
What Is the Average Cost of a Data Breach in 2026?
The average cost of a data breach globally is $4.44 million, according to IBM’s 2025 Cost of a Data Breach Report. Organizations that use shadow AI — where employees download or use unapproved AI tools — face an additional $670,000 in breach costs on top of the average.
Key cost drivers include:
– Lost business and customer churn after disclosure
– Legal fees, regulatory fines, and class-action settlements
– Incident response and forensic investigation
– Notification costs and credit monitoring for affected individuals
– Reputational damage and stock price impact
Healthcare breaches consistently cost more than any other sector. The average breach cost in healthcare is $9.77 million — more than double the global average — driven by regulatory complexity, data sensitivity, and the operational disruption involved in system downtime (IBM 2025).
Which Industries Are Targeted Most in 2026?
Healthcare dominates the 2026 breach landscape. Of the 14 major breaches tracked in Q1 2026, four involved healthcare organizations (Cegedim, Norton, Navia, UMMC). This is consistent with historical patterns — healthcare records fetch premium prices on dark web markets due to the volume and sensitivity of the data they contain.
Industries most targeted in 2026:
| Industry | Share of Major Breaches (Q1 2026) | Why |
|---|---|---|
| Healthcare | 29% | High-value PII + sensitive diagnoses + HIPAA complexity |
| Financial services | 21% | Direct monetization potential |
| Technology | 14% | IP theft + credential harvesting |
| Government | 14% | Nation-state espionage |
| Retail / Consumer | 14% | Large customer databases |
| Telecom | 7% | Call records + subscriber data |
Original analysis compiled from Q1 2026 breach disclosures tracked for this article.
How Do Hackers Get Your Data in 2026?
How do hackers gain access in data breaches? The Verizon 2025 DBIR identifies credential theft and vulnerability exploitation as the two dominant entry points, while social engineering remains alarmingly effective.
Top attack vectors (Verizon DBIR 2025):
| Attack Vector | Share of Breaches |
|---|---|
| Third-party / supply chain compromise | 30% |
| Stolen credentials | 22% |
| Exploited vulnerabilities (unpatched software) | 20% |
| Phishing | 16% |
| Ransomware (present, not entry vector) | 44% |
What is especially alarming in 2026: for newly disclosed critical vulnerabilities in edge devices (VPNs, firewalls), the median time between public disclosure and mass exploitation by attackers is zero days. Organizations that delay patching even briefly face immediate exploitation.
The Stryker case adds another dimension: in 2026, attackers don’t need malware at all. They can weaponize your own legitimate IT tools against you — using MDM platforms, cloud admin consoles, and identity providers as the attack surface.
What Should You Do If Your Data Was Breached?
If your information appears in any of the 2026 breaches listed above — or if you suspect it was compromised — take these steps immediately:
1. Check if you were affected
Visit Have I Been Pwned (a free, legitimate service run by security researcher Troy Hunt) and enter your email address. It will tell you which known breaches include your data.
2. Freeze your credit
Contact all three major US credit bureaus — Equifax, Experian, and TransUnion — and request a credit freeze. This prevents anyone from opening new credit accounts in your name. It’s free and can be done online.
3. Change compromised passwords immediately
If the breach exposed your password (even hashed), change it on every site where you used the same or similar password. Use a password manager (Bitwarden, 1Password) to generate unique passwords for every account.
4. Enable multi-factor authentication (MFA) everywhere
MFA — requiring a second factor beyond a password — stops the majority of credential-based attacks. Enable it on email, banking, social media, and any service containing financial or personal data.
5. Monitor your financial accounts and credit reports
Review bank and credit card statements weekly for unauthorized transactions. In the US, you are entitled to free weekly credit reports at AnnualCreditReport.com.
6. Watch for phishing follow-ups
Breached data frequently ends up in targeted phishing campaigns. Be suspicious of unexpected emails, calls, or texts referencing your personal details — this is not a coincidence if your data was stolen.
7. Report identity theft
If your Social Security number was exposed (as in the Navia, Marquis, or Norton Healthcare breaches), file a report at IdentityTheft.gov (FTC) and consider placing a fraud alert with the credit bureaus.
FAQ: Your Top Questions Answered
What was the biggest data breach in 2026?
The IDMerit breach is the largest of 2026 by record volume — approximately one billion identity records were exposed in a misconfigured, publicly accessible MongoDB database. The exposure included KYC verification records across 26 countries, with the US accounting for 203 million records alone.
How many data breaches happened in 2026?
There were 4,100+ publicly disclosed data breaches in 2025 — approximately 11 per day. Q1 2026 has already confirmed 14+ major incidents, with the full year on track to match or exceed prior records.
What companies were hacked in 2026?
Major 2026 victims include Stryker, Crunchyroll, Panera Bread, Odido, LexisNexis, the European Commission, Aura, JD Sports, Figure Technology Solutions, Navia, Norton Healthcare, Cegedim Santé, and IDMerit, among many others.
What is the average cost of a data breach in 2026?
The global average cost is $4.44 million per breach, according to IBM’s 2025 Cost of a Data Breach Report. Healthcare breaches average $9.77 million — more than double the global average.
How do hackers get your data?
The top methods are: third-party and supply-chain compromise (30% of breaches), stolen or phished credentials (22%), exploited unpatched vulnerabilities (20%), and direct phishing (16%), per the Verizon 2025 DBIR.
What should I do if my data was breached?
Act immediately: check Have I Been Pwned, freeze your credit at all three bureaus, change passwords on affected accounts, enable MFA everywhere, and monitor your financial accounts. If your SSN was exposed, file a report at IdentityTheft.gov.
Which industry is most targeted by data breaches?
Healthcare is the most targeted sector — and the most expensive when breached, averaging $9.77 million per incident. Healthcare records contain dense PII including insurance details, medications, diagnoses, and government IDs, making them premium targets on dark markets.
How long does it take to detect a data breach?
The global average is 241 days to identify and fully contain a breach. This explains why many 2026 disclosures involve breaches that occurred months earlier — Cegedim (4-month gap), Marquis (7-month gap), IDMerit (99-day gap between discovery and disclosure).
Is ransomware still a threat in 2026?
Yes — ransomware appeared in 44% of all confirmed data breaches in 2025. However, the median ransom payout fell to $115,000, and 64% of victims now refuse to pay, according to Verizon DBIR 2025.
Can nation-states cause data breaches?
Absolutely. The 2026 Stryker attack demonstrates that nation-state actors are now deploying destructive wiper attacks against civilian companies — not just stealing data, but destroying it. The Iran-linked Handala group wiped ~80,000 Stryker devices using legitimate MDM tools, with no malware involved.
Related Articles
- Top Cybersecurity Threats in 2026: What You Need to Know Right Now
- Your Phone Is Under Attack: Record Security Patches Reveal 200 Critical Vulnerabilities
- The Future of AI in Cybersecurity 2026: Trends and Predictions
About the Author
Michael Torres is a tech journalist with over a decade of experience covering cybersecurity, big tech, and digital policy. His reporting on data privacy and breach accountability has appeared across leading technology publications. When a billion records get exposed overnight, he reads the forensic reports so you don’t have to.
Sources: FBI IC3 Annual Report 2025 | Verizon 2025 DBIR | IBM Cost of a Data Breach 2025 | IDMerit breach — Cybernews | Stryker attack — Krebs on Security | Cegedim breach — The Register | Strobes March 2026 roundup
Disclosure: This article contains no affiliate links. NewsGalaxy.net is editorially independent.
Personal finance writer helping readers save money and build wealth through actionable strategies. Covers budgeting, investing, frugal living, and financial independence topics.