Biggest Data Breaches 2026: Records, Costs, and Top Incidents
The biggest data breaches of 2026 have already eclipsed the worst quarters of 2025 by record volume, even as the average financial loss per breach falls for the first time in over a decade. Last updated: 2026-05-13.
TL;DR
- The Medtronic incident is the largest confirmed breach in 2026 so far, with the ShinyHunters group claiming theft of more than 9 million records [source: SecurityWeek, April 2026].
- Third-party and supply chain compromises now drive 30% of breaches, double the 15% level seen a year earlier [source: Verizon DBIR 2026].
- The global average cost of a breach was $4.44 million in 2025, the first year-over-year drop IBM has recorded [source: IBM Cost of a Data Breach Report 2025].
- US healthcare keeps the top industry cost spot at $11.2 million per breach, for the fifteenth consecutive year [source: IBM Cost of a Data Breach Report 2025].
- January 2026 saw a misconfigured cloud database expose 149 million records, one of the largest single exposures of the year [source: PKWARE, 2026].
This roundup ranks the largest confirmed incidents, explains why supply chain attacks have doubled, and shows how to check if your data is exposed.
What are the biggest data breaches of 2026 so far?
The biggest data breaches of 2026 are corporate cyber incidents in which large volumes of personal or business records were stolen, leaked, or exposed during the calendar year. This means any reader, employee, or customer of an affected company can find their personal data circulating on criminal marketplaces or public dump sites.
The Medtronic incident leads confirmed cases. On 24 April 2026, Medtronic publicly confirmed that an unauthorized third party accessed corporate IT systems after the ShinyHunters group listed it on its Tor extortion site with a claim of 9 million records [source: SecurityAffairs, April 2026]. Medtronic has not confirmed the 9 million figure and says forensic work continues.
Behind Medtronic, the headline incidents include a 149 million record cloud exposure in January, the Navia benefits administrator breach affecting 2.7 million people, Hallmark Cards at roughly 2.8 million accounts, Dutch telecom Odido at 6 million accounts, and the Vimeo extortion case affecting more than 119,000 users [source: PKWARE 2026 breach roundup]. Cisco disclosed a development environment compromise on 31 March 2026 in which attackers cloned over 300 GitHub repositories and allegedly extracted AWS keys.
How does 2026 compare to past breach years?
Breach volume in 2026 is on track to exceed 2025, but average financial loss per breach is falling. This means defenders are containing incidents faster, even as attackers steal more records overall.
The Verizon 2026 Data Breach Investigations Report analyzed 22,000 incidents and 12,195 confirmed breaches, the largest dataset in DBIR history [source: Verizon DBIR 2026]. That figure rose from the 2025 edition, which itself reflected record incident counts. At the same time, IBM’s research shows global average breach cost fell from $4.88 million in 2024 to $4.44 million in 2025, a 9% decline [source: IBM 2025].
| Metric | 2024 | 2025 | 2026 trend |
|---|---|---|---|
| Global average breach cost | $4.88M | $4.44M | Slight further decline expected |
| Mean time to identify + contain | 258 days | 241 days | 9-year low |
| Confirmed breaches in DBIR dataset | ~10,600 | ~12,000 | 12,195 [source: Verizon DBIR 2026] |
| Third-party involvement | ~15% | ~30% | Holding at 30% |
| Healthcare avg cost per breach | $9.77M | $11.20M | Highest of any industry, 15 years running |
Two patterns explain the gap. First, AI-assisted detection cuts response times: IBM found organizations using AI and automation widely shorten the breach lifecycle by an average of 68 days and save roughly $1.9 million per breach. Second, attackers are running supply chain campaigns that hit many victims at once, which lifts record counts even when each individual victim contains the incident quickly.
Top 10 biggest breaches 2026 ranked
The table below ranks the largest confirmed 2026 incidents by reported records exposed. Where the affected company has not validated the attacker claim, the figure is shown as “alleged”.
| Rank | Organization | Records exposed | Date confirmed | Vector |
|---|---|---|---|---|
| 1 | Unnamed cloud database (researcher find) | 149,000,000 | Jan 2026 | Misconfigured S3-style storage |
| 2 | Medtronic (alleged by ShinyHunters) | 9,000,000+ | 24 Apr 2026 | Corporate IT intrusion |
| 3 | Odido (Dutch telecom) | 6,000,000 | Feb 2026 | Customer database access |
| 4 | Hallmark Cards | 2,800,000 | Mar 2026 | Customer account leak |
| 5 | Navia Benefits | 2,700,000 | Jan 2026 | Healthcare benefits records |
| 6 | “Breach3d” agency disclosure | 11,700,000 confirmed of 19M alleged | Q1 2026 | Government accounts |
| 7 | Vimeo (ShinyHunters extortion) | 119,000 | Apr 2026 | Account credentials |
| 8 | Cisco (development environment) | 300+ GitHub repos cloned, AWS keys | 31 Mar 2026 | Stolen credentials, dev systems |
| 9 | Vercel (OAuth supply chain) | Environment variables across customers | Apr 2026 | OAuth token abuse |
| 10 | Various supply chain victims (DBIR data) | 26,000 downstream victims | Year to date | Third-party vendor compromise |
Sources: tech.co tracker, PKWARE roundup, Privacy Guides weekly, Vercel OAuth analysis.
A note on counting: a single misconfigured cloud bucket can hold more records than a high-profile corporate attack, yet it draws less press because the party who finds it is often a security researcher who reports it rather than an extortion group. Both belong in any honest 2026 ranking.
Why does healthcare lead breach costs?
Healthcare leads breach costs because patient records hold long-term resale value and clinical systems often cannot afford prolonged downtime. This means attackers know hospitals and device makers are more likely to negotiate, which lifts both breach frequency and ransom demands across the sector.
Healthcare has now been the costliest breached industry in IBM’s data for fifteen consecutive years, with average per-breach cost reaching $11.2 million in 2025 [source: IBM 2025]. The Medtronic confirmation in April 2026 fits the pattern: a large medical device maker, an extortion group with prior healthcare hits, and a record claim that the company is still working to verify.
The reported sequence:
- 17-18 April 2026: ShinyHunters lists Medtronic on its leak site with a 21 April negotiation deadline.
- 21 April 2026: Listing disappears, a pattern often linked to negotiation or payment activity, per Infosecurity Magazine.
- 24 April 2026: Medtronic publicly confirms the intrusion but does not validate the 9 million record claim.
- Forensic review ongoing: Medtronic states no impact to products, patient safety, or therapy delivery.
Healthcare attackers target patient identifiers, insurance numbers, and clinical metadata because those records hold long-term resale value. Stolen credit card numbers can be cancelled within hours, while a date of birth and an insurance member ID are useful for years.
Why are supply chain attacks dominating 2026 breaches?
Supply chain attacks dominate 2026 because attackers found that compromising one vendor can expose hundreds of downstream customers. This means defenders now have to monitor not only their own perimeter but the security posture of every SaaS tool, code dependency, and contractor in their stack.
The Verizon 2026 DBIR puts third-party involvement at 30% of breaches, up from approximately 15% in the prior year [source: Verizon DBIR 2026]. Black Kite separately tracked 136 major third-party breaches affecting 719 named companies, with about 26,000 downstream victims who were never publicly identified, an average of 5.28 downstream victims per breach.
The Vercel incident is the canonical 2026 example. Trend Micro researchers documented an OAuth attack in which attackers exploited platform environment variables, exposing keys and secrets across many Vercel-hosted projects in one move. This kind of cascade is why Gartner predicts that by 2026, 45% of organizations worldwide will see an attack on their software supply chain, an almost 3x increase from 2021.
What does an average breach cost in 2026?
The global average data breach cost was $4.44 million in 2025, the first year-over-year decrease since IBM started tracking the figure. This means companies that invest in faster detection and tighter response playbooks are now paying noticeably less per incident, even as breach volume rises.
Cost breakdown highlights from the IBM 2025 report:
- Global average: $4.44M, down 9% from $4.88M [source: IBM 2025].
- United States average: $10.22M, more than double the global figure [source: IBM 2025].
- Middle East: $7.29M (second highest region).
- Healthcare: $11.2M per breach (industry leader, 15 years).
- Financial services: $6.08M per breach.
- Critical infrastructure: $4.82M per breach.
- Mean time to identify and contain: 241 days, lowest in nine years.
IBM also surfaced two AI signals. Heavy use of approved AI security tools cut breach lifecycle by 68 days and saved $1.9M on average. Conversely, organizations with high “shadow AI” usage, where employees connected sanctioned data to unsanctioned AI tools, paid $670,000 more per breach than those with low shadow AI. The lesson: AI in security saves money when governed, costs money when ignored.
Ransomware groups behind 2026 breaches
ShinyHunters, the extortion group behind the Medtronic claim, has dominated 2026 headlines. The pattern is consistent: gain access through stolen credentials or abuse of a SaaS platform, exfiltrate sensitive corporate data, list the victim on a Tor leak site, and demand ransom under threat of a public dump.
March 2026 saw heavy activity from several groups including LockBit successors and Akira variants targeting US municipalities, European logistics firms, and Asian manufacturing [source: CM Alliance, March 2026]. The Cisco development environment intrusion in late March used stolen credentials rather than a software exploit, illustrating the broader trend: identity is the new attack surface.
Patterns to watch in 2026:
- Double extortion remains dominant. Encryption plus data theft, then ransom for both decryption and silence.
- Triple extortion is rising. Some groups also threaten or directly contact victim customers, partners, and regulators to apply pressure.
- No-encryption pure-extortion attacks. Several 2026 incidents skip ransomware entirely and rely only on data theft and exposure threats.
How long do organizations take to detect a breach?
The mean time to identify plus contain a breach stood at 241 days in 2025 according to IBM, the lowest figure in nine years of tracking. This means an attacker is still typically inside a network for roughly eight months before the victim ejects them.
Why does detection take so long? Several factors compound:
- Initial access often uses valid credentials, which raise fewer alerts than malware.
- Attackers move slowly inside a network to avoid behavioral detection.
- Many organizations lack centralized logging or have stale SIEM rules.
- Supply chain compromise hides in the trust granted to a third-party vendor.
The 241-day figure is an average. Healthcare, finance, and government organizations with mature programs now contain in under 100 days, while smaller and less mature organizations still see compromises lasting more than a year.
How can you check if you were affected?
You can check whether your data was exposed in 2026 breaches by using free breach-lookup services and by reading direct notices from companies you do business with. This means you should not wait for a letter in the mail, since notification timelines stretch into months under most US state breach laws.
Practical steps to verify exposure:
1. Check Have I Been Pwned by email address. The service indexes most large public breach corpuses.
2. Read your bank, insurer, and healthcare provider portals for posted security notices.
3. Subscribe to your state attorney general’s data breach notification list.
4. Search the affected company’s site for a “security incident” page and FAQ.
5. Review the Privacy Guides weekly roundup for breaches you may have missed.
If a breach you are exposed to confirms theft of Social Security numbers or financial account credentials, treat the incident as high severity and act within 72 hours.
Steps to protect yourself after a 2026 breach
After a confirmed breach, three categories of action matter: credential reset, financial guard, and continuous monitoring. Doing only the first leaves you exposed to long-tail fraud months later.
Credential reset:
- Change the password on the breached service immediately.
- Change the password on any other service where you reused that password.
- Enable two-factor authentication on email, banking, and any social account that holds professional reputation.
- Replace SMS-based 2FA with an authenticator app or hardware key where possible.
Financial guard:
- Place a fraud alert with one of the three US credit bureaus (the others are auto-notified).
- Freeze your credit at all three bureaus if the breach exposed SSN, date of birth, and address.
- Review credit card statements weekly for 90 days.
- Lock your federal tax filing PIN ahead of filing season if SSN was exposed.
Continuous monitoring:
- Sign up for free credit monitoring if the affected company offers it; the offer is usually 12 to 24 months.
- Use a password manager to generate unique strong passwords across services.
- Watch your inbox for targeted phishing using the breach’s leaked details; attackers send convincing emails referencing real account data within weeks.
What should businesses learn from the 2026 breaches?
The clearest lesson from 2026 is that identity and third-party trust are the two attack surfaces that matter most. This means classic perimeter spending no longer maps to the real risk surface; budget needs to follow identity, supply chain, and detection capability.
Five concrete priorities, based on the IBM and Verizon evidence:
1. Inventory third-party access. Every SaaS vendor, contractor, and OAuth grant is a potential breach path.
2. Adopt phishing-resistant MFA. Passkeys and hardware keys defeat the credential phishing chain that drives most breaches.
3. Deploy AI-assisted detection. IBM’s data shows AI cuts breach lifecycles by 68 days and saves around $1.9M per incident.
4. Govern AI usage. Shadow AI added $670K to average breach cost in IBM’s dataset.
5. Run quarterly response drills. Containment speed is now the single biggest cost lever.
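One way to start the third-party access inventory from priority 1, as an added example that is not taken from the IBM or Verizon reports or from any vendor's tooling: it reviews an export of OAuth grants and flags grants that hold broad scopes or have gone unused. The record fields, scope names, vendor names and the 90-day threshold are assumptions made for illustration.

```python
from datetime import date

# Constructed sample export of OAuth grants. Field names are hypothetical,
# not the schema of any specific identity provider or SaaS platform.
GRANTS = [
    {"app": "ci-deployer", "vendor": "ExampleDeploy",
     "scopes": ["repo:write", "secrets:read"], "last_used": "2026-05-01"},
    {"app": "calendar-sync", "vendor": "ExampleCal",
     "scopes": ["calendar:read"], "last_used": "2025-11-02"},
    {"app": "analytics-export", "vendor": "ExampleBI",
     "scopes": ["data:read", "admin:org"], "last_used": None},
    {"app": "status-widget", "vendor": "ExampleStatus",
     "scopes": ["status:read"], "last_used": "2026-05-10"},
]

# Assumed policy: scopes that would expose secrets or write access
# if the vendor holding the grant were compromised.
BROAD_SCOPES = {"admin:org", "secrets:read", "repo:write"}
STALE_AFTER_DAYS = 90  # assumed threshold for an unused grant


def review_grant(grant, today):
    """Return the findings for one grant (empty list means nothing flagged)."""
    findings = []
    broad = sorted(set(grant["scopes"]) & BROAD_SCOPES)
    if broad:
        findings.append("broad scopes: " + ", ".join(broad))
    if grant["last_used"] is None:
        findings.append("never used")
    else:
        idle = (today - date.fromisoformat(grant["last_used"])).days
        if idle > STALE_AFTER_DAYS:
            findings.append(f"idle {idle} days")
    return findings


def review_inventory(grants, today):
    """Map app name -> findings for flagged grants, most findings first."""
    flagged = {g["app"]: review_grant(g, today) for g in grants}
    flagged = {app: f for app, f in flagged.items() if f}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for app, findings in review_inventory(GRANTS, date(2026, 5, 13)).items():
        print(f"{app}: {'; '.join(findings)}")
```

Grants that are both broad and unused are the first candidates for revocation; broad grants that are in active use need an owner and a review date instead.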
A 2026 breach response plan also has to address regulatory complexity. The EU AI Act, US state privacy laws, and sector regulators have all tightened breach notification windows in the past year. A 30-day delay that was acceptable in 2023 can now trigger fines.
FAQ on the biggest data breaches of 2026
Which is the single biggest breach of 2026 so far?
By records exposed, the January 2026 cloud database leak at 149 million records is the largest single incident. By corporate impact, the Medtronic breach with a 9 million record claim is the most significant healthcare event.
Is the average breach cost really going down?
Yes. IBM’s 2025 report shows the first year-over-year decline in global average cost, at $4.44 million, down from $4.88 million. US organizations still pay $10.22 million on average, the highest regional figure.
Why is supply chain risk so high in 2026?
Verizon’s DBIR 2026 found third-party involvement in 30% of breaches, double the prior year. Attackers target a single SaaS vendor or code dependency and ride the trust into many downstream organizations at once.
How do I know if my employer was breached?
Check the company’s investor relations and security disclosure pages, your state attorney general’s breach list, and breach-tracker services like Have I Been Pwned. US public companies must file an 8-K within four business days of a material cyber incident.
What is ShinyHunters and why does the name keep appearing?
ShinyHunters is an extortion group active since 2020 that operates a Tor leak site and runs negotiations from there. They have claimed credit for several 2026 incidents including Medtronic and Vimeo.
Are passkeys really safer than passwords?
Yes for phishing resistance. Passkeys are bound to the device and the legitimate site domain, so a fake login page cannot harvest them, which removes the most common credential theft vector.
Should I pay for identity theft insurance after a breach?
Often it is unnecessary. Most affected companies provide 12 to 24 months of free credit monitoring, and a $0 credit freeze at the three bureaus is the strongest single protection step.
Bottom line
The biggest data breaches of 2026 are larger by volume, smaller by per-incident cost, and increasingly driven by supply chain and identity-based attacks. Medtronic, the 149 million record cloud exposure, and the Vercel OAuth supply chain incident together signal where defenders need to spend in the second half of the year: third-party governance, phishing-resistant authentication, and AI-assisted detection. For readers, the practical playbook is unchanged: check exposure regularly, freeze credit when SSN is involved, and treat any breach notice as the start of a 12-month watch, not a 12-day one.
Daniel Mercer is a technology journalist and digital media analyst with over 8 years covering AI, cybersecurity, and emerging tech. He has reported on major product launches, industry shifts, and policy developments for leading tech publications. Daniel holds a degree in Computer Science from the University of Edinburgh and is a member of the Online News Association.