20 Biggest Data Breaches of 2022 You Should Know

Protecting your personal information online is important, and news of data breaches can be worrisome when your data may have been compromised. Sometimes hackers force a data breach, which can happen through malware, a ransomware attack, or other types of cyberattacks. Other times, data may be leaked through a vulnerability in the code of a website or app and end up in the hands of cybercriminals. 

Regardless, protecting your personal information is important for you and critical to the companies that have your data — even small businesses.

One of the latest data breaches involves more than 70,000 people whose information was held by Lending Tree, LLC. The breach was caused by issues with the coding of its website that led to hackers gaining unauthorized access. As part of this breach, individuals' names, Social Security numbers, addresses, and dates of birth were compromised. Lending Tree alerted individuals whose information may have been compromised.

Companies have a duty to inform you if your sensitive data has been part of a data leak. However, in many cases, the companies send out those notifications after doing a lengthy investigation, which means your information could be exposed for a while before you know. 

It is important that you also protect your data by using strong passwords and checking your credit reports for suspicious activity.

We suggest staying informed on recent data breaches in case any of these organizations have your data. The sooner you know your information is at risk, the sooner you can protect yourself, your accounts, and your identity.

1. July 2022: American Airlines

In late September, American Airlines reported that hackers got hold of "a very small number" of employee and customer information. The breach occurred when hackers sent a phishing email and gained access to a handful of employee emails.

American Airlines notified all affected individuals after it first detected the breach in July 2022. The stolen data could include:

• Birth dates
• Driver's license numbers
• Passport information
• Medical information

2. July 2022: Marriott International

Marriott International fell victim to a data breach in June. The breach compromised more than 20 gigabytes of customer information, including credit cards.

How did the breach happen? Allegedly, the hackers were able to gain access to an employee’s computer through social engineering. Marriott’s corporate office said that the hackers mostly gained non-sensitive business information, but it was notifying individuals whose data was compromised.

3. July 2022: Neopets

69 million users' data was compromised in a Neopets data breach in July. The hackers were able to access personally identifiable information such as names, birth dates, and email addresses. 

Hackers were also able to gain access to source code for the company’s website and they’re trying to auction off the information to the highest bidder. Neopets is a popular digital pet-keeping website.

4. June 2022: Shields Health Care Group

Shields Health Care Group notified its customers of a data breach that happened in early March. Hackers were able to access Shields’ systems and customer data was compromised including names, Social Security numbers, birth dates, personal medical information, and more.

The company says it is working with law enforcement about the breach and also evaluating its systems to protect patient data in the future. The extent of the breach, and how many customers were affected, was not disclosed.

5. June 2022: Flagstar Bank

Flagstar is a Michigan-based bank and one of the largest mortgage lenders in the country. Hackers gained access to the information of 1.5 million Flagstar Bank customers in a massive data breach in December 2021. Flagstar waited to inform customers until after it had completed its investigation in June 2022.

Compromised data included customer names and social security numbers. Flagstar offered affected customers two years of identity theft protection.

6. June 2022: OpenSea

Email addresses of newsletter subscribers and users were impacted in a data breach of NFT company OpenSea. The breach happened because an employee at OpenSea’s email provider downloaded and leaked the information. Open Sea did not disclose how many email addresses were compromised.

OpenSea warned its customers that their email addresses could be used for phishing scams in the future.

7. May 2022: Texas Department of Insurance

A web application used to manage worker’s compensation information was the culprit for a recent data breach of the Texas Department of Insurance. The breach took place on Jan. 4, 2022, due to a programming issue that allowed access to protected information.

According to TDI, “The types of information that may have been accessible include names, addresses, dates of birth, phone numbers, part or all of Social Security numbers, and information about injuries and workers’ compensation claims.”

8. April 2022: Block and Cash App

More than 8 million users' information was compromised when a Cash App employee left the company and downloaded corporate reports. The breach only affected Cash App Investing users, not any of Cash App’s other users. Compromised data included customer names and Cash App brokerage numbers, along with account values, and stock value trades.

9. April 2022: Kaiser Permanente

Almost 70,000 patients had their personal data compromised in a recent breach of Kaiser Permanente. The hacker gained access to the personal data through an employee’s email that contained sensitive information including patient names, medical information, and test results.

10. March 2022: Microsoft

In March, Microsoft announced that a hacker group known as Lapsus$ infiltrated its systems. The company said in a statement that no customer data was compromised and that its security team was able to stop the incident before the hacker group gained additional access. The users accessed Microsoft systems by compromising user identities.

11. March 2022: Okta

Okta’s systems were compromised for 25 minutes on January 21, which led to an investigation into possible damages. Hackers were able to gain access to a workstation and had access to 366 Okta user records. However, the forensic report concluded that the hackers did not gain access to any Okta accounts or make any configuration changes.

The Lapsus$ hacking group has been the instigator behind dozens of recent cybercrimes. Run by teens, Lapsus$ successfully hacked well-known companies through ransomware and social engineering attacks, including Microsoft, Nvidia, Samsung, T-Mobile, Okta, and EA Games.

12. March 2022: Comstar

Comstar, an ambulance billing service, notified customers about a security breach on March 26. The Comstar network was accessed by unauthorized users and Comstar launched an investigation.

From the investigation, Comstar was unable to identify specifically what information was accessed, however, those systems included data such as names, birth dates, driver’s licenses, financial information and Social Security numbers. Comstar determined that the information was specifically for the town of Hudson, New Hampshire.

13. March 2022: Parker Hannifin

This time, hackers targeted the health plan data of Parker Hannifin, a manufacturing company. The breach impacted 119,513 people according to the Office for Civil Rights. Those affected included current and former employees, their dependents, and members of the company’s health plans.

The Conti ransomware group claimed responsibility for the attack and published data from the stolen information. Personal information such as names, Social Security numbers, birth dates, addresses, U.S. passport numbers, and more were compromised in the attack.

14. February 2022: GiveSendGo

GiveSendGo, a Christian fundraising site, was hacked in February. More than 92,000 donors were leaked online, including names and personal details. A few days later, hackers also released information about every fundraising campaign that had been published on the platform. This included data from every person who had created an account on the site—about 170,000 entries. The site’s source code, along with images of identity verification documents were also released.

15. February 2022: Virginia Commonwealth University Health System

More than 4,000 organ donors and recipients had their data leaked for more than 16 years as part of a data breach on Virginia Commonwealth University Health System. The incident took place in February, when VCU learned that donors and recipients could access other information when logged into a donor portal. The hospital did not release how the incident happened.

16. February 2022: ARcare

From January 18 to February 24, an unauthorized user accessed ARcare’s systems. An investigation into the breach concluded that personal information was part of the data breach. The information compromised included personal and medical information, Social Security numbers, financial account information, and more. The company does not believe there was any misuse of the information.

17. February 2022: Spokane Regional Health District

A compromised employee email account is to blame for a data breach with Spokane Regional Health District. This was the second phishing attack on the organization in three months. The email account included more than 1,000 individuals' private information, including names, birth dates, case numbers, and medical history.

In another attack, more than 1,200 individuals' information was compromised. SRHD said it would enhance employee cyber security training and add multi-factor authentication.

18. January 2022: Crypto.com

A January 17 attack on Crypto.com compromised 483 user wallets. The hack led to an overall loss of about $33.8 million in cryptocurrency. This included:

• 4,836 ethereum, about $13 million
• 444 bitcoin, about $16 million
• Close to $66,200 in other cryptocurrencies

Hackers were able to initiate withdrawals without the necessary two-factor authentication normally required. The company added additional security layers following the breach.

19. January 2022: Twitter

In January, a hacker alerted Twitter to security flaws on the popular social media website. The hacker said Twitter was vulnerable to hackers seeking to use information maliciously. Twitter said it fixed the problem, but shortly after, a different hacker began selling more than 5 million Twitter users' information on the dark web. The hacker was seeking at least $30,000 for the data. The information in the hack included phone numbers and email addresses.

20. December 2021: Mattax Neu Prater Eye Center

Another health care data breach was announced by Mattax Neu Prater Eye Center in Missouri. The breach involved the personal information of 92,361 individuals. Hackers accessed the center’s medical records platform, myCare Integrity, where they deleted databases and system configuration files. The center did not have any evidence that the data was used for identity theft.

Bottom line

Data breaches are a common occurrence for companies around the world. As a consumer, being the victim of a data breach can be stressful to navigate. Before you are a victim of one of these breaches, you can take steps to protect your identity. There are many tools available to help keep your personal information secure, discover any suspicious activity, and remedy any concerns.

4.9

AllAboutCookies writers and editors score products based on a number of objective features as well as our expert editorial assessment. Our partners do not influence how we rate products.

Editorial Rating

Learn More

On Aura Identity Theft's website

Aura Identity Theft

Up to 68% off Family Annual Plans

• Excellent identity theft protection service
• Includes a password manager and VPN
• Robust tools for children’s security
• Provides VantageScore and not FICO score updates

Author Details

Andrew Adams

About the Author

Andrew Strom Adams is a freelance writer focused on online privacy and digital security. He writes on various topics to help individuals protect themselves on the internet. Andrew has worked in legal marketing, technology, and startups. He has more than 12 years of experience in marketing and communications. He holds an M.B.A. from Westminster College and a B.A. in journalism from Oklahoma Baptist University. When he’s not writing, he’s playing with his two kids or watching reality TV.